The test description files are JSON documents. Each of these documents contains a JSON object with a set of keys and values. The possible keys are:
These will be described one by one below.
Lists the assertions that are performed after a test has completed.
An example is:
"assert": { "verify-response": { "response_cls": [ "OpenIDSchema" ] } }
The interpretation of this is that the assertion with the identifier verify-response will be executed with the argument response_cls=["OpenIDSchema"].
If a test run reaches the end of the request sequence, the assertion checks are run one after the other.
When some assertion checks fail, the failure is registered as an Error; for other checks a failure is logged as a Warning. For a few checks, how a failure is interpreted is configurable.
To get the result of the whole test run, the results of the assertion checks are combined: if there is one or more Error failures, the result of the test is an Error. If there are no Error failures but at least one Warning failure, the result is a Warning. If no failures are encountered, the result is logged as a Success.
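The combination rule above, worked through in code. This is an added example and not code from the test tool this page documents: the check names and the Error/Warning/configurable rule are taken from the page, while the check bodies, the severity table (DEFAULT_SEVERITY), the Result enum and the sample response are assumptions made for the example.

```python
"""Combine the outcomes of the checks under an "assert" key into one result."""
import json
from enum import IntEnum


class Result(IntEnum):
    """Ordered so that max() over per-check results yields the overall result."""
    SUCCESS = 0
    WARNING = 1
    ERROR = 2


# What a failed check counts as. "configurable" means the tool's configuration
# decides. Assumed table for this example, not the tool's real one.
DEFAULT_SEVERITY = {
    "verify-response": Result.ERROR,
    "check-http-response": Result.ERROR,
    "verify-claims": Result.WARNING,
    "is-idtoken-signed": "configurable",
}


# Hypothetical check implementations operating on a dict that stands in for
# the last response received. Each takes the arguments given in the test
# description as keyword arguments (e.g. response_cls from the page's example).
def verify_response(response, response_cls=(), **_):
    return response.get("cls") in response_cls


def check_http_response(response, **_):
    return 200 <= response.get("status", 0) < 400


def verify_claims(response, **_):
    return bool(response.get("claims"))


def is_idtoken_signed(response, **_):
    return response.get("id_token_alg", "none") != "none"


CHECKS = {
    "verify-response": verify_response,
    "check-http-response": check_http_response,
    "verify-claims": verify_claims,
    "is-idtoken-signed": is_idtoken_signed,
}


def run_assertions(assert_spec, response, configured=None):
    """Run each check named in the "assert" object, in order.

    Returns (overall, per_check). A failed check contributes its severity and
    the overall result is the worst severity seen: any Error wins, then
    Warning, otherwise Success.
    """
    configured = configured or {}
    per_check = {}
    overall = Result.SUCCESS
    for name, args in assert_spec.items():
        passed = CHECKS[name](response, **(args or {}))
        if passed:
            per_check[name] = Result.SUCCESS
            continue
        severity = DEFAULT_SEVERITY[name]
        if severity == "configurable":
            # Configurable checks default to Warning unless the tester says otherwise.
            severity = configured.get(name, Result.WARNING)
        per_check[name] = severity
        overall = max(overall, severity)
    return overall, per_check


# Constructed sample: the page's "assert" object plus two more checks, run
# against a fake UserInfo response whose ID Token was not signed.
SAMPLE_ASSERT = json.loads(
    '{"assert": {"verify-response": {"response_cls": ["OpenIDSchema"]},'
    ' "check-http-response": null, "is-idtoken-signed": null}}'
)["assert"]
SAMPLE_RESPONSE = {
    "cls": "OpenIDSchema",
    "status": 200,
    "claims": {"sub": "constructed-subject"},
    "id_token_alg": "none",
}

if __name__ == "__main__":
    print(run_assertions(SAMPLE_ASSERT, SAMPLE_RESPONSE))
    print(run_assertions(SAMPLE_ASSERT, SAMPLE_RESPONSE,
                         configured={"is-idtoken-signed": Result.ERROR}))
```

With the sample response the only failing check is the configurable is-idtoken-signed, so the run is a Warning by default and becomes an Error once the tester configures that check as one.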
A human readable description of what the test is trying to accomplish.
Which group the test belongs to. When the tests are presented to the tester, tests belonging to the same group are listed together under the group header.
Present list of used groups:
In some cases the test tool needs to pass information to the tester. This is where that information is stored.
Links to parts of the OpenID Connect and accompanying standards that are tested by the test.
The complete flow of a test. This consists of a number of requests.
Before a request is issued, the arguments of the request may be set to specific values. Also, before a request is sent, a check may be performed to determine whether there is any point in sending it. One reason there might not be is that the OP does not support the functionality under test.
A simple example of a sequence:
"sequence": [ { "Webfinger": { "set_webfinger_resource": null } }, { "Discovery": { "set_discovery_issuer": null } } ]
This sequence contains two requests, the first being a Webfinger request and the second a discovery request. Before the Webfinger request is sent, the Webfinger resource is specified by the set_webfinger_resource function. Similarly, before the discovery request is sent, the issuer is collected using the set_discovery_issuer function.
Note: If Webfinger is not supported, that request is not sent. The same goes for discovery, which means that running this test against an OP that does not support dynamic discovery is useless.
A slightly more complex sequence:
"sequence": [
    { "Webfinger": { "set_webfinger_resource": null } },
    { "Discovery": { "set_discovery_issuer": null } },
    "Registration",
    { "AsyncAuthn": { "set_response_where": null } },
    { "AccessToken": { "conditional_execution": { "return_type": [ "CIT", "CI", "C", "CT" ] } } },
    { "UserInfo": { "set_op_args": { "method": "POST", "authn_method": "token_in_message_body" } } }
]
This starts in the same way as the previous one: Webfinger, provider info discovery and client registration are performed if supported.
Then follow an authorization request, an access token request and finally a UserInfo request.
Note: The access token request will only be performed if the response_type is one of "code", "code token", "code id_token" or "code id_token token".
Note: The UserInfo request will be formed as described in Section 2.2 of RFC 6750 (access token sent as a form-encoded body parameter).
Specifies when the test can be used. This is connected to the test profiles.
Example:
"usage": { "sig": true, "register": true, "extra": true }
This specific test will be included if the tester has specified that extra tests should be used and the OpenID Provider under test supports dynamic registration and signature creation/verification.
The complete set of usage demands is:
Mandatory to implement NOT USED
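The selection and sequencing rules described above (usage demands matched against the tester's profile, unsupported requests skipped, conditional_execution keyed on the abbreviated response_type), worked through in code. This is an added example, not the test tool's own code: the JSON is the page's own sequence and usage example, while the profile flags, the REQUIRES lookup and the usage_allows/plan_sequence functions are assumptions made here.

```python
"""Decide whether a test is selected and which of its requests would be sent."""
import json

# The page's more complex sequence together with its usage example.
SAMPLE_TEST = json.loads("""{
  "usage": {"sig": true, "register": true, "extra": true},
  "sequence": [
    {"Webfinger": {"set_webfinger_resource": null}},
    {"Discovery": {"set_discovery_issuer": null}},
    "Registration",
    {"AsyncAuthn": {"set_response_where": null}},
    {"AccessToken": {"conditional_execution": {"return_type": ["CIT", "CI", "C", "CT"]}}},
    {"UserInfo": {"set_op_args": {"method": "POST", "authn_method": "token_in_message_body"}}}
  ]
}""")

# Assumed: which profile flag a request depends on. A request whose flag is
# false is simply not sent, as the page describes for Webfinger and discovery.
REQUIRES = {"Webfinger": "webfinger", "Discovery": "discovery", "Registration": "register"}


def usage_allows(usage, profile):
    """A test is selected only if every demand set to true in its usage
    object is also true in the tester's profile (assumed semantics)."""
    return all(profile.get(key, False) for key, demanded in usage.items() if demanded)


def return_type_code(response_type):
    """Abbreviate a response_type: "code id_token token" -> "CIT". The letters
    match the values the page uses under conditional_execution."""
    letters = {"code": "C", "id_token": "I", "token": "T"}
    return "".join(letters[part] for part in response_type.split())


def plan_sequence(sequence, profile, response_type):
    """Return [(request name, pre-request settings)] for the requests that
    would actually be sent, applying the unsupported-feature skip and any
    conditional_execution clause."""
    planned = []
    for step in sequence:
        # A step is either a bare request name or a one-key object
        # mapping the request name to its pre-request settings.
        if isinstance(step, str):
            name, args = step, {}
        else:
            (name, args), = step.items()
        args = args or {}
        needed = REQUIRES.get(name)
        if needed and not profile.get(needed, False):
            continue
        cond = args.get("conditional_execution", {})
        if "return_type" in cond and return_type_code(response_type) not in cond["return_type"]:
            continue
        settings = {k: v for k, v in args.items() if k.startswith("set_")}
        planned.append((name, settings))
    return planned


if __name__ == "__main__":
    # Constructed profile: extra tests on, dynamic registration and signing
    # supported, discovery supported, but no Webfinger.
    profile = {"sig": True, "register": True, "extra": True,
               "webfinger": False, "discovery": True}
    if usage_allows(SAMPLE_TEST["usage"], profile):
        for name, settings in plan_sequence(SAMPLE_TEST["sequence"], profile, "id_token token"):
            print(name, settings)
```

Against that profile the Webfinger request is dropped, and with response_type "id_token token" the AccessToken request is dropped as well because "IT" is not among the listed return types; with "code" it is kept.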
Claims request with essential name claim
JSON description | OP-claims-essential |
In-flow checks | |
Assertions | verify-claims, check-http-response |
Group | claims Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Access token request with client_secret_basic authentication
JSON description | OP-ClientAuth-Basic-Dynamic |
In-flow checks | |
Assertions | verify-response |
Group | Client Authentication |
Return Types | Code, Code IDToken, Code IDToken Token, Code Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Access token request with client_secret_basic authentication
JSON description | OP-ClientAuth-Basic-Static |
In-flow checks | |
Assertions | verify-response |
Group | Client Authentication |
Return Types | Code, Code IDToken, Code IDToken Token, Code Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Access token request with client_secret_post authentication
JSON description | OP-ClientAuth-SecretPost-Dynamic |
In-flow checks | |
Assertions | verify-response |
Group | Client Authentication |
Return Types | Code, Code IDToken, Code IDToken Token, Code Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Access token request with client_secret_post authentication
JSON description | OP-ClientAuth-SecretPost-Static |
In-flow checks | |
Assertions | verify-response |
Group | Client Authentication |
Return Types | Code, Code IDToken, Code IDToken Token, Code Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verify that claims_supported is published
JSON description | OP-Discovery-claims_supported |
In-flow checks | |
Assertions | providerinfo-has-claims_supported, check-http-response |
Group | Discovery |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Publishes openid-configuration discovery information
JSON description | OP-Discovery-Config |
In-flow checks | |
Assertions | check-http-response, verify-op-endpoints-use-https, verify-https-usage, verify-id_token_signing-algorithm-is-supported |
Group | Discovery |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Keys in OP JWKs well formed
JSON description | OP-Discovery-JWKs |
In-flow checks | |
Assertions | check-http-response, verify-base64url |
Group | Discovery |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata https://tools.ietf.org/html/rfc7517#section-5 |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verify that jwks_uri is published
JSON description | OP-Discovery-jwks_uri |
In-flow checks | |
Assertions | bare-keys, providerinfo-has-jwks_uri, check-http-response |
Group | Discovery |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Request with display=page
JSON description | OP-display-page |
In-flow checks | |
Assertions | verify-response |
Group | display Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest |
Note | To make sure you get a login page, please remove any cookies you may have received from the OpenID Provider before proceeding. You should get a normal user agent login page view. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Request with display=popup
JSON description | OP-display-popup |
In-flow checks | |
Assertions | verify-response |
Group | display Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest |
Note | To make sure you get a login page, please remove any cookies you may have received from the OpenID Provider before proceeding. You should get a popup user agent login window. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
ID Token has at_hash when ID Token and Access Token are returned from the Authorization Endpoint
JSON description | OP-IDToken-at_hash |
In-flow checks | |
Assertions | verify-authn-response |
Group | ID Token |
Return Types | IDToken Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#IDToken https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Does the OP sign the ID Token and with what
JSON description | OP-IDToken-C-Signature |
In-flow checks | |
Assertions | verify-response, is-idtoken-signed |
Group | ID Token |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#IDToken |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
ID Token has c_hash when ID Token and Authorization Code returned from Authorization Endpoint [Hybrid]
JSON description | OP-IDToken-c_hash |
In-flow checks | |
Assertions | verify-authn-response |
Group | ID Token |
Return Types | Code IDToken, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#IDToken https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
IDToken has kid [Basic, Implicit, Hybrid]
JSON description | OP-IDToken-kid |
In-flow checks | |
Assertions | verify-response, verify-signed-idtoken-has-kid |
Group | ID Token |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#Signing |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Unsecured ID Token signature with null [Basic]
JSON description | OP-IDToken-none |
In-flow checks | |
Assertions | unsigned-idtoken, verify-response |
Group | ID Token |
Return Types | Code, Code Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#IDToken |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Asymmetric ID Token signature with RS256
JSON description | OP-IDToken-RS256 |
In-flow checks | |
Assertions | verify-idtoken-is-signed, verify-response |
Group | ID Token |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#Signing https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
ID Token has nonce when requested for code flow
JSON description | OP-nonce-code |
In-flow checks | |
Assertions | verify-nonce, verify-response |
Group | nonce Request Parameter |
Return Types | Code |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest https://openid.net/specs/openid-connect-core-1_0.html#IDToken |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Request with nonce, verifies it was returned in ID Token [Implicit, Hybrid]
JSON description | OP-nonce-noncode |
In-flow checks | |
Assertions | check-idtoken-nonce, verify-response |
Group | nonce Request Parameter |
Return Types | IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest https://openid.net/specs/openid-connect-core-1_0.html#IDToken |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Login no nonce, code flow [Basic]
JSON description | OP-nonce-NoReq-code |
In-flow checks | |
Assertions | verify-response |
Group | nonce Request Parameter |
Return Types | Code |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Reject requests without nonce unless using the 'code' or 'code token' flow
JSON description | OP-nonce-NoReq-noncode |
In-flow checks | |
Assertions | verify-response |
Group | nonce Request Parameter |
Return Types | IDToken, IDToken Token, Code IDToken, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest https://openid.net/specs/openid-connect-core-1_0.html#IDToken |
Note | There are two acceptable outcomes: (1) returning an error response to the RP or (2) returning an error message to the End-User. In case (2), you must submit a screen shot of the error shown as part of your certification application. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Trying to use authorization code twice should result in an error
JSON description | OP-OAuth-2nd |
In-flow checks | |
Assertions | check-http-error-response, verify-response |
Group | OAuth behaviors |
Return Types | Code, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://tools.ietf.org/html/rfc6749#section-4.1.2 |
Note | This test should result in the OpenID Provider returning an error message. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Trying to use authorization code twice with 30 seconds in between uses must result in an error
JSON description | OP-OAuth-2nd-30s |
In-flow checks | |
Assertions | check-http-error-response, verify-response |
Group | OAuth behaviors |
Return Types | Code, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://tools.ietf.org/html/rfc6749#section-4.1.2 |
Note | A 30 second delay is added between the first and the second use of the authorization code. This test should result in the OpenID Provider returning an error message. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Trying to use authorization code twice should result in revoking previously issued access tokens
JSON description | OP-OAuth-2nd-Revokes |
In-flow checks | |
Assertions | verify-response |
Group | OAuth behaviors |
Return Types | Code, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://tools.ietf.org/html/rfc6749#section-4.1.2 |
Note | This test should result in the OpenID Provider returning an error message after the userinfo endpoint is accessed with a revoked access token. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Request with prompt=login
JSON description | OP-prompt-login |
In-flow checks | |
Assertions | multiple-sign-on, verify-response |
Group | prompt Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest |
Note | You should be prompted to authenticate or re-authenticate. Please submit a screen shot of any authentication user interaction that occurred as part of your certification application. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Request with prompt=none when logged in [Basic, Implicit, Hybrid]
JSON description | OP-prompt-none-LoggedIn |
In-flow checks | |
Assertions | same-authn, verify-response |
Group | prompt Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Request with prompt=none when not logged in
JSON description | OP-prompt-none-NotLoggedIn |
In-flow checks | |
Assertions | verify-error-response |
Group | prompt Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest |
Note | This tests what happens if the authentication request specifies that no interaction may occur with the End-User and no recent enough authentication is present to enable a silent login. Please remove any cookies you may have received from the OpenID Provider before proceeding. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Reject request without redirect_uri when multiple registered
JSON description | OP-redirect_uri-Missing |
In-flow checks | |
Assertions | verify-response |
Group | redirect_uri Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest |
Note | This test should result in the OpenID Provider displaying an error message in your user agent. You should ignore the status of this test in the test tool, since it will be incomplete. You must submit a screen shot of the error shown as part of your certification application. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Sent redirect_uri does not match a registered redirect_uri
JSON description | OP-redirect_uri-NotReg |
In-flow checks | |
Assertions | verify-response |
Group | redirect_uri Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest |
Note | This test should result in the OpenID Provider displaying an error message in your user agent. You should ignore the status of this test in the test tool, since it will be incomplete. You must submit a screen shot of the error shown as part of your certification application. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Request with redirect_uri with query component when registered redirect_uri has no query component
JSON description | OP-redirect_uri-Query-Added |
In-flow checks | |
Assertions | verify-response |
Group | redirect_uri Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://tools.ietf.org/html/rfc6749#section-3.1.2 |
Note | This test should result in the OpenID Provider displaying an error message in your user agent. You should ignore the status of this test in the test tool, since it will be incomplete. You must submit a screen shot of the error shown as part of your certification application. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Rejects redirect_uri when query parameter does not match what is registered
JSON description | OP-redirect_uri-Query-Mismatch |
In-flow checks | |
Assertions | verify-response |
Group | redirect_uri Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://tools.ietf.org/html/rfc6749#section-3.1.2 |
Note | This test should result in the OpenID Provider displaying an error message in your user agent. You should ignore the status of this test in the test tool, since it will be incomplete. You must submit a screen shot of the error shown as part of your certification application. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Request with a redirect_uri with a query component when a redirect_uri with the same query component is registered
JSON description | OP-redirect_uri-Query-OK |
In-flow checks | |
Assertions | check-query-part, verify-response |
Group | redirect_uri Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://tools.ietf.org/html/rfc6749#section-3.1.2 |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Reject registration where a redirect_uri has a fragment
JSON description | OP-redirect_uri-RegFrag |
In-flow checks | |
Assertions | verify-error-response |
Group | redirect_uri Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://tools.ietf.org/html/rfc6749#section-3.1.2 |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Client registration request
JSON description | OP-Registration-Dynamic |
In-flow checks | |
Assertions | check-http-response |
Group | Dynamic Client Registration |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationRequest |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verify that registration_endpoint is published
JSON description | OP-Registration-Endpoint |
In-flow checks | |
Assertions | verify-op-has-registration-endpoint |
Group | Dynamic Client Registration |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Uses keys registered with jwks value
JSON description | OP-Registration-jwks |
In-flow checks | |
Assertions | verify-response |
Group | Dynamic Client Registration |
Return Types | Code, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Uses keys registered with jwks_uri value
JSON description | OP-Registration-jwks_uri |
In-flow checks | |
Assertions | verify-response |
Group | Dynamic Client Registration |
Return Types | Code, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Registration with logo_uri
JSON description | OP-Registration-logo_uri |
In-flow checks | |
Assertions | verify-authn-response |
Group | Dynamic Client Registration |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata |
Note | This test verifies that an OP displays the RP's logo. To make sure you get a fresh login page, you need to remove any cookies you may have received from the OP before proceeding. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Registration with policy_uri
JSON description | OP-Registration-policy_uri |
In-flow checks | |
Assertions | verify-authn-response |
Group | Dynamic Client Registration |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata |
Note | This test verifies that an OP displays a link to the RP's policy document. To make sure you get a fresh login page, you need to remove any cookies you may have received from the OP before proceeding. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Incorrect registration of sector_identifier_uri
JSON description | OP-Registration-Sector-Bad |
In-flow checks | |
Assertions | |
Group | Dynamic Client Registration |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Registration with tos_uri
JSON description | OP-Registration-tos_uri |
In-flow checks | |
Assertions | verify-authn-response |
Group | Dynamic Client Registration |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata |
Note | This test verifies that an OP displays a link to the RP's terms of service. To make sure you get a fresh login page, you need to remove any cookies you may have received from the OP before proceeding. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Providing acr_values
JSON description | OP-Req-acr_values |
In-flow checks | |
Assertions | used-acr-value, verify-response |
Group | Misc Request Parameters |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#acrSemantics |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Providing claims_locales
JSON description | OP-Req-claims_locales |
In-flow checks | |
Assertions | check-http-response |
Group | Misc Request Parameters |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#ClaimsLanguagesAndScripts |
Note | This test requests that claims be returned using the specified locale(s). The use of this parameter in the request must not cause an error at the OP. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Using prompt=none with user hint through id_token_hint
JSON description | OP-Req-id_token_hint |
In-flow checks | |
Assertions | same-authn, verify-response |
Group | Misc Request Parameters |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Providing login_hint
JSON description | OP-Req-login_hint |
In-flow checks | |
Assertions | verify-authn-response |
Group | Misc Request Parameters |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest |
Note | Please remove any cookies you may have received from the OpenID Provider before proceeding. This test requests that you log in as a specific user, so a fresh login page is needed. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Requesting ID Token with max_age=1 seconds restriction
JSON description | OP-Req-max_age=1 |
In-flow checks | |
Assertions | claims-check, auth_time-check, multiple-sign-on, verify-response |
Group | Misc Request Parameters |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest |
Note | Wait at least one second before proceeding so that the max_age=1 period expires. You should be prompted to authenticate or re-authenticate. Please submit a screen shot of any authentication user interaction that occurred as part of your certification application. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Requesting ID Token with max_age=10000 seconds restriction
JSON description | OP-Req-max_age=10000 |
In-flow checks | |
Assertions | claims-check, same-authn, auth_time-check, verify-response |
Group | Misc Request Parameters |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Request with extra query component
JSON description | OP-Req-NotUnderstood |
In-flow checks | |
Assertions | verify-authn-response |
Group | Misc Request Parameters |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://tools.ietf.org/html/rfc6749#section-3.1.2 |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Providing ui_locales
JSON description | OP-Req-ui_locales |
In-flow checks | |
Assertions | verify-authn-response |
Group | Misc Request Parameters |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest |
Note | Please remove any cookies you may have received from the OpenID Provider before proceeding. You need to do this so you can check that the login page is displayed using one of the requested locales. The use of this parameter in the request must not cause an error at the OP. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Support request request parameter with unsigned request
JSON description | OP-request-Unsigned |
In-flow checks | |
Assertions | authn-response-or-error |
Group | request Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#RequestObject |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Support request_uri request parameter with signed request
JSON description | OP-request_uri-Sig |
In-flow checks | |
Assertions | authn-response-or-error |
Group | request_uri Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter https://openid.net/specs/openid-connect-core-1_0.html#SignedRequestObject |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Support request_uri request parameter with signed request
JSON description | OP-request_uri-Sig-any |
In-flow checks | |
Assertions | authn-response-or-error |
Group | request_uri Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter https://openid.net/specs/openid-connect-core-1_0.html#SignedRequestObject |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Support request_uri request parameter with unsigned request
JSON description | OP-request_uri-Unsigned |
In-flow checks | |
Assertions | verify-response |
Group | request_uri Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Request with response_type=code
JSON description | OP-Response-code |
In-flow checks | |
Assertions | verify-authn-response |
Group | Response Type |
Return Types | Code |
Link to specification | https://tools.ietf.org/html/rfc6749#section-4.1.2 |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Request with response_type=code id_token
JSON description | OP-Response-code+id_token |
In-flow checks | |
Assertions | verify-authn-response, check-idtoken-nonce |
Group | Response Type |
Return Types | Code IDToken |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Request with response_type=code id_token token
JSON description | OP-Response-code+id_token+token |
In-flow checks | |
Assertions | verify-authn-response |
Group | Response Type |
Return Types | Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Request with response_type=code token
JSON description | OP-Response-code+token |
In-flow checks | |
Assertions | verify-authn-response |
Group | Response Type |
Return Types | Code Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Request with response_mode=form_post
JSON description | OP-Response-form_post |
In-flow checks | |
Assertions | verify-authn-response |
Group | Response Mode |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html#FormPostResponseMode |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
This tests that error responses are also returned by response_mode=form_post
JSON description | OP-Response-form_post-Error |
In-flow checks | |
Assertions | verify-error-response |
Group | Response Mode |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html#FormPostResponseMode |
Note | This tests that error responses are also returned by response_mode=form_post by testing for a failed silent login with prompt=none. Please remove any cookies you may have received from the OpenID Provider before proceeding. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Request with response_type=id_token
JSON description | OP-Response-id_token |
In-flow checks | |
Assertions | verify-authn-response |
Group | Response Type |
Return Types | IDToken |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Request with response_type=id_token token
JSON description | OP-Response-id_token+token |
In-flow checks | |
Assertions | verify-authn-response |
Group | Response Type |
Return Types | IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Authorization request missing the response_type parameter
JSON description | OP-Response-Missing |
In-flow checks | |
Assertions | verify-error-response |
Group | Response Type |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://tools.ietf.org/html/rfc6749#section-3.1.1 |
Note | There are two acceptable outcomes: (1) returning an error response to the RP or (2) returning an error message to the End-User. In case (2), you must submit a screenshot of the error shown as part of your certification application. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Can rotate OP encryption keys
JSON description | OP-Rotation-OP-Enc |
In-flow checks | |
Assertions | check-http-response, new-encryption-keys |
Group | Key Rotation |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#RotateEncKeys |
Note | Please make your OP rotate its encryption keys now. If you are not able to cause the server to rotate the keys while running the test, then you will have to self-assert that your deployment can do OP encryption key rotation as part of your certification application. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Can rotate OP signing keys
JSON description | OP-Rotation-OP-Sig |
In-flow checks | |
Assertions | check-http-response, new-signing-keys |
Group | Key Rotation |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys |
Note | Please make your OP rotate its signing keys now. If you are not able to cause the server to rotate the keys while running the test, then you will have to self-assert that your deployment can do OP signing key rotation as part of your certification application. |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Request access token, change RSA signing key and request another access token
JSON description | OP-Rotation-RP-Sig |
In-flow checks | |
Assertions | check-http-response |
Group | Key Rotation |
Return Types | Code, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Scope requesting address claims
JSON description | OP-scope-address |
In-flow checks | |
Assertions | verify-scopes, check-http-response, verify-response |
Group | scope Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Scope requesting all claims
JSON description | OP-scope-All |
In-flow checks | |
Assertions | verify-scopes, check-http-response, verify-response |
Group | scope Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Scope requesting email claims
JSON description | OP-scope-email |
In-flow checks | |
Assertions | verify-scopes, check-http-response, verify-response |
Group | scope Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Scope requesting phone claims
JSON description | OP-scope-phone |
In-flow checks | |
Assertions | verify-scopes, check-http-response, verify-response |
Group | scope Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Scope requesting profile claims
JSON description | OP-scope-profile |
In-flow checks | |
Assertions | verify-scopes, check-http-response, verify-response |
Group | scope Request Parameter |
Return Types | Code, IDToken, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
UserInfo Endpoint access with POST and bearer body
JSON description | OP-UserInfo-Body |
In-flow checks | |
Assertions | verify-response |
Group | Userinfo Endpoint |
Return Types | Code, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#UserInfo |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
UserInfo Endpoint access with GET and bearer header
JSON description | OP-UserInfo-Endpoint |
In-flow checks | |
Assertions | verify-response |
Group | Userinfo Endpoint |
Return Types | Code, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
UserInfo Endpoint access with POST and bearer header
JSON description | OP-UserInfo-Header |
In-flow checks | |
Assertions | verify-response |
Group | Userinfo Endpoint |
Return Types | Code, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
RP registers userinfo_signed_response_alg to signal that it wants signed UserInfo returned
JSON description | OP-UserInfo-RS256 |
In-flow checks | |
Assertions | asym-signed-userinfo, verify-response |
Group | Userinfo Endpoint |
Return Types | Code, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
RP registers userinfo_signed_response_alg to signal that it wants signed UserInfo returned
JSON description | OP-UserInfo-sig-any |
In-flow checks | |
Assertions | verify-response |
Group | Userinfo Endpoint |
Return Types | Code, IDToken Token, Code IDToken, Code Token, Code IDToken Token |
Link to specification | https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata |
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verifies that the UserInfo was signed with an RSA key
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Check that the auth_time returned in the ID Token is in the expected range.
Parameter description:
:param max_age: Maximum age of the id_token (in seconds)
:type max_age: int
:param skew: The allowed clock skew in seconds
:type skew: int
Example: "auth_time-check": { "max_age": 1, "skew": 600 }
Possible outcome: Warning
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Checks that the last response was a JSON encoded authentication or error message
Parameter description:
:param error: The expected error messages
Example: "authn-response-or-error": { "error": [ "request_not_supported" ] }
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Dynamic OPs MUST publish their public keys as bare JWK keys
Possible outcome: Undefined
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Checks that an error status code is either 400 or 401, which are the only ones accepted by OAuth2/OIDC.
Possible outcome: Warning
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Checks that the HTTP response status is within the 200 or 300 range. Also does some extra JSON checks.
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verify that the nonce in the IDToken is the same as the one included in the Authorization Request.
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Check that a query part sent in the Authorization Request is returned in the Authorization Response.
Parameter description:
:param kwargs: key-value pairs that should be present in the query part
:type kwargs: dictionary
Example: "check-query-part": { "foo": "bar" }
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Checks whether specific claims are present or not
Parameter description:
:param id_token: Claims that should be present in the id_token
:type id_token: list of strings
:param required: Whether the claims are required
:type required: boolean
Example: "claims-check": { "required": true, "id_token": ["auth_time"] }
Possible outcome: Undefined
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Checks if the id_token is signed
Parameter description:
:param alg: Which algorithm should have been used
Example: "is-idtoken-signed": { "alg": "RS256" }
Possible outcome: Undefined
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verifies that multiple authentications were used in the flow
Parameter description:
:param status: Status code returned on error
:type status: integer (2=Warning, 3=Error)
Example: "multiple-sign-on": { "status": 2 }
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verifies that two sets of encryption keys are not the same
Possible outcome: Warning
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verifies that two sets of signing keys are not the same
Possible outcome: Warning
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Check that the claims_supported discovery metadata value is in the provider_info
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Check that the jwks_uri discovery metadata value is in the provider_info
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verifies that the same authentication was used twice in the flow.
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verifies that an IDToken is in fact unsigned, that is, signed with the 'none' algorithm.
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
The acr value in the ID Token
Possible outcome: Undefined
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Checks that the last response was a JSON encoded authentication message
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verifies that the base64 encoded parts of a JWK are in fact base64url encoded and not just base64 encoded
Parameter description:
:param err_status: Which error status should be reported
:type err_status: integer (2=Warning, 3=Error)
Example: "verify-base64url": { "err_status": 3 }
Possible outcome: Undefined
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verifies that the claims returned as UserInfo or in the ID Token are consistent with what was asked for
Parameter description:
:param userinfo: Whether the method should look for the claims in the UserInfo
:param id_token: Whether the method should look for the claims in the id_token
Example: "verify-claims": { "id_token": null }
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Checks that the last response was a JSON encoded error message
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verify that specific endpoints use https
Parameter description:
:param endpoints: Which OP endpoints should be checked
:type endpoints: list of strings
Example: "verify-https-usage": { "endpoints": ["initiate_login_uri"] }
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verify that the required algorithms are listed in id_token_signing_alg_values_supported
Parameter description:
:param algs: Which algorithms are required
:type algs: list of strings
Example: "verify-id_token_signing-algorithm-is-supported": { "algs": ["RS256"] }
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verifies that an ID Token is signed
Parameter description:
:param alg: Which signing algorithm was expected
:type alg: string
Example: "verify-idtoken-is-signed": { "alg": "HS256" }
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verifies that the nonce received in the IDToken is the same as the one given in the Authorization Request
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verify that all OP endpoints use https
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verify that the OP has a registration endpoint
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Checks that the last response was one of a possible set of OpenID Connect Responses
Parameter description:
:param response_cls: The response classes the test tool may have received
:type response_cls: list of strings
Example: "verify-response": { "response_cls": [ "AuthorizationResponse", "AccessTokenResponse" ] }
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verifies that the claims corresponding to the requested scopes are returned
Possible outcome: Warning
Java Implementation Status: Status TBD
Link to Java code: Link TBD
Verifies that the header of a signed IDToken includes a kid claim.
Possible outcome: Error
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"acr_value": null
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"check_config": { "login_hint": null }
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"check_support": { WARNING: {"scopes_supported": ["phone"]} }
"check_support": { ERROR: {"id_token_signing_alg_values_supported": null} }
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"claims_locales": null
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"conditional_execution": { "return_type": ["CIT", "CI", "C", "CT"] }
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"expect_exception": "RegistrationError"
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"id_token_hint": null
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"login_hint": null
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"multiple_return_uris": null
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"redirect_uri_with_query_component": { "foo": "bar" }
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"redirect_uris_with_fragment": { "foo": "bar" }
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"redirect_uris_with_query_component": { "foo": "bar" }
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"register": [ "userinfo_signed_response_alg" ]
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"request_in_file": null
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"set_discovery_issuer": null
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"set_essential_arg_claim": "name"
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"set_expect_error": { "error": [ "invalid_grant", "access_denied" ], "stop": false }
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"set_op_args": { "method": "GET", "authn_method": "bearer_header" }
"set_op_args": { "request_object_signing_alg": "RS256", "request_method": "request" }
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"set_redirect_uri": "authz_post"
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"set_redirect_uris": ["authz_post"]
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"set_request_args": { "claims": { "id_token": { "email": { "essential": true } } } }
"set_request_args": { "scope": [ "openid", "offline_access" ], "prompt": "consent" }
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"set_response_where": null
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"set_state": null
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"set_uri": [ "tos_uri", "static/tos.html" ]
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"set_webfinger_resource": null
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"static_jwk": null
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"store_sector_redirect_uris": { "other_uris": [ "https://example.com/op" ] }
Java Implementation Status: Status TBD
Link to Java code: Link TBD
"ui_locales": null
Java Implementation Status: Status TBD
Link to Java code: Link TBD