FAPI RP: Improve description etc of invalid secondary aud test
The test technically does two things wrong, so make that clear,
update an invalid spec ref, change the error message, rename
the condition that adds the second aud a little.
jogu committed Nov 21, 2021
1 parent 606d88d commit eb0b1a8
Showing 3 changed files with 11 additions and 12 deletions.
@@ -7,7 +7,7 @@
import net.openid.conformance.condition.PreEnvironment;
import net.openid.conformance.testmodule.Environment;

public class AddSecondAudValueToIdToken extends AbstractCondition {
public class AddUntrustedSecondAudValueToIdToken extends AbstractCondition {

@Override
@PreEnvironment(required = "id_token_claims")
@@ -1,13 +1,12 @@
package net.openid.conformance.fapi1advancedfinal;

import net.openid.conformance.condition.as.AddSecondAudValueToIdToken;
import net.openid.conformance.condition.as.AddUntrustedSecondAudValueToIdToken;
import net.openid.conformance.testmodule.PublishTestModule;
import net.openid.conformance.testmodule.TestFailureException;

@PublishTestModule(
testName = "fapi1-advanced-final-client-test-invalid-secondary-aud",
displayName = "FAPI1-Advanced-Final: client test - multiple aud values in id_token from authorization_endpoint, should be rejected",
summary = "This test should end with the client displaying an error message that there are multiple aud values in the id_token from the authorization_endpoint, and this behaviour is not expected",
displayName = "FAPI1-Advanced-Final: client test - untrusted aud value in id_token from authorization_endpoint, must be rejected",
summary = "This test issues an id_token where the 'aud' is an array which contains both the correct client_id and the id for a non-existent client. This test should end with the client displaying an error message that there is an untrusted aud value in the id_token from the authorization_endpoint, or that the 'azp' claim is missing.\n\nAs per OpenID Connect section 3.1.3.7 clause 3:\n\n'The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.'\n\n and clause 4:\n\n'If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.'",
profile = "FAPI1-Advanced-Final",
configurationFields = {
"server.jwks",
@@ -25,11 +24,11 @@ public class FAPI1AdvancedFinalClientTestInvalidSecondaryAud extends AbstractFAP
@Override
protected void addCustomValuesToIdToken() {

callAndStopOnFailure(AddSecondAudValueToIdToken.class, "OIDCC-3.1.3.7-8");
callAndStopOnFailure(AddUntrustedSecondAudValueToIdToken.class, "OIDCC-3.1.3.7-3");
}

@Override
protected String getIdTokenFaultErrorMessage() {
return "multiple aud values";
return "aud is an array that contains an untrusted value";
}
}
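Review bot: The new `summary =` string has a stray leading space in `'\n\n and clause 4:'`, so the rendered description opens that paragraph with a blank; `\n\nand clause 4:` reads cleanly. The identical string, blank included, is repeated verbatim on the `summary =` line of the FAPI-RW-ID2 module's hunk, so the fix belongs in both places. Since the summary now cites clauses 3 and 4 and accepts a missing-azp rejection as a pass, the requirement reference in `callAndStopOnFailure(AddUntrustedSecondAudValueToIdToken.class, "OIDCC-3.1.3.7-3")` could also carry a clause-4 reference (following the page's `OIDCC-3.1.3.7-N` pattern) if that method accepts several references, so that both accepted rejection reasons are attributed to a spec clause in the log. The enclosing class declaration starts outside this hunk.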
@@ -1,13 +1,13 @@
package net.openid.conformance.fapirwid2;

import net.openid.conformance.condition.as.AddSecondAudValueToIdToken;
import net.openid.conformance.condition.as.AddUntrustedSecondAudValueToIdToken;
import net.openid.conformance.testmodule.PublishTestModule;
import net.openid.conformance.testmodule.TestFailureException;

@PublishTestModule(
testName = "fapi-rw-id2-client-test-invalid-secondary-aud",
displayName = "FAPI-RW-ID2: client test - multiple aud values in id_token from authorization_endpoint, should be rejected",
summary = "This test should end with the client displaying an error message that there are multiple aud values in the id_token from the authorization_endpoint, and this behaviour is not expected",
displayName = "FAPI-RW-ID2: client test - untrusted aud value in id_token from authorization_endpoint, must be rejected",
summary = "This test issues an id_token where the 'aud' is an array which contains both the correct client_id and the id for a non-existent client. This test should end with the client displaying an error message that there is an untrusted aud value in the id_token from the authorization_endpoint, or that the 'azp' claim is missing.\n\nAs per OpenID Connect section 3.1.3.7 clause 3:\n\n'The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.'\n\n and clause 4:\n\n'If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.'",
profile = "FAPI-RW-ID2",
configurationFields = {
"server.jwks",
@@ -24,13 +24,13 @@ public class FAPIRWID2ClientTestInvalidSecondaryAud extends AbstractFAPIRWID2Cli
@Override
protected void addCustomValuesToIdToken() {

callAndStopOnFailure(AddSecondAudValueToIdToken.class, "OIDCC-3.1.3.7-8");
callAndStopOnFailure(AddUntrustedSecondAudValueToIdToken.class, "OIDCC-3.1.3.7-3");
}

@Override
protected Object authorizationCodeGrantType(String requestId) {

throw new TestFailureException(getId(), "Client has incorrectly called token_endpoint after receiving an id_token with multiple aud values from the authorization_endpoint.");
throw new TestFailureException(getId(), "Client has incorrectly called token_endpoint after receiving (from the authorization endpoint) an id_token where aud is an array that contains an untrusted value.");

}

