Conformance Testing for OPs


This page describes how to run conformance tests and gather testing results.

Establishing Your Testing Configuration

The first step in using the OpenID Provider tests is to decide which conformance profiles you plan to test. Then you establish a testing configuration on the host op.certification.openid.net. You can do this in a self-service manner at https://op.certification.openid.net:60000/. If you have problems establishing your configuration, contact Roland Hedberg at roland.hedberg@umu.se.

Most OPs will test the Basic profile and many will also test the Implicit and Hybrid profiles. You can switch between the response_type values that these profiles use dynamically while testing.

Most OPs will also test the Config profile, which tests your discovery information published at your .well-known/openid-configuration endpoint. You can’t switch whether to test this while testing, so you need to decide whether to do this up front.

Some OPs will also test the Dynamic profile, which tests your support for Dynamic Client Registration and related features. You can’t switch whether to test this while testing, so you need to decide whether to do this up front.

Most OPs will support signing, but not unsigned ID Tokens, or encryption. OPs supporting only response_type=code (the Basic profile) can choose not to support signing and only “sign” ID Tokens with “none”. Crypto decisions can be changed dynamically while testing.

You need to provide these test configuration parameters as well: login_hint – the username you’ll use to log into your OP, ui_locales – suggested value “fr en”, claims_locales – suggested value “fr en”, acr_values – suggested value “2 1”, WebFinger URL – the path for an ID on your OP – if applicable, WebFinger email – suggested value same as login_hint.

Completing your configuration will give you a testing site using a port allocated for your use on op.certification.openid.net. Your testing site will be at a URL like https://op.certification.openid.net:61234/, but with a different port number.

Running Tests and Viewing Results

Go to your testing site, which will be at a URL like https://op.certification.openid.net:61234/, but with a different port number.

Run tests by clicking on the black circle next to the test name. Successful tests will turn the circle green. Warnings will turn it yellow and failures will turn it red. You can view the log for a test that has been run by clicking on the (i) button next to a completed test.

You can view logs from all the tests you have run by adding the path /log to your testing site URL. This path would be https://op.certification.openid.net:61234/log, but with a different port.

Some profiles require you to run tests with multiple response_type values. The Implicit profile requires you to test both id_token and id_token+token. The Hybrid profile requires you to test three combinations. (Basic only requires you to test response_type=code.)

You can change which response_type you are testing by clicking the link to change it near the beginning of your testing page.

Certification of a profile requires that you have Success or Warning results for all tests in the profile. You cannot certify with any Failed results for the profile. Note that some tests where errors are supposed to occur will not create a log file showing a complete result – such as the OP-redirect_uri-NotReg (Sent redirect_uri does not match a registered redirect_uri) test, in which success consists of an error being shown in the browser. In these cases, a screen capture of the error is used as evidence of passing the test.

Once you have finished testing, proceed to Submission of Results for OPs.