Conformance Feature Information | OP Conformance Profiles
Feature Name | Conformance Test Name | Test ID | Basic, Implicit, Hybrid, Config, Dynamic

Response Type & Response Mode

Support code response_type | Request with response_type=code | OP-Response-code | y
Support id_token response_type | Request with response_type=id_token | OP-Response-id_token | y
Support id_token token response_type | Request with response_type=id_token token | OP-Response-id_token+token | y
Support code id_token response_type | Request with response_type=code id_token | OP-Response-code+id_token | y
Support code token response_type | Request with response_type=code token | OP-Response-code+token | y
Support code id_token token response_type | Request with response_type=code id_token token | OP-Response-code+id_token+token | y
Reject request without response_type | Authorization request missing the response_type parameter | OP-Response-Missing | y; y; y

ID Token

ID Token has iss claim | IdToken.verify() | | y; y; y
ID Token has sub claim | IdToken.verify() | | y; y; y
ID Token has aud claim | IdToken.verify() | | y; y; y
ID Token has iat claim | IdToken.verify() | | y; y; y
Does the OP sign the ID Token and with what | Does the OP sign the ID Token and with what | OP-IDToken-Signature | y; y; y
Asymmetric ID Token signature with RS256 | Asymmetric ID Token signature with RS256 | OP-IDToken-RS256 | y
ID Token has kid claim | IDToken has kid | OP-IDToken-kid | y; y; y
Unsecured ID Token signature with none | Unsecured ID Token signature with none | OP-IDToken-none | y if uses none; y if uses none; y if uses none
ID Token has at_hash when ID Token and Access Token returned from Authorization Endpoint | ID Token has at_hash when ID Token and Access Token returned from Authorization Endpoint | OP-IDToken-at_hash | y; y
ID Token has c_hash when ID Token and Authorization Code returned from Authorization Endpoint | ID Token has c_hash when ID Token and Authorization Code returned from Authorization Endpoint | OP-IDToken-c_hash | y

UserInfo Endpoint

Has UserInfo Endpoint | UserInfo Endpoint access with GET and bearer header | OP-UserInfo-Endpoint | y; y; y
UserInfo Endpoint access with header method | UserInfo Endpoint access with POST and bearer header | OP-UserInfo-Header | y; y; y
UserInfo Endpoint access with form-encoded body method | UserInfo Endpoint access with POST and bearer body | OP-UserInfo-Body | Warning if broken; Warning if broken; Warning if broken
UserInfo has sub claim | OpenIDSchema.verify() | | y; y; y
Can provide signed UserInfo response with RS256 | RP registers userinfo_signed_response_alg to signal that it wants signed UserInfo returned | OP-UserInfo-RS256 | y

nonce Request Parameter

Support requests without nonce when using the code flow | Login no nonce, code flow | OP-nonce-NoReq-code | y
Reject requests without nonce unless using the code flow | Reject requests without nonce unless using the code flow | OP-nonce-NoReq-noncode | y; y
ID Token has nonce when requested for code flow | ID Token has nonce when requested for code flow | OP-nonce-code | y
ID Token has nonce when requested for non-code flows | Request with nonce, verifies it was returned in ID Token | OP-nonce-noncode | y; y

scope Request Parameter

Support openid scope | Does the OP sign the ID Token and with what | OP-IDToken-Signature | no err; no err; no err
Support profile scope | Scope requesting profile claims | OP-scope-profile | no err; no err; no err
Support email scope | Scope requesting email claims | OP-scope-email | no err; no err; no err
Support address scope | Scope requesting address claims | OP-scope-address | no err; no err; no err
Support phone scope | Scope requesting phone claims | OP-scope-phone | no err; no err; no err
Support scope value requesting all basic claims | Scope requesting all claims | OP-scope-All | no err; no err; no err

display Request Parameter

Support display value page | Request with display=page | OP-display-page | no err; no err; no err
Support display value popup | Request with display=popup | OP-display-popup | no err; no err; no err

prompt Request Parameter

Support prompt value login | Request with prompt=login | OP-prompt-login | y; y; y
Support prompt value none | Request with prompt=none when not logged in | OP-prompt-none-NotLoggedIn | y; y; y
Support prompt value none | Request with prompt=none when logged in | OP-prompt-none-LoggedIn | y; y; y

Misc Request Parameters

Support max_age request parameter | Requesting ID Token with max_age=1 seconds restriction | OP-Req-max_age=1 | y; y; y
ID Token has auth_time claim when max_age in request | Requesting ID Token with max_age=1 seconds restriction | OP-Req-max_age=1 | y; y; y
Support max_age request parameter when max age reached | Requesting ID Token with max_age=1 seconds restriction | OP-Req-max_age=1 | Warning if no prompt; Warning if no prompt; Warning if no prompt
Support max_age request parameter when max age not reached | Requesting ID Token with max_age=10000 seconds restriction | OP-Req-max_age=10000 | y; y; y
Ignores not understood query parameter in Authentication Request | Request with extra query component | OP-Req-NotUnderstood | y; y; y
Support id_token_hint request parameter | Using prompt=none with user hint through id_token_hint | OP-Req-id_token_hint | SHOULD; SHOULD; SHOULD
Support login_hint request parameter | Providing login_hint | OP-Req-login_hint | no err; no err; no err
Support ui_locales request parameter | Providing ui_locales | OP-Req-ui_locales | no err; no err; no err
Support claims_locales request parameter | Providing claims_locales | OP-Req-claims_locales | no err; no err; no err
Support acr_values request parameter | Providing acr_values | OP-Req-acr_values | no err; no err; no err

OAuth Behaviors

OAuth state request value returned in response | VerifyState() | | y; y; y
Reject second use of Authorization Code | Trying to use authorization code twice should result in an error | OP-OAuth-2nd | Warning if under 30s; Warning if under 30s
Reject second use of Authorization Code after 30 seconds | Trying to use authorization code twice with 30 seconds in between must result in an error | OP-OAuth-2nd-30s | OAuth MUST; OAuth MUST
Second use of Authorization Code revokes previously issued Access Token | Trying to use authorization code twice should result in revoking previously issued access tokens | OP-OAuth-2nd-Revokes | OAuth SHOULD; OAuth SHOULD
Reject second use of Authorization Code | Trying to use authorization code twice with 30 seconds in between must result in an error | OP-OAuth-2nd-30s | OAuth MUST; OAuth MUST

redirect_uri

Reject redirect_uri not matching a registered redirect_uri | Sent redirect_uri does not match a registered redirect_uri | OP-redirect_uri-NotReg | y; y; y
Reject request without redirect_uri when multiple registered | Reject request without redirect_uri when multiple registered | OP-redirect_uri-Missing | y
Preserves query parameter in redirect_uri | Request with a redirect_uri with a query component when a redirect_uri with the same query component is registered | OP-redirect_uri-Query-OK | y
Preserves query parameter in registered redirect_uris | Request with a redirect_uri with a query component when a redirect_uri with the same query component is registered | OP-redirect_uri-Query-OK | y
Reject redirect_uri when query parameter does not match | Rejects redirect_uri when query parameter does not match what is registered | OP-redirect_uri-Query-Mismatch | y
Reject redirect_uri when query parameter added | Request with redirect_uri with query component when registered redirect_uri has no query component | OP-redirect_uri-Query-Added | y
Reject registration of redirect_uris with fragment | Registration where a redirect_uri has a fragment | OP-redirect_uri-RegFrag | y

Client Authentication

Support client authentication to Token Endpoint using HTTP Basic with POST | Access token request with client_secret_basic authentication | OP-ClientAuth-Basic-Dynamic | y; y
(same as above) | Access token request with client_secret_basic authentication | OP-ClientAuth-Basic-Static | y; y
Support client authentication to Token Endpoint using form-encoded client credentials in POST body | Access token request with client_secret_post authentication | OP-ClientAuth-SecretPost-Dynamic | y; y
(same as above) | Access token request with client_secret_post authentication | OP-ClientAuth-SecretPost-Static | y; y

Discovery

Publishes openid-configuration discovery information | Publishes openid-configuration discovery information | OP-Discovery-Config | y; y
Config has issuer | ProviderConfigurationResponse.verify() | | y; y
Discovered issuer matches openid-configuration path prefix | ProviderConfigurationResponse.verify() | | y; y
Discovered issuer matches ID Token iss value | IdToken.verify() | | y; y
Config has authorization_endpoint | CheckEndpoint() | | y; y
Config has token_endpoint | CheckEndpoint() | | y unless only Implicit; y
Config has userinfo_endpoint | CheckEndpoint() | | y unless self-issued; y
Config has jwks_uri | Verify that jwks_uri is published | OP-Discovery-jwks_uri | y unless only none; y
Keys in OP JWKs well formed | Keys in OP JWKs well formed | OP-Discovery-JWKs | y unless only none; y
Config has scopes_supported | CheckScopeSupport() | | y; y
Config has response_types_supported | ProviderConfigurationResponse.verify() | | y; y
Config has subject_types_supported | ProviderConfigurationResponse.verify() | | y; y
Config has id_token_signing_alg_values_supported | ProviderConfigurationResponse.verify() | | y unless only none; y
Config has claims_supported | Verify that claims_supported is published | OP-Discovery-claims_supported | y; y
All OP endpoints use https | VerifyOPEndpointsUseHTTPS() | | y; y
Can Discover Identifiers using E-Mail Syntax | Can discover identifiers using e-mail syntax | OP-Discovery-WebFinger-Email | y
Support WebFinger discovery | Can discover identifiers using URL syntax | OP-Discovery-WebFinger | y

Dynamic Client Registration

Config has registration_endpoint | Verify that registration_endpoint is published | OP-Registration-Endpoint | y
Enables dynamic registration | Client registration request | OP-Registration-Dynamic | y
Support using Sector Identifier for pairwise sub values | | | no err
Displays logo_uri in login page | Registration with logo_uri | OP-Registration-logo_uri | SHOULD
Displays policy_uri in login page | Registration with policy_uri | OP-Registration-policy_uri | SHOULD
Displays tos_uri in login page | Registration with tos_uri | OP-Registration-tos_uri | SHOULD
Uses keys registered with jwks value | Uses keys registered with jwks value | OP-Registration-jwks | y
Uses keys registered with jwks_uri value | Uses keys registered with jwks_uri value | OP-Registration-jwks_uri | y
Reject Sector Identifier not containing registered redirect_uri values | Incorrect registration of sector_identifier_uri | OP-Registration-Sector-Bad | y

Key Rotation

Can rotate OP signing key | Can rotate OP signing keys | OP-Rotation-OP-Sig | y
Support RP signing key rotation | Request access token, change RSA signing key and request another access token | OP-Rotation-RP-Sig | y

request_uri Request Parameter

Support request_uri request parameter | Support request_uri request parameter | OP-request_uri-Support | y
Support request_uri request parameter with unsecured request | Support request_uri request parameter with unsigned request | OP-request_uri-Unsigned | no err; no err; no err
Support request_uri request parameter with unsecured request | Support request_uri request parameter with unsigned request | OP-request_uri-Unsigned-Dynamic | y
Support request_uri request parameter with signed request | Support request_uri request parameter with signed request | OP-request_uri-Sig | y

request Request Parameter

Support request request parameter with unsecured request | Support request request parameter with unsigned request | OP-request-Unsigned | no err; no err; no err

claims Request Parameter

Support claims request parameter | Claims request with essential name claim | OP-claims-essential | no err; no err; no err