`code_challenge_methods_supported` not set for `fapi2-security-profile-id2-client-test-invalid-iss`
What did you do?
Ran the test fapi2-security-profile-id2-client-test-invalid-iss for fapi2-security-profile-id2-client-test-plan. The client requested .well-known/openid-configuration.
What did you expect would happen?
The parameter code_challenge_methods_supported should be set.
What did happen?
The parameter was not present.
```json
{
  "issuer": "https://www.certification.openid.net/test/a/test/",
  "authorization_endpoint": "https://www.certification.openid.net/test/a/test/authorize",
  "token_endpoint": "https://www.certification.openid.net/test/a/test/token",
  "jwks_uri": "https://www.certification.openid.net/test/a/test/jwks",
  "registration_endpoint": "https://www.certification.openid.net/test/a/test/register",
  "userinfo_endpoint": "https://www.certification.openid.net/test/a/test/userinfo",
  "mtls_endpoint_aliases": {
    "token_endpoint": "https://www.certification.openid.net/test-mtls/a/test/token",
    "registration_endpoint": "https://www.certification.openid.net/test-mtls/a/test/register",
    "userinfo_endpoint": "https://www.certification.openid.net/test-mtls/a/test/userinfo",
    "pushed_authorization_request_endpoint": "https://www.certification.openid.net/test-mtls/a/test/par"
  },
  "response_types_supported": [
    "code"
  ],
  "authorization_response_iss_parameter_supported": true,
  "scopes_supported": [
    "openid"
  ],
  "id_token_signing_alg_values_supported": [
    "ES256"
  ],
  "dpop_signing_alg_values_supported": [
    "PS256",
    "ES256",
    "EdDSA"
  ],
  "token_endpoint_auth_methods_supported": [
    "private_key_jwt"
  ],
  "pushed_authorization_request_endpoint": "https://www.certification.openid.net/test/a/test/par",
  "require_pushed_authorization_requests": true,
  "token_endpoint_auth_signing_alg_values_supported": [
    "PS256",
    "ES256",
    "EdDSA"
  ]
}
```
Please reference and quote any relevant OAuth2 / OpenID Connect / FAPI specification clauses that support your expectations
https://openid.net/specs/fapi-2_0-security-02.html#section-5.3.1.2
For the Authorization Code flow, Authorization servers [...] 5. shall require PKCE [RFC7636] with S256 as the code challenge method
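As an added illustration of why the missing field matters (this is example code written for this report, not part of the conformance suite): RFC 8414 defines `code_challenge_methods_supported` and tells clients that when it is omitted the server does not support PKCE, so a metadata-driven client could skip PKCE or fall back to `plain` against a server that the FAPI 2.0 clause above says must require S256. The check below runs over a constructed, trimmed copy of the metadata quoted above; the function names are assumptions.

```python
"""Check AS discovery metadata for the PKCE advertisement FAPI 2.0 expects."""
import json

# Constructed sample: the discovery document from the report, trimmed to
# the fields this check consults. It has no code_challenge_methods_supported.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://www.certification.openid.net/test/a/test/",
    "response_types_supported": ["code"],
    "require_pushed_authorization_requests": True,
    "token_endpoint_auth_methods_supported": ["private_key_jwt"],
})


def sample_with_methods(methods):
    """Constructed variant of the sample with the PKCE field set to `methods`."""
    meta = json.loads(SAMPLE_METADATA)
    meta["code_challenge_methods_supported"] = methods
    return json.dumps(meta)


def check_pkce_metadata(metadata_json):
    """Return a list of findings; an empty list means the metadata is acceptable.

    FAPI 2.0 Security Profile 5.3.1.2 item 5: the AS shall require PKCE
    with S256. RFC 8414: if code_challenge_methods_supported is omitted,
    clients treat the server as not supporting PKCE at all.
    """
    meta = json.loads(metadata_json)
    findings = []
    methods = meta.get("code_challenge_methods_supported")
    if methods is None:
        findings.append("code_challenge_methods_supported missing: clients following "
                        "RFC 8414 will assume the server does not support PKCE")
        return findings
    if not isinstance(methods, list):
        findings.append("code_challenge_methods_supported is not a JSON array")
        return findings
    if "S256" not in methods:
        findings.append("S256 not advertised, but FAPI 2.0 requires S256")
    if "plain" in methods:
        findings.append("'plain' advertised, which is weaker than the S256 method FAPI 2.0 requires")
    return findings


if __name__ == "__main__":
    for finding in check_pkce_metadata(SAMPLE_METADATA) or ["no findings"]:
        print(finding)
```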
If you believe a failure the conformance suite is reporting is not a valid failure, you MUST include a hyperlink for the exact section of the relevant specification that explains how the behaviour of your software is compliant, and you MUST include a quote of the exact clause/phrase you are relying on
If the problem relates to a test, please provide a link to the log-detail.html page on our server (the test result does NOT need to be 'published')
https://www.certification.openid.net/log-detail.html?log=8jfMRdhbNwf5E59