Conformance Feature Information (Feature Name, Conformance Test Name, Test ID) and RP Conformance Profiles (Basis, Implicit, Hybrid, Config, Dynamic):

| Feature Name | Conformance Test Name | Test ID | Basis | Implicit | Hybrid | Config | Dynamic |
|---|---|---|---|---|---|---|---|
| **Response Type & Response Mode** | | | | | | | |
| Can make request with code response_type | Can make request using response_type 'code' | rp-response_type-code | y | | | | |
| Can make request with id_token response_type | Can make request using response_type 'id_token' | rp-response_type-id_token | y | | | | |
| Can make request with id_token token response_type | Can make request using response_type 'id_token token' | rp-response_type-id_token+token | y | | | | |
| Can make request with code id_token response_type | Can make request using response_type 'code id_token' | rp-response_type-code+id_token | y | | | | |
| Can make request with code token response_type | Can make request using response_type 'code token' | rp-response_type-code+token | y | | | | |
| Can make request with code id_token token response_type | Can make request using response_type 'code id_token token' | rp-response_type-code+id_token+token | y | | | | |
| **ID Token** | | | | | | | |
| Reject ID Token with invalid iss claim | Rejects ID Token with incorrect 'iss' claim | rp-id_token-issuer-mismatch | y | y | y | | |
| Reject ID Token without sub claim | Rejects ID Token without 'sub' claim | rp-id_token-sub | y | y | y | | |
| Reject ID Token with invalid aud claim | Rejects ID Token with invalid 'aud' claim | rp-id_token-aud | y | y | y | | |
| Reject ID Token without iat claim | Rejects ID Token without 'iat' claim | rp-id_token-iat | y | y | y | | |
| Accept ID Token without kid claim if only one JWK supplied in jwks_uri | Accepts ID Token without 'kid' claim in JOSE header if only one JWK supplied in 'jwks_uri' | rp-id_token-kid-absent-single-jwks | optional | y | y | | |
| Reject ID Token without kid claim if multiple JWKs supplied in jwks_uri | Rejects ID Token without 'kid' claim in JOSE header if multiple JWKs supplied in 'jwks_uri' | rp-id_token-kid-absent-multiple-jwks | optional | rejection allowed | rejection allowed | | |
| Reject invalid at_hash when ID Token and Access Token returned from Authorization Endpoint | Rejects ID Token with incorrect 'at_hash' claim when response_type='id_token token' | rp-id_token-bad-at_hash | y | y | | | |
| Reject invalid c_hash when ID Token and Authorization Code returned from Authorization Endpoint | Rejects ID Token with incorrect 'c_hash' claim when hybrid flow is used | rp-id_token-bad-c_hash | y | | | | |
| Accepts ID Token with valid asymmetric 'RS256' signature | Accepts ID Token with valid asymmetric 'RS256' signature | rp-id_token-sig-rs256 | y | y | y | | |
| Can request and use unsecured ID Token signature | Can request and use unsigned ID Token | rp-id_token-sig-none | optional | use optional | use optional | | |
| Rejects invalid asymmetric ID Token signature with RS256 | Rejects ID Token with invalid asymmetric 'RS256' signature | rp-id_token-bad-sig-rs256 | optional | y | y | | |
| **UserInfo Endpoint** | | | | | | | |
| Accesses UserInfo Endpoint with header method | Can send Access Token in the HTTP Authorization request header | rp-userinfo-bearer-header | y | y | y | | |
| Accesses UserInfo Endpoint with form-encoded body method | Can send Access Token as form-encoded body parameter | rp-userinfo-bearer-body | alternative to header method | alternative to header method | alternative to header method | | |
| Does not access UserInfo Endpoint with query parameter method | Does not send Access Token as URI query parameter | (implicitly tested) | y | y | y | | |
| Reject UserInfo with invalid sub claim | Rejects UserInfo Response with invalid 'sub' claim | rp-userinfo-bad-sub-claim | y | y | y | | |
| Can request and use signed UserInfo response | Can request and use signed UserInfo Response | rp-userinfo-sig | use optional | use optional | | | |
| **nonce Request Parameter** | | | | | | | |
| Sends nonce request parameter unless using code flow | Sends 'nonce' unless using code flow | rp-nonce-unless-code-flow | y | y | | | |
| Reject ID Token with invalid nonce when valid nonce sent | Rejects ID Token with invalid 'nonce' when valid 'nonce' sent | rp-nonce-invalid | y | y | y | | |
| **scope Request Parameter** | | | | | | | |
| Scope openid present in all requests | 'openid' scope value should be present in the Authentication Request | (implicitly tested) | y | y | y | | |
| Can request UserInfo claims with scope values | Can request and use claims using scope values | rp-scope-userinfo-claims | use optional | use optional | use optional | | |
| **Client Authentication** | | | | | | | |
| Can make Access Token request using client_secret_basic client authentication | Can make Access Token Request with 'client_secret_basic' authentication | rp-token_endpoint-client_secret_basic | y | y | y | | |
| **Discovery** | | | | | | | |
| Can discover identifiers using e-mail syntax | Can discover OpenID providers using acct URI syntax | rp-discovery-webfinger-acct | y | | | | |
| Can discover identifiers using URL syntax | Can discover OpenID providers using URL syntax | rp-discovery-webfinger-url | y | | | | |
| Uses openid-configuration discovery information | Uses Provider Configuration Information | rp-discovery-openid-configuration | y | y | | | |
| Reject discovered issuer not matching openid-configuration path prefix | Rejects discovered issuer not matching provider configuration issuer | rp-discovery-issuer-not-matching-config | y | y | | | |
| Reject ID Token with iss not matching discovered issuer | Rejects discovered issuer not matching provider configuration issuer | rp-discovery-issuer-not-matching-config | y | y | | | |
| Uses keys discovered with jwks_uri value | Uses keys discovered with jwks_uri value | rp-discovery-jwks_uri-keys | y | y | | | |
| **Dynamic Client Registration** | | | | | | | |
| Uses dynamic registration | Uses dynamic registration | rp-registration-dynamic | y | | | | |
| Registration has redirect_uris | Registration request has redirect_uris | (implicitly tested) | y | | | | |
| Keys in RP JWKs well formed | Keys are published as a well-formed JWK Set | (implicitly tested) | y | | | | |
| Uses https for all endpoints unless only using code flow | Uses HTTPS for all endpoints | (implicitly tested) | y | y | y | | |
| **Key Rotation** | | | | | | | |
| Support OP signing key rotation | Supports rotation of provider's asymmetric signing keys | rp-key-rotation-op-sign-key | y | y | | | |
| **request_uri Request Parameter** | | | | | | | |
| Can use request_uri request parameter with unsecured request | Can use request_uri request parameter with unsigned request | rp-request_uri-unsigned | use optional | | | | |
| Can use request_uri request parameter with signed request | Can use request_uri request parameter with signed request | rp-request_uri-sig | use optional | | | | |