Call for other implementations to test against

[Andreas Åkre Solberg]

I got an OpenID Connect consumer written in javascript, and I'd be interested in testing this against Provider implementations. Anyone interested?

I also got a very experimental Provider (also in javascript, and working with the consumer). As soon as this becomes more mature, I'd be happy to make it available for people to test against. Please let me know if there is any interest for this.

I'm not attending the OpenID Summit, so I'm interested in connecting with people online.

Feel free to respond on the list, or to me directly. You can also add me on skype: andreassolberg
I'm in the 'Europe/Amsterdam' timezone.

Andreas

[Nat Sakimura]

Nov Matake has an experimental OP. 

The configuration info is here: 

https://connect-op.heroku.com/.well-known/openid-configuration

I do not know if it is ready yet, but it will be ready for the interop, I think. 

NRI's experimental OP will be up by the end of the day Friday JST as well. 

=nat

2011/9/8 Andreas Åkre Solberg <andreas...@uninett.no>

--
Nat Sakimura (=nat)

Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

[Roland Hedberg]

8 sep 2011 kl. 10:48 skrev Andreas Åkre Solberg:

> I got an OpenID Connect consumer written in javascript, and I'd be interested in testing this against Provider implementations. Anyone interested?

Jag är självfallet intresserad :-)

-- Roland

[Nat Sakimura]

Also, Ryo Ito (another WG member, an ex-Yahoo! Japan guy) has an implementation: 

OP: https://openidconnect.info/

RP: https://openidconnect.info/demorp/

=nat

[Roland Hedberg]

For those who don't automatically use Google translator :-)

I'm definitely interested in testing, but will probably not have anything until after the summit meeting.
I have the OAuth2 stuff in place it's some of the OpenID Connect additions I lack.

-- Roland

[nov matake]

As Nat mentioned, my OP is here.

https://connect-op.heroku.com/

This is written in Ruby (on Rails) and open-sourced on github.

https://github.com/nov/openid_connect_sample_rails30

On this OP, you can make account using your Facebook / Google account.

When using Google account, this site is also a Connect RP against Google's Connect OP.

Once signed-up, you can register your OAuth client (= Connect RP Client) by clicking "Register New Client" link on dashboard.

In this configuration, you can all configuration info needed for Basic Client.

(Dynamic client registration is not ready for interop yet though)

https://connect-op.heroku.com/.well-known/openid-configuration

I also have an RP implementation against my OP.

https://connect-rp.heroku.com/

This is also in Ruby and open-sourced here.

https://github.com/nov/openid_connect_sample_rp_rails30

I'll join interop remotely.

My Skype ID is "biancag4" and I'm in Asia/Tokyo timezone.

I'm looking forward to the first interop event for me :)

--

nov matake

[Roland Hedberg]

8 sep 2011 kl. 14:27 skrev nov matake:

> I'm looking forward to the first interop event for me :)

Me too!

Since people are swapping skypeid's, here is mine: hypatiaofalexandria

And as Andreas I'm in CET (or rather CEST until we switch to winter time).

-- Roland

[Nat Sakimura (=nat)]

Mine is nat_sakimura (Skype)

Edmund's Implementation is sort of up as well:

OP: https://connect.openid4.us/abop/
RP: https://connect.openid4.us/abrp/

I can add your OP to the pull down.
For that I need to know the
Client ID
Client Secret
Authz Endpoint
Token Endpoint
UserInfo Endpont
etc.

Best,

=nat

Roland Hedberg のメッセージ:

[Tatsuya KATSUHARA]

Hello all.

NRI Tokyo's Implementation is as follows:

* OP
- OpenID Connect Lite 1.0 Draft 10
- Implicit Grant
- grant_type: token id_token
- scope: openid mail profile address
- Session Management
- Check Session Endpoint
- Invalidate Session Endpoint (Connect Session Management)

- OpenID Connect Standard 1.0 Draft 02
- Authorization Code
- grant_type: code
*** currentlly we're working for following procedures ***
- scope: openid mail profile address
- user_info
- check session EP
*********************************************************

Sorry for your inconvenience, we don't have registration form.
Please use pre-configured client_id and client_secret.

client_id
http://devel.uni-id.info/oauth2_consumer
client_secret
client_secret
redirect_uri
anything(we set to whitelist to regexp"https?://.*"
authorize
http://devel.uni-id.info/nozomi_seam/script/oauth2/authz_req/endpoint.seam
token
http://devel.uni-id.info/nozomi_seam/script/oauth2/token_req/endpoint.seam
user_info
http://devel.uni-id.info/nozomi_seam/script/oauth2/info_req/endpoint.seam
check_session
http://devel.uni-id.info/nozomi_seam/script/oauth2/check_session/endpoint.seam
end_session
http://devel.uni-id.info/nozomi_seam/script/oauth2/end_session/endpoint.seam

* RP (Just for checking my own IdP)
http://devel.uni-id.info/oauth2_consumer/

- OpenID Connect Lite 1.0 Draft 10
- Implicit Grant
- grant_type: token id_token
- scope: openid mail profile address
- Session Management
- Check Session Endpoint
- Invalidate Session Endpoint

- OpenID Connect Standard 1.0 Draft 02
- Authorization Code
- grant_type: code

@kthrtty

[Andreas Åkre Solberg]

On 8. sep.2011, at 14:27, nov matake wrote:

As Nat mentioned, my OP is here.

https://connect-op.heroku.com/

Excellent, Nov. 

My first impression is that your implementation seems solid and professional.

On this OP, you can make account using your Facebook / Google account.

When using Google account, this site is also a Connect RP against Google's Connect OP.

Do you have an URL for documentation on googles connect OP?

Once signed-up, you can register your OAuth client (= Connect RP Client) by clicking "Register New Client" link on dashboard.

This worked perfectly!

In this configuration, you can all configuration info needed for Basic Client.

(Dynamic client registration is not ready for interop yet though)

Right, I realized that. The endpoint seem to complain about the uri missing, even if it is provided.

I have one request, though :)

The testing utilities that we are implementing will be running in a simulated user agent. (there are several reasons for that). This means that going through the login process needs to be implemented in the test utility as well. I have some issues to get the utility through the google login process; among other problems I've enabled 2-factor authentication on my user.  What would be very useful for the test utility would be if you offered a simpler login option, with a simple login page and a demo user; or may be a link that logs the user in automatically (as a test user).

Kind regards,

Andreas

[Tatsuya KATSUHARA]

Sorry! I'd forgotten to post essential information.

If you're redirected to IdP, you'll see ID/PW form.
Please put rule-based ID/PW into it.

ID: {hogehoge}
PW: {hogehoge}pass

ex. test/testpass, alice/alicepass

Regards

@kthrtty
@kumauta

(2011/09/09 17:38), Tatsuya KATSUHARA wrote:
> Hello all.
>
>
> NRI Tokyo's Implementation is as follows:
>
> * OP
> - OpenID Connect Lite 1.0 Draft 10
> - Implicit Grant
> - grant_type: token id_token
> - scope: openid mail profile address
> - Session Management
> - Check Session Endpoint
> - Invalidate Session Endpoint (Connect Session Management)
>
> - OpenID Connect Standard 1.0 Draft 02
> - Authorization Code
> - grant_type: code

> *** currentlly we're working for following features ***

> - scope: openid mail profile address
> - user_info
> - check session EP
> *********************************************************
>
> Sorry for your inconvenience, we don't have registration form.

> Please use pre-configured client_id and client_secret values.

>
> client_id
> http://devel.uni-id.info/oauth2_consumer
> client_secret
> client_secret
> redirect_uri

> anything(we set whitelist to regexp"https?://.*"

--
勝原 達也 <Tatsuya KATSUHARA>

株式会社 野村総合研究所 DIソリューション事業部
〒105-7113 東京都港区東新橋1-5-2 汐留シティセンター13F
TEL:+81-3-6274-1445 FAX:+81-3-6274-1547
PGP Key FP: 2E04 7D79 5C74 6945 CEAE 64D0 70B9 780E 1583 E0BC

このメールには、本来の宛先の方のみに限定された機密情報が含まれている場
合がございます。お心あたりのない場合は、送信者にご連絡のうえ、このメー
ルを削除してくださいますようお願い申し上げます。
PLEASE READ：This e-mail is confidential and intended for the named re
cipient only. If you are not an intended recipient, please notify the
sender and delete this e-mail.

[Andreas Åkre Solberg]

On 9. sep.2011, at 13:02, Tatsuya KATSUHARA wrote:

Sorry! I'd forgotten to post essential information.

If you're redirected to IdP, you'll see ID/PW form.
Please put rule-based ID/PW into it.

ID: {hogehoge}
PW: {hogehoge}pass

ex. test/testpass, alice/alicepass

Thanks.

First attempt:

* The authorization request is accepted. Testing only 'code' in this case.

* I get the login page, and can successfully login

* I'm receiving a code in response.

Then when I am contacting the token endpoint, I get an unsupported grant type error. I assume 'code' should be an accpeted grant type?

Kind regards,

Andreas

Performing a raw request to: http://devel.uni-id.info/nozomi_seam/script/oauth2/token_req/endpoint.seam

Host: devel.uni-id.info
Path: /nozomi_seam/script/oauth2/token_req/endpoint.seam
Port: 80

POST /nozomi_seam/script/oauth2/token_req/endpoint.seam HTTP/1.1

Authorization: Basic aHR0cDovL2RldmVsLnVuaS1pZC5pbmZvL29hdXRoMl9jb25zdW1lcjpjbGllbnRfc2VjcmV0

Cookie: JSESSIONID=C81D28A03956B6B69D20A4D45A9CB68F

Host: devel.uni-id.info

Content-Type: application/x-www-form-urlencoded

Content-Length: 98

Connection: keep-alive

client_id=http%3A%2F%2Fdevel.uni-id.info%2Foauth2_consumer&grant_type=code&code=8670gpN2QnpIowyp

---«‹ HTTP RESPONSE ‹«---

STATUS: 400

Response headers: 

{ date: 'Fri, 09 Sep 2011 11:14:12 GMT',

  'x-powered-by': 'Servlet 2.5; JBoss-5.0/JBossWeb-2.1, JSF/1.2',

  'content-type': 'application/json',

  'content-length': '34',

  connection: 'close' }

-------------------------

 

body:

{"error":"unsupported_grant_type"}

[Tatsuya KATSUHARA]

Our OAuth2.0 implimentation complies with OAuth2.0 Draft 16...
So you should specifies "authorization_code" as "grant_type" param.

I checked OAuth2.0 DR 21, and got same specification.

Please try it!

Regards.

[Andreas Åkre Solberg]

On 9. sep.2011, at 13:40, Tatsuya KATSUHARA wrote:

Our OAuth2.0 implimentation complies with OAuth2.0 Draft 16...
So you should specifies "authorization_code" as "grant_type" param.

I checked OAuth2.0 DR 21, and got same specification.

Please try it!

You are right. Don't know where I got the "code" from. At least it was wrong.

I'm getting another error this time:

POST /nozomi_seam/script/oauth2/token_req/endpoint.seam HTTP/1.1
Authorization: Basic aHR0cDovL2RldmVsLnVuaS1pZC5pbmZvL29hdXRoMl9jb25zdW1lcjpjbGllbnRfc2VjcmV0

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3
Cookie: JSESSIONID=7579EBA30413E39E873F5D44FD5AD210
Host: devel.uni-id.info
Content-Type: application/x-www-form-urlencoded
Content-Length: 177
Connection: keep-alive

client_id=http%3A%2F%2Fdevel.uni-id.info%2Foauth2_consumer&redirect_uri=https%3A%2F%2Fopenidconnect.rnd.feide.no%2Fcallback&grant_type=authorization_code&code=RQHko96GjDKSrN0Z

---«‹ HTTP RESPONSE ‹«---
STATUS: 400
Response headers: 

{ date: 'Fri, 09 Sep 2011 11:47:21 GMT',

  'x-powered-by': 'Servlet 2.5; JBoss-5.0/JBossWeb-2.1, JSF/1.2',
  'content-type': 'application/json',

  'content-length': '27',
  connection: 'close' }
-------------------------

{"error":"invalid_request"}

[Andreas Åkre Solberg]

On 8. sep.2011, at 11:15, Nat Sakimura wrote:

Also, Ryo Ito (another WG member, an ex-Yahoo! Japan guy) has an implementation: 

OP: https://openidconnect.info/

Great. I'd be happy to test this as well.

Ryo, are you on the list? The endpoints is listed on the web site, but I assume I need to register id, secret and redirect uri… You may add the redirect_uri; https://openidconnect.rnd.feide.no/callback

Andreas

[Tatsuya KATSUHARA]

I guess...

Requesting access token, OAuth2 client must send two
parameters(client_id and client_secret).

Best.

[nov matake]

Hi, Andreas

On this OP, you can make account using your Facebook / Google account.

When using Google account, this site is also a Connect RP against Google's Connect OP.

Do you have an URL for documentation on googles connect OP?

I registered OAuth2 client here.

http://code.google.com/intl/ja-JP/apis/accounts/docs/OAuth2.html#Registering

And got required information here. (endpoint, scope etc)

http://oauthssodemo.appspot.com/step/1

What would be very useful for the test utility would be if you offered a simpler login option, with a simple login page and a demo user; or may be a link that logs the user in automatically (as a test user).

I see.

I'll ping you when this functionality becomes ready.

Thanks,

nov

[nov matake]

OK, now you should have "Create Fake Account" button on top page.

You can also make a POST request to "https://connect-op.heroku.com/connect/fake".

No params are required for fake account registration, all attributes are hard-coded for them.

[Andreas Åkre Solberg]

On 9. sep.2011, at 14:38, Tatsuya KATSUHARA wrote:

I guess...

Requesting access token, OAuth2 client must send two
parameters(client_id and client_secret).

Ah, I see. According to OAuth http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-2.3.1

the reccomended way of performing authentication would be with HTTP Basic Auth:

Including the client credentials in the request body using the two

   parameters is NOT RECOMMENDED, and should be limited to clients

   unable to directly utilize the HTTP Basic authentication scheme (or

   other password-based HTTP authentication schemes).

I tried to add the client_secret parameter to the request on the token endpoint, but I got the same error. May be your logs reveal what the provider does not like about the request?

POST /nozomi_seam/script/oauth2/token_req/endpoint.seam HTTP/1.1

Cookie: JSESSIONID=3180839191DF06EE6F8FCD42CA9B130A

Host: devel.uni-id.info

Content-Type: application/x-www-form-urlencoded

Content-Length: 205

Connection: keep-alive

client_id=http%3A%2F%2Fdevel.uni-id.info%2Foauth2_consumer&client_secret=client_secret&redirect_uri=https%3A%2F%2Fopenidconnect.rnd.feide.no%2Fcallback&grant_type=authorization_code&code=cusK8SUPZy6iLmdi

-------------------

 

---«‹ HTTP RESPONSE ‹«---

STATUS: 401

Response headers: 

{ date: 'Sat, 10 Sep 2011 17:17:26 GMT',

[nov matake]

Nat,

Are Ryo in this ML?

I couldn't see the members list of this ML.

[Andreas Åkre Solberg]

On 10. sep.2011, at 19:22, Andreas Åkre Solberg wrote:

I tried to add the client_secret parameter to the request on the token endpoint, but I got the same error. May be your logs reveal what the provider does not like about the request?

Forget about this error, I found an error in my http post function. I now got the access token. I'll report more details later.

Andreas

[nov matake]

Hi Edmund and Nat,

I'm trying to connect my RP with Edmund's OP.
I found almost all required info here.
https://connect.openid4.us/.well-known/openid-configuration

But I couldn't find how to register my client to your OP.
Can you tell me the way?

[Edmund Jay]

Nov,

The client registration page is currently protected.
You can use a guest client account for now.

client_id : guest_client
client_secret : g6bfd1618ddc3c4fc8b1z01nb45Y752

The endpoints are :
Authorization : https://connect.openid4.us/abop/op.php/auth
Token : https://connect.openid4.us/abop/op.php/token
Userinfo : https://connect.openid4.us/abop/op.php/userinfo
Check Session : https://connect.openid4.us/abop/op.php/checksession



- Edmund

---

From: nov matake <n...@matake.jp>
To: OpenID Connect Interop <openid-conn...@googlegroups.com>
Sent: Sat, September 10, 2011 12:08:38 PM
Subject: Re: Call for other implementations to test against

[Ryo]

Hi Andreas

I added fake account option(like NOV's OP) and registed your RP info.

===

application_name : Andreas's RP

client_id : 2fb32f22c479aff3f8bcb42a058dba226e5a8fc1

client_secret : 238c5934982cf1e37a1bbb1c27f2e8d72be59092

===

My OP's configration is here

https://openidconnect.info/.well-known/openid-configuration

Thanks.

Ryo