Logout Conformance Testing for OpenID Connect OPs
This page describes how to run logout conformance tests for OpenID Providers (OPs).
Background
Logout functionality for OpenID Connect is defined in four specifications:
- OpenID Connect RP-Initiated Logout 1.0: Defines how a Relying Party requests that an OpenID Provider log out the End-User
- OpenID Connect Session Management 1.0: Defines RP-Initiated Logout functionality and iFrame-based Logout functionality
- OpenID Connect Front-Channel Logout 1.0: Defines a logout mechanism that uses front-channel communication via the User Agent between the OP and RPs being logged out
- OpenID Connect Back-Channel Logout 1.0: Defines a logout mechanism that uses direct back-channel communication between the OP and RPs being logged out
Note that the RP-Initiated Logout mechanism is independent of the three mechanisms for communicating logout messages from OPs to RPs and can be used in combination with any of them. OP Logout Certification is therefore factored into four conformance profiles:
- RP-Initiated Logout OP: Tests OP logout initiated by an RP
- Session Management OP: Tests RP logout using iFrame-based messages from OPs to RPs
- Front-Channel Logout OP: Tests RP logout using User Agent-based Front-Channel logout messages from OPs to RPs
- Back-Channel Logout OP: Tests RP logout using Back-Channel logout messages from OPs to RPs
These are available in the suite as, respectively:
- OpenID Connect Core: Rp Initiated Logout Certification Profile Authorization server test
- OpenID Connect Core: Session Management Certification Profile Authorization server test
- OpenID Connect Core: Frontchannel Rp Initiated Logout Certification Profile Authorization server test
- OpenID Connect Core: Backchannel Rp Initiated Logout Certification Profile Authorization server test
A logout certification submission must support RP-Initiated Logout OP and one or more of the other three logout profiles.
The logout conformance profiles require you to submit test runs for all the response_type values supported by your implementation.
Running Tests
For general use of the suite, see OP testing instructions.
If you are not using Dynamic Client Registration, you will need to manually configure these values in your testing configuration. Replace <ALIAS> with the unique alias you set in your test configuration.
- post_logout_redirect_uris: https://www.certification.openid.net/test/a/<ALIAS>/post_logout_redirect
- frontchannel_logout_uri: https://www.certification.openid.net/test/a/<ALIAS>/frontchannel_logout
- frontchannel_logout_session_required: true
- backchannel_logout_uri: https://www.certification.openid.net/test/a/<ALIAS>/backchannel_logout
- backchannel_logout_session_required: true
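A pre-flight check for the static-registration case above, as an added example that is not part of the original page or the conformance suite: it compares the OP's client record with the values listed above and maps OP discovery metadata to the four logout profiles. The discovery field names come from the logout specifications; treating `*_session_supported` as required for the front- and back-channel profiles is an assumption based on the `*_session_required: true` settings above, and `op.example.com` is a constructed sample.

```python
BASE = "https://www.certification.openid.net/test/a/"  # suite base URL, from the page

def expected_client_metadata(alias):
    """Client settings the page lists for static registration, for one alias."""
    root = f"{BASE}{alias}/"
    return {
        "post_logout_redirect_uris": [root + "post_logout_redirect"],
        "frontchannel_logout_uri": root + "frontchannel_logout",
        "frontchannel_logout_session_required": True,
        "backchannel_logout_uri": root + "backchannel_logout",
        "backchannel_logout_session_required": True,
    }

def client_mismatches(alias, registered):
    """Names of settings on the OP's client record that differ from the expected ones."""
    def ok(want, have):
        # Extra registered URIs are fine; the suite's URI must appear exactly.
        if isinstance(want, list):
            return isinstance(have, list) and all(u in have for u in want)
        return have == want
    expected = expected_client_metadata(alias)
    return [k for k, want in expected.items() if not ok(want, registered.get(k))]

def eligible_profiles(discovery):
    """Logout profiles the OP's discovery metadata says it can be tested for."""
    def both(prefix):
        # Assumption: *_session_required=true on the client needs *_session_supported on the OP.
        return bool(discovery.get(prefix + "_logout_supported")
                    and discovery.get(prefix + "_logout_session_supported"))
    checks = [
        ("RP-Initiated Logout OP", bool(discovery.get("end_session_endpoint"))),
        ("Session Management OP", bool(discovery.get("check_session_iframe"))),
        ("Front-Channel Logout OP", both("frontchannel")),
        ("Back-Channel Logout OP", both("backchannel")),
    ]
    return [name for name, ok in checks if ok]

def submission_ok(profiles):
    """The page's rule: RP-Initiated Logout OP plus one or more of the other three."""
    return "RP-Initiated Logout OP" in profiles and len(profiles) >= 2

# Constructed sample: discovery metadata of a hypothetical OP at op.example.com.
SAMPLE_DISCOVERY = {
    "end_session_endpoint": "https://op.example.com/logout",
    "backchannel_logout_supported": True, "backchannel_logout_session_supported": True,
    "frontchannel_logout_supported": True,  # no session support: sid would be missing
}
```

A trailing slash or other near-match on a registered URI is reported as a mismatch, because the comparison is exact string equality.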
Submission of Results
Once you have finished testing, submit your results as described at Submission of Results for OPs. Note that separate submission files should be sent for each of the four logout conformance profiles supported by your implementation. As described above, a successful logout certification application will contain at least two and up to four submissions – one for each of the supported logout profiles.