How to Run Conformance Tests for OpenID for Verifiable Presentations

OpenID Foundation is currently developing tests for checking that wallets (and, later, verifiers and issuers) correctly & securely implement the OpenID for Verifiable Presentation specifications (and, later,  OpenID for Verifiable Credential Issuance).

We are currently targeting the latest Implementer’s Draft: https://openid.net/specs/openid-4-verifiable-presentations-1_0-ID2.html

The tests currently as for testing Wallets and require support for:

  • Testing Wallets
  • response_type=vp_token
  • client_id_scheme values:
    • redirect_uri, or
    • pre_registered, or
    • x509_san_dns
  • response_mode values:
    • direct_post, or
    • direct_post.jwt (encrypted only)
    • w3_dc_api as per draft 21 (we have not be able to test these tests yet – please get in touch via below email if you have a wallet that supports this)
  • Cross device (QR code based) or same device flow
  • authorization request methods:
    • unsigned request_uri, or
    • signed request_uri
  • credential formats:
    • SD-JWT VC with HAIP (partial)
    • ISO 18013-7 mDL – draft 3, 17th January 2024 (partial) – select ‘direct_post.jwt’, ‘request_uri_signed’ and ‘x509_san_dns’ options. The client jwks field must have a use: signing jwk with an x5c containing a certificate that includes SAN DNS:demo.certification.openid.net (the cert can be self signed) and a use: enc key.
  • presentation_definition

It is recommended to run VC tests on the ‘demo’ server (rather than the production one) as this contains the latest changes:

(Login with any google/gitlab/openid account)

After logging in, select “Create a new test plan” and then select the test plan “OpenID for Verifiable Presentations ID2: Alpha tests (not currently part of certification program)”.

An example configuration JSON for ISO mDL can be found here:
This can be pasted into the ‘JSON’ tab to pre-fill the form with example values. Each form field has a help field if you hover over the ‘?’ – for the client jwks refer to the above note when testing with mdl though. If the wallet will accept a self signed certificate for the x509_san_dns client authentication, the client jwks in the example configuration may be used as is.

When filling in the configuration form the fields all have help values available by hovering your mouse pointer over the ‘i’ button.
You must select an “alias” to use. This will form part of any urls hosted by the conformance suite and should be unique to yourself, for example your company name. (If you use the same alias as another user, yours tests may interfere with each other.) 
Once you have created your test plan, you should run each test in the test plan. Please be sure to pay attention to the details/instructions in the blue box at the top of each test.

Please contact the certification team if you’d like some help, need different specification features to be supported or if anything goes wrong (or to let us know it went well – we are actively encouraging feedback on these tests!):