feat: Client Initiated Backchannel Authentication (CIBA) and FAPI-CIB…

…A-ID1
emramir · May 24, 2021 · a217484 · a217484
1 parent 90965bb
commit a217484
Show file tree

Hide file tree

Showing 64 changed files with 1,789 additions and 229 deletions.
diff --git a/.eslintrc b/.eslintrc
@@ -4,6 +4,7 @@
   "rules": {
     "no-empty": ["error", { "allowEmptyCatch": true }],
     "no-underscore-dangle": ["error", { "allow": ["_claim_names", "_claim_sources", "_matchedRouteName"] }],
-    "import/order": ["error", { "groups": ["builtin", "external", "internal", "parent", "sibling", "index"], "newlines-between": "always" }]
+    "import/order": ["error", { "groups": ["builtin", "external", "internal", "parent", "sibling", "index"], "newlines-between": "always" }],
+    "symbol-description": ["off"]
   }
 }
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -191,6 +191,32 @@ jobs:
             fapi_profile: plain_fapi
             fapi_response_mode: jarm
 
+          # FAPI RW-CIBA-ID1
+          - plan: fapi-ciba-id1-test-plan
+            configuration: ./certification/fapi/pkjwt.json
+            client_auth_type: private_key_jwt
+            fapi_profile: plain_fapi
+            ciba_mode: poll
+            client_registration: dynamic_client
+          - plan: fapi-ciba-id1-test-plan
+            configuration: ./certification/fapi/pkjwt.json
+            client_auth_type: private_key_jwt
+            fapi_profile: plain_fapi
+            ciba_mode: ping
+            client_registration: dynamic_client
+          - plan: fapi-ciba-id1-test-plan
+            configuration: ./certification/fapi/mtls.json
+            client_auth_type: mtls
+            fapi_profile: plain_fapi
+            ciba_mode: poll
+            client_registration: dynamic_client
+          - plan: fapi-ciba-id1-test-plan
+            configuration: ./certification/fapi/mtls.json
+            client_auth_type: mtls
+            fapi_profile: plain_fapi
+            ciba_mode: ping
+            client_registration: dynamic_client
+
           # Extensive
           - plan: oidcc-test-plan
             client_registration: dynamic_client

diff --git a/README.md b/README.md
@@ -42,12 +42,14 @@ The following draft specifications are implemented by oidc-provider.
 - [JWT Response for OAuth Token Introspection - draft 10][jwt-introspection]
 - [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) - Implementer's Draft 01][jarm]
 - [Financial-grade API - Part 2: Read and Write API Security Profile (FAPI) - Implementer's Draft 02][fapi]
+- [Financial-grade API: Client Initiated Backchannel Authentication Profile (FAPI-CIBA) - Implementer's Draft 01][fapi-ciba]
 - [OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response - draft 00][iss-auth-resp]
 - [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 03][dpop]
 - [OAuth 2.0 JWT Secured Authorization Request (JAR) - draft 33][jar]
 - [OAuth 2.0 Pushed Authorization Requests (PAR) - draft 06][par]
-- [OpenID Connect RP-Initiated Logout 1.0 - draft 01][rpinitiated-logout]
 - [OpenID Connect Back-Channel Logout 1.0 - draft 06][backchannel-logout]
+- [OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0 (CIBA) - draft-03][ciba]
+- [OpenID Connect RP-Initiated Logout 1.0 - draft 01][rpinitiated-logout]
 
 Updates to draft specification versions are released as MINOR library versions,
 if you utilize these specification implementations consider using the tilde `~` operator in your
@@ -64,6 +66,7 @@ conforms to the following profiles of the OpenID Connect™ protocol
 - Back-Channel OP, RP-Initiated OP
 - FAPI R/W OP w/ MTLS, FAPI R/W OP w/ Private Key
 - FAPI R/W OP w/ MTLS PAR, FAPI R/W OP w/ Private Key PAR
+- FAPI-CIBA OP poll w/ MTLS, FAPI-CIBA OP poll w/ Private Key, FAPI-CIBA OP Ping w/ MTLS, FAPI-CIBA OP Ping w/ Private Key
 
 ## Sponsor
 
@@ -154,3 +157,5 @@ See the list of available emitted [event names](/docs/events.md) and their descr
 [rpinitiated-logout]: https://openid.net/specs/openid-connect-rpinitiated-1_0-01.html
 [iss-auth-resp]: https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-00
 [fapi]: https://openid.net/specs/openid-financial-api-part-2-ID2.html
+[ciba]: https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-03.html
+[fapi-ciba]: https://openid.net/specs/openid-financial-api-ciba-ID1.html
diff --git a/certification/fapi/index.js b/certification/fapi/index.js
@@ -10,7 +10,7 @@ const jose = require('jose2');
 const helmet = require('helmet');
 const pem = require('https-pem');
 
-const { Provider } = require('../../lib'); // require('oidc-provider');
+const { Provider, errors } = require('../../lib'); // require('oidc-provider');
 
 const OFFICIAL_CERTIFICATION = 'https://www.certification.openid.net';
 const { PORT = 3000, ISSUER = `http://localhost:${PORT}`, SUITE_BASE_URL = OFFICIAL_CERTIFICATION } = process.env;
@@ -107,6 +107,26 @@ const fapi = new Provider(ISSUER, {
   },
   clockTolerance: 5,
   features: {
+    ciba: {
+      enabled: true,
+      processLoginHint(ctx, loginHint) {
+        return loginHint;
+      },
+      verifyUserCode() {},
+      validateRequestContext() {},
+      triggerAuthenticationDevice(ctx, request, account, client) {
+        // TODO: remove when https://gitlab.com/openid/conformance-suite/-/issues/894 gets fixed
+        // eslint-disable-next-line eqeqeq
+        if (client.backchannelTokenDeliveryMode === 'ping' && ctx.oidc.params.requested_expiry == 30) {
+          setTimeout(() => {
+            client.backchannelPing(request);
+          }, +ctx.oidc.params.requested_expiry * 1000);
+        }
+      },
+      deliveryModes: ['poll', 'ping'],
+    },
+    registration: { enabled: true },
+    registrationManagement: { enabled: true },
     fapiRW: { enabled: true },
     mTLS: {
       enabled: true,
@@ -148,6 +168,15 @@ const fapi = new Provider(ISSUER, {
   },
 });
 
+const clientJwtAuthExpectedAudience = Object.getOwnPropertyDescriptor(fapi.OIDCContext.prototype, 'clientJwtAuthExpectedAudience').value;
+Object.defineProperty(fapi.OIDCContext.prototype, 'clientJwtAuthExpectedAudience', {
+  value() {
+    const acceptedAudiences = clientJwtAuthExpectedAudience.call(this);
+    acceptedAudiences.add(this.ctx.href);
+    return acceptedAudiences;
+  },
+});
+
 const orig = fapi.interactionResult;
 fapi.interactionResult = function patchedInteractionResult(...args) {
   if (args[2] && args[2].login) {
@@ -161,6 +190,40 @@ function uuid(e){return e?(e^randomBytes(1)[0]%16>>e/4).toString(16):([1e7]+-1e3
 
 const pHelmet = promisify(helmet());
 
+fapi.use(async (ctx, next) => {
+  if (ctx.path === '/ciba-sim') {
+    const { authReqId, action } = ctx.query;
+
+    const request = await fapi.BackchannelAuthenticationRequest.find(authReqId);
+
+    if (action === 'allow') {
+      const client = await fapi.Client.find(request.clientId);
+      const grant = new fapi.Grant({
+        client,
+        accountId: request.accountId,
+      });
+      grant.addOIDCScope(request.scope);
+      let claims = [];
+      if (request.claims.id_token) {
+        claims = claims.concat(Object.keys(request.claims.id_token));
+      }
+      if (request.claims.userinfo) {
+        claims = claims.concat(Object.keys(request.claims.userinfo));
+      }
+      grant.addOIDCClaims(claims);
+      await grant.save();
+      await fapi.backchannelResult(request, grant, { acr: 'urn:mace:incommon:iap:silver' }).catch(() => {});
+    } else {
+      await fapi.backchannelResult(request, new errors.AccessDenied('end-user cancelled request')).catch(() => {});
+    }
+
+    ctx.body = { done: true };
+    return undefined;
+  }
+
+  return next();
+});
+
 fapi.use(async (ctx, next) => {
   const origSecure = ctx.req.secure;
   ctx.req.secure = ctx.request.secure;
@@ -184,7 +247,7 @@ if (process.env.NODE_ENV === 'production') {
 
       switch (ctx.oidc && ctx.oidc.route) {
         case 'discovery': {
-          ['token', 'userinfo', 'pushed_authorization_request'].forEach((endpoint) => {
+          ['token', 'userinfo', 'pushed_authorization_request', 'backchannel_authentication'].forEach((endpoint) => {
             if (ctx.body[`${endpoint}_endpoint`].startsWith(ISSUER)) {
               ctx.body[`${endpoint}_endpoint`] = ctx.body[`${endpoint}_endpoint`].replace('https://', 'https://mtls.');
             }

diff --git a/certification/fapi/mtls.json b/certification/fapi/mtls.json
@@ -1,10 +1,12 @@
 {
     "alias": "oidc-provider",
+    "automated_ciba_approval_url": "https://fapi.panva.cz/ciba-sim?authReqId={auth_req_id}&action={action}",
     "server": {
         "discoveryUrl": "https://fapi.panva.cz/.well-known/openid-configuration"
     },
     "client": {
         "client_id": "mtls-one",
+        "client_name": "mtls-one",
         "scope": "openid offline_access",
         "jwks": {
             "keys": [
@@ -27,14 +29,17 @@
                     "x5t#S256": "E-TFTHXRZVsBSvZ5p5mc7ZZMle2Urpv9yr9PdGcOqXQ"
                 }
             ]
-        }
+        },
+        "hint_type": "login_hint",
+        "hint_value": "panva"
     },
     "mtls": {
         "cert": "-----BEGIN CERTIFICATE-----\nMIIC4DCCAcgCCQDuBF1vmG5mlDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJD\nWjEPMA0GA1UEBwwGUHJhZ3VlMRIwEAYDVQQDDAlwa210bHNvbmUwHhcNMTkwNjE4\nMTIzMTA2WhcNMjAwNjE3MTIzMTA2WjAyMQswCQYDVQQGEwJDWjEPMA0GA1UEBwwG\nUHJhZ3VlMRIwEAYDVQQDDAlwa210bHNvbmUwggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQDEEnW885Hp+2Q7l+KCtKPOwfPIVOLKshgygWIAXC8z5TKnA1N9\nqbB2BvpDpWUKdXrYuBzWcNH/PHwrJvX42AHGeXCZJDSXzuRH934/fjMQHTFJquoP\n4rziUlRJfT+pwJcuvgxgGLI5xgzNqD7gZZp/9LVm5OdXU1poQviUel+hwV5eiT1r\n1fOe5LOiXkLwp3kBLlqGrtRPFIIa+20qkvnFh5ZcnRmOmm2vcAnI7OaNc2rSLHVb\nvkFuY8mMEx8rtthq0dQyyy1Ucudi3cLCI2x8Px0qQFUqWH4LgNaj7VZjlU1NPE8L\njsSPLasZsMsn0wt22fo+v5bJbaZ3N3QQqM0VAgMBAAEwDQYJKoZIhvcNAQELBQAD\nggEBAFGKYDieCWZ63Fx9jMhtlPlHUgkR6bmKqGwvZuVAe9Zz+sHvbVtTk/4AEOjS\nozksxf070O1PnK3zY0SuZynhKJnTaFouN45iMnnNQS6XMKd9Tm5WpSRbxfaOeuIZ\nybvOmNy0nuxkvqcE5fXIyr9bDCO9WEArQIQqjGJ93zKJpV2nT9Q7heTK430z7Hp3\n+XxwGXoKsLW/jebr3ryWTMEv8ouEbXeCz2OH6Oup8UIwXDyjYxwhwS5FAcRQdh4K\nnhHOLGYVAuVR3wPewtrTioYznFdfwtDHGd9fZVxrXPlVqCksj0CTnPf7UgXtjm2h\nTfkwHHtW2BegWR/q3+q9gs7uehc=\n-----END CERTIFICATE-----\n",
         "key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDEEnW885Hp+2Q7\nl+KCtKPOwfPIVOLKshgygWIAXC8z5TKnA1N9qbB2BvpDpWUKdXrYuBzWcNH/PHwr\nJvX42AHGeXCZJDSXzuRH934/fjMQHTFJquoP4rziUlRJfT+pwJcuvgxgGLI5xgzN\nqD7gZZp/9LVm5OdXU1poQviUel+hwV5eiT1r1fOe5LOiXkLwp3kBLlqGrtRPFIIa\n+20qkvnFh5ZcnRmOmm2vcAnI7OaNc2rSLHVbvkFuY8mMEx8rtthq0dQyyy1Ucudi\n3cLCI2x8Px0qQFUqWH4LgNaj7VZjlU1NPE8LjsSPLasZsMsn0wt22fo+v5bJbaZ3\nN3QQqM0VAgMBAAECggEBAKrgF6Hrd9+9yhWxgaM9gIDhQO73I4tY+IOThHAh5rVI\nawNof6vFZdcGr7aiftNFnSEgG2m7exgAg4or8zPCNJHfJgUgq4Eduo8JnwoAlsnV\nVy4HeOMNTGXFMFW3hPMQt/DxieF5xGFbO69DkECJ68LV5f3dQcw2BVVWAEON/qf9\nUhgEnx79OdiCYzyoHjxaHoXk9cVTUtXwmU0lphRFT14W2Py0KZ5vA8JEefoZl/qE\no42iR0KB4eDj/LiduWAMKDLN/u0Dmq3WxLvw7LHnlqENTEY56Lw1sbMQlmvl0zCD\n68BeMz+Mvlm7VRSCxR+3uX6Nli3eb2EsYziZIlt00iUCgYEA4ZNvp0u6vXQAf7IG\nESuhu3u4cD6K8iJ6BT+O64yHJzc17e9lt+p89GasTtkgeEH/lr+XxScVBYndi/8v\naqsA47bkIoWVvcXq7C4jkv0bPelpaI/KPGfoZC1etR102+dS1ZufxzwSo64drw+H\nPuwaIkXvmpK4MBI9jEYoOHh9KR8CgYEA3oRU/iCWvKOGHlR9BmcBysVGmkvBwj8X\nLTJGfxJkm3M9utLSg0uNo7vW0Zm88KdzdeaRBt6ltZAG3hBL0mHNwC0hYRv5fzO7\nyczWFLPXbUNVqC5OLI+wTL7+ikx040lL9IRRtgub47+9IvxxaGaIRzsFwa+15D7T\nCE7K8BydH0sCgYEAivnkC2VL2tcyS3op5MBF95Vk77qIrl9xX/RloFfHGPEaB8q7\nl5EfhRAQzs9VAuJejsjhv7SxbeUfmtYQp55NgP44FdDJjc73SqWugyvvcbhxmdsl\nFQxLkBSnydwpGCav0Sz9RqmLLk7iuO1PPQQHoeAGm+wTEILcaqT6uLf7HK8CgYBO\nlloWLphOI0q454oIetTNMoNO9zaFThb3ZWw0cOCLblX853xl1oc9rpeeCzgJnnpO\nx5Gs5XGNAEMMpqDAur4aA1Zon6KsZC8MhIWPZjzNYByee0wsvMq9MC9h1MLrivWC\ndEEPlGYIN62q75F2F9BFp/jOgSoyZGXP51QRHWn4pQKBgCEy7GsS3sAj3GiTmCkV\nvR3gKSlSKmJULmI+8EoT6tzYhMvyqoCHPtll2DHzBeqA6Il2DKz+gFbKln2+LrPU\nrb2rgK9e8qdZH9X36Ws8u9YA/VasGQRUFIAcFcNWoBBX79nBQ/89zrPubaN2Rh9B\nKuUEGLKAzDf1JIzseUr8jdvw\n-----END PRIVATE KEY-----\n"
     },
     "client2": {
         "client_id": "mtls-two",
+        "client_name": "mtls-two",
         "scope": "openid offline_access",
         "jwks": {
             "keys": [
@@ -57,7 +62,8 @@
                     "x5t#S256": "B_QzvtQ9biL043xj_ADE7e9MUdWwbdAr3W3W7JHbK9c"
                 }
             ]
-        }
+        },
+        "acr_value": "urn:mace:incommon:iap:silver"
     },
     "mtls2": {
         "cert": "-----BEGIN CERTIFICATE-----\nMIIC4DCCAcgCCQDO8JBSH914NDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJD\nWjEPMA0GA1UEBwwGUHJhZ3VlMRIwEAYDVQQDDAlwa210bHN0d28wHhcNMTkwNjE4\nMTIzMjAxWhcNMjAwNjE3MTIzMjAxWjAyMQswCQYDVQQGEwJDWjEPMA0GA1UEBwwG\nUHJhZ3VlMRIwEAYDVQQDDAlwa210bHN0d28wggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQDhqVAaMsvnCETzDtKwfKxZC1jwIOhIyUp8xp+2oN+pJwtqP0Up\nkLlTV7MD94HZSL3n3f9hsG6appRQGGAJ2ThOw1N9zlAr7Sk9YH6Gtu3bYSDvS6wa\nKjVoxGrrmLfyuoEbv3PDqMWuOjE3MT/G1nwUBgIEKYAr8hizY8dUE0Z2qWvKFZJj\n6etjCXEppjXuwlSusHWw/tj/ePMMxMAJMPPhzJeh6AL7iUKBisJysPuaWrS9ntdP\nxv9PS40sv6cZT4woxmE6tpTCkAxabXqA25SgJOyKOjnvg+BPNlrucLqHw3ErWrxY\nTL99cHqhexO6K4FaspW3+1kuWd3fY4Cm+zkTAgMBAAEwDQYJKoZIhvcNAQELBQAD\nggEBALsB6MGWke5vS1TB3Z+NJkC29bEIb3XGC9WaxRovH0jqaaua2AfAF7VZzUyW\nS/+r6hvWOtqUVy7YF1ThnEJXuXJG9ra2B2+F5RYNCtrVj6Bi+zDTSJ4IvQfrF0XB\nKwwOdRu7VJpAxvweA/3woKl6Cjfy20ZupPH9mxr1R78BMKgEtdFsiLwbB7MOdDbT\nLsrUcEcupXv+gZek22upQKrAk/XFP067KIqKmCEhDidxhP251SloUaruv9cHEx0a\nDKol9eR465FAiBLvg2N7qJHCKlWdn99SgN4Y3kINsuFR7Tj4QIJZNubOjV0YeOgn\nAWzRJlZD89KZAQgjj4Z215QeLxA=\n-----END CERTIFICATE-----\n",
@@ -218,6 +224,5 @@
                 }
             ]
         }
-    },
-    "description": "oidc-provider MTLS"
+    }
 }
diff --git a/certification/fapi/pkjwt.json b/certification/fapi/pkjwt.json
@@ -1,10 +1,12 @@
 {
     "alias": "oidc-provider",
+    "automated_ciba_approval_url": "https://fapi.panva.cz/ciba-sim?authReqId={auth_req_id}&action={action}",
     "server": {
         "discoveryUrl": "https://fapi.panva.cz/.well-known/openid-configuration"
     },
     "client": {
         "client_id": "pkjwt-one",
+        "client_name": "pkjwt-one",
         "scope": "openid offline_access",
         "jwks": {
             "keys": [
@@ -23,14 +25,17 @@
                     "use": "sig"
                 }
             ]
-        }
+        },
+        "hint_type": "login_hint",
+        "hint_value": "panva"
     },
     "mtls": {
         "cert": "-----BEGIN CERTIFICATE-----\nMIIC4DCCAcgCCQDuBF1vmG5mlDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJD\nWjEPMA0GA1UEBwwGUHJhZ3VlMRIwEAYDVQQDDAlwa210bHNvbmUwHhcNMTkwNjE4\nMTIzMTA2WhcNMjAwNjE3MTIzMTA2WjAyMQswCQYDVQQGEwJDWjEPMA0GA1UEBwwG\nUHJhZ3VlMRIwEAYDVQQDDAlwa210bHNvbmUwggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQDEEnW885Hp+2Q7l+KCtKPOwfPIVOLKshgygWIAXC8z5TKnA1N9\nqbB2BvpDpWUKdXrYuBzWcNH/PHwrJvX42AHGeXCZJDSXzuRH934/fjMQHTFJquoP\n4rziUlRJfT+pwJcuvgxgGLI5xgzNqD7gZZp/9LVm5OdXU1poQviUel+hwV5eiT1r\n1fOe5LOiXkLwp3kBLlqGrtRPFIIa+20qkvnFh5ZcnRmOmm2vcAnI7OaNc2rSLHVb\nvkFuY8mMEx8rtthq0dQyyy1Ucudi3cLCI2x8Px0qQFUqWH4LgNaj7VZjlU1NPE8L\njsSPLasZsMsn0wt22fo+v5bJbaZ3N3QQqM0VAgMBAAEwDQYJKoZIhvcNAQELBQAD\nggEBAFGKYDieCWZ63Fx9jMhtlPlHUgkR6bmKqGwvZuVAe9Zz+sHvbVtTk/4AEOjS\nozksxf070O1PnK3zY0SuZynhKJnTaFouN45iMnnNQS6XMKd9Tm5WpSRbxfaOeuIZ\nybvOmNy0nuxkvqcE5fXIyr9bDCO9WEArQIQqjGJ93zKJpV2nT9Q7heTK430z7Hp3\n+XxwGXoKsLW/jebr3ryWTMEv8ouEbXeCz2OH6Oup8UIwXDyjYxwhwS5FAcRQdh4K\nnhHOLGYVAuVR3wPewtrTioYznFdfwtDHGd9fZVxrXPlVqCksj0CTnPf7UgXtjm2h\nTfkwHHtW2BegWR/q3+q9gs7uehc=\n-----END CERTIFICATE-----\n",
         "key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDEEnW885Hp+2Q7\nl+KCtKPOwfPIVOLKshgygWIAXC8z5TKnA1N9qbB2BvpDpWUKdXrYuBzWcNH/PHwr\nJvX42AHGeXCZJDSXzuRH934/fjMQHTFJquoP4rziUlRJfT+pwJcuvgxgGLI5xgzN\nqD7gZZp/9LVm5OdXU1poQviUel+hwV5eiT1r1fOe5LOiXkLwp3kBLlqGrtRPFIIa\n+20qkvnFh5ZcnRmOmm2vcAnI7OaNc2rSLHVbvkFuY8mMEx8rtthq0dQyyy1Ucudi\n3cLCI2x8Px0qQFUqWH4LgNaj7VZjlU1NPE8LjsSPLasZsMsn0wt22fo+v5bJbaZ3\nN3QQqM0VAgMBAAECggEBAKrgF6Hrd9+9yhWxgaM9gIDhQO73I4tY+IOThHAh5rVI\nawNof6vFZdcGr7aiftNFnSEgG2m7exgAg4or8zPCNJHfJgUgq4Eduo8JnwoAlsnV\nVy4HeOMNTGXFMFW3hPMQt/DxieF5xGFbO69DkECJ68LV5f3dQcw2BVVWAEON/qf9\nUhgEnx79OdiCYzyoHjxaHoXk9cVTUtXwmU0lphRFT14W2Py0KZ5vA8JEefoZl/qE\no42iR0KB4eDj/LiduWAMKDLN/u0Dmq3WxLvw7LHnlqENTEY56Lw1sbMQlmvl0zCD\n68BeMz+Mvlm7VRSCxR+3uX6Nli3eb2EsYziZIlt00iUCgYEA4ZNvp0u6vXQAf7IG\nESuhu3u4cD6K8iJ6BT+O64yHJzc17e9lt+p89GasTtkgeEH/lr+XxScVBYndi/8v\naqsA47bkIoWVvcXq7C4jkv0bPelpaI/KPGfoZC1etR102+dS1ZufxzwSo64drw+H\nPuwaIkXvmpK4MBI9jEYoOHh9KR8CgYEA3oRU/iCWvKOGHlR9BmcBysVGmkvBwj8X\nLTJGfxJkm3M9utLSg0uNo7vW0Zm88KdzdeaRBt6ltZAG3hBL0mHNwC0hYRv5fzO7\nyczWFLPXbUNVqC5OLI+wTL7+ikx040lL9IRRtgub47+9IvxxaGaIRzsFwa+15D7T\nCE7K8BydH0sCgYEAivnkC2VL2tcyS3op5MBF95Vk77qIrl9xX/RloFfHGPEaB8q7\nl5EfhRAQzs9VAuJejsjhv7SxbeUfmtYQp55NgP44FdDJjc73SqWugyvvcbhxmdsl\nFQxLkBSnydwpGCav0Sz9RqmLLk7iuO1PPQQHoeAGm+wTEILcaqT6uLf7HK8CgYBO\nlloWLphOI0q454oIetTNMoNO9zaFThb3ZWw0cOCLblX853xl1oc9rpeeCzgJnnpO\nx5Gs5XGNAEMMpqDAur4aA1Zon6KsZC8MhIWPZjzNYByee0wsvMq9MC9h1MLrivWC\ndEEPlGYIN62q75F2F9BFp/jOgSoyZGXP51QRHWn4pQKBgCEy7GsS3sAj3GiTmCkV\nvR3gKSlSKmJULmI+8EoT6tzYhMvyqoCHPtll2DHzBeqA6Il2DKz+gFbKln2+LrPU\nrb2rgK9e8qdZH9X36Ws8u9YA/VasGQRUFIAcFcNWoBBX79nBQ/89zrPubaN2Rh9B\nKuUEGLKAzDf1JIzseUr8jdvw\n-----END PRIVATE KEY-----\n"
     },
     "client2": {
         "client_id": "pkjwt-two",
+        "client_name": "pkjwt-two",
         "scope": "openid offline_access",
         "jwks": {
             "keys": [
@@ -49,7 +54,8 @@
                     "use": "sig"
                 }
             ]
-        }
+        },
+        "acr_value": "urn:mace:incommon:iap:silver"
     },
     "mtls2": {
         "cert": "-----BEGIN CERTIFICATE-----\nMIIC4DCCAcgCCQDO8JBSH914NDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJD\nWjEPMA0GA1UEBwwGUHJhZ3VlMRIwEAYDVQQDDAlwa210bHN0d28wHhcNMTkwNjE4\nMTIzMjAxWhcNMjAwNjE3MTIzMjAxWjAyMQswCQYDVQQGEwJDWjEPMA0GA1UEBwwG\nUHJhZ3VlMRIwEAYDVQQDDAlwa210bHN0d28wggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQDhqVAaMsvnCETzDtKwfKxZC1jwIOhIyUp8xp+2oN+pJwtqP0Up\nkLlTV7MD94HZSL3n3f9hsG6appRQGGAJ2ThOw1N9zlAr7Sk9YH6Gtu3bYSDvS6wa\nKjVoxGrrmLfyuoEbv3PDqMWuOjE3MT/G1nwUBgIEKYAr8hizY8dUE0Z2qWvKFZJj\n6etjCXEppjXuwlSusHWw/tj/ePMMxMAJMPPhzJeh6AL7iUKBisJysPuaWrS9ntdP\nxv9PS40sv6cZT4woxmE6tpTCkAxabXqA25SgJOyKOjnvg+BPNlrucLqHw3ErWrxY\nTL99cHqhexO6K4FaspW3+1kuWd3fY4Cm+zkTAgMBAAEwDQYJKoZIhvcNAQELBQAD\nggEBALsB6MGWke5vS1TB3Z+NJkC29bEIb3XGC9WaxRovH0jqaaua2AfAF7VZzUyW\nS/+r6hvWOtqUVy7YF1ThnEJXuXJG9ra2B2+F5RYNCtrVj6Bi+zDTSJ4IvQfrF0XB\nKwwOdRu7VJpAxvweA/3woKl6Cjfy20ZupPH9mxr1R78BMKgEtdFsiLwbB7MOdDbT\nLsrUcEcupXv+gZek22upQKrAk/XFP067KIqKmCEhDidxhP251SloUaruv9cHEx0a\nDKol9eR465FAiBLvg2N7qJHCKlWdn99SgN4Y3kINsuFR7Tj4QIJZNubOjV0YeOgn\nAWzRJlZD89KZAQgjj4Z215QeLxA=\n-----END CERTIFICATE-----\n",

diff --git a/certification/runner/index.js b/certification/runner/index.js
@@ -52,7 +52,10 @@ runner.createTestPlan({
   planName: PLAN_NAME,
   variant: VARIANT,
 }).then((plan) => {
-  const { id: PLAN_ID, modules: MODULES } = plan;
+  let { modules: MODULES } = plan;
+  const { id: PLAN_ID } = plan;
+
+  MODULES = MODULES.sort(() => Math.random() - 0.5);
 
   debug('Created test plan, new id %s', PLAN_ID);
   debug('%s/plan-detail.html?plan=%s', SUITE_BASE_URL, PLAN_ID);
@@ -96,7 +99,7 @@ runner.createTestPlan({
     if (configuration.alias) {
       parallel.limit(1);
     } else {
-      parallel.limit(5);
+      parallel.limit(10);
     }
   });