Conformance Testing for RPs
This is a historical page relating to the now-decommissioned old test suite – please see the current instructions.
This page describes how to run conformance tests and gather testing results for Relying Parties (RPs).
Determining which RP Conformance Profiles to Test
The first step in using the Relying Party library tests is to decide which RP conformance profiles you plan to test.
Most RPs will test the Basic RP profile and many will also test the Implicit RP and Hybrid RP profiles.
Most RPs will test the Config RP profile, which tests your ability to use OP configuration information from .well-known/openid-configuration endpoints.
Many RPs will also test the Dynamic RP profile, which tests your ability to dynamically register your RP with OPs. As a practical matter, given that the RP testing process uses a different OP path for each test, RP testing will be much easier if Dynamic Client Registration is used by the RP. Otherwise, manual registrations will have to be performed for each test.
The tests for each profile can be viewed at https://openid.net/certification/connect_rp_testing/ . The checkboxes on the page let you choose which Response Type or profile you want to see the test list for.
For example, when testing the Basic RP profile, after selecting the
code response type, the test with test ID “rp-response_type-code” and description “Can make request using response_type ‘code’” is one of the tests included.
NEW! Some RPs will choose to test the Form Post Response Mode with the Form Post RP profile. The form posts tests are currently displayed at https://openid.net/certification/connect_rp_testing/ for all response_type values.
Choosing Your Relying Party ID(s)
The RP testing tool uses a relying party ID string of your choosing as an index for keeping track of server-visible results for you. You should choose an RP ID string that contains a meaningful short name for your RP, consisting of only letters, numbers, dashes, underscores, and periods. For instance, the Apache OIDC RP module chose to use the RP ID string
Unless you’re only testing with the
code response type, it’s probably also useful to use a response type suffix on your RP ID, so that logs for different response_types are kept separate from one another. For instance, an example RP library named “myRP” might use these different relying party IDs during testing:
Test IDs, Issuers, and WebFinger
Each test has a unique test ID string. For instance, test IDs for the Basic profile include “rp-response_type-code” and “rp-id_token-bad-sig-rs256”.
An issuer value that identifies the test and your RP is used to run the test. It has the form:
For instance, the issuer used when testing the “code” response_type for the Apache OpenID Connect RP is:
If your RP supports WebFinger, you can look up the issuer for a test using either of these issuer identifier syntaxes:
Actual issuer identifier examples are:
Obtaining Configuration Information, Registering the RP, and Running the Test
Let ISSUER represent the issuer URL for a particular RP/test pair. The OP Configuration information for that pair is located at ISSUER/.well-known/openid-configuration, for example:
To run the test, first register the RP using the OP’s configuration information. The easiest way to do this is using OpenID Connect Dynamic Client Registration. Then perform an authentication, retrieve the UserInfo Endpoint contents, etc.
Note that for each test, it’s normal to (1) do a WebFinger lookup, (2) retrieve the OP configuration, (3) perform dynamic registration, (4) send an authentication request using the chosen response_type, and (5) process the authentication response. When preparing to submit a certification result, you’ll also (6) capture an RP log file and/or screen shot documenting how your RP handled the response.
Evaluating a Test Result
Each test description displayed from https://openid.net/certification/connect_rp_testing/ includes an “Expected result” section that describes what must happen when the test is run. For instance, the expected result for the test rp-id_token-bad-sig-rs256 (Rejects ID Token with invalid asymmetric ‘RS256’ signature) is “Identify the invalid signature and reject the ID Token after doing ID Token validation.” In this case the test passes only if the RP rejected the invalid ID Token signature returned by the test OP.
For each test, it is the responsibility of the tester to read and understand the expected result and determine whether the RP passed the test as described or not. This is because the RP test server typically doesn’t have enough information to determine whether the RP did the right thing with the information provided or not. In the rp-id_token-bad-sig-rs256 test, for instance, the tester should look for an error message produced by the RP saying that the ID Token signature was invalid. (When submitting certification results, a screen shot of the error produced would need to be included.) If the RP were to silently ignore the bad signature and proceed as if it was OK, then that would be an example of a failed result for that test.
Each test run will create a log entry at a path of the form:
An actual example server log entry path is:
The tester should also look at the log entry for the test and verify that no errors were identified by the test server and logged. For instance, were the RP to mistakenly not include the “scope” value in an authorization request, an error would be logged.
All test results for an RP can be viewed at a path of the form:
An actual example of such a set of test logs is:
More on Running Tests and Next Steps
Some profiles require you to run tests with multiple response_type values. The Implicit RP profile requires you to test both
id_token+token. The Hybrid RP profile requires you to test three combinations:
code+token. The RP will need to run these tests multiple times, using each of the required response_type values, to complete testing the profile. (Basic RP only requires you to test
response_type=code.) The Form Post RP profile requires you to run tests for all the response_type values supported by your implementation.
The Config and Dynamic profiles also are tested using
Certification of a profile requires that you have Success or Warning results for all tests in the profile. You cannot certify with any Failed results for the profile.
Third Party-Initiated Login RP Profile
A Third Party-Initiated Login RP test is now in production. This test is:
rp-3rd_party-init-login: Exposes a third-party initiated login endpoint that 3rd parties can use to start the SSO process. This test is initiated by the tester by accessing: https://<rp_test_host>:<rp_test_port>/rp/<rp_id>/rp-3rd_party-init-login/<client_id>. This will in its turn redirect the tester’s browser/client to the 3rd-party-init SSO endpoint of the RP which should then start the login towards the OP. The test is successful when an Authentication Request has been sent to the OP triggered by accessing the third-party initiated login URL.
Logout RP Profiles
NEW! Certification for RP deployments of logout functionality is currently in the pilot phase. Please test your logout implementations now!