Submission of Certification Results for OpenID Connect RPs


This page describes how to submit completed RP conformance testing results to the OpenID Foundation to request OpenID Connect certifications. Before submission, first all tests must be successfully passed for the desired conformance profiles and testing results gathered, as described in the RP Testing Instructions. All tests MUST be in the ‘FINISHED’ status. Note that results with warnings are acceptable for certification purposes.

Please note that the full supplied log files will be published as part of a successful certification and these may contain client credentials, private keys, and other potentially sensitive data that are part of the test configuration, so it is recommended to deactivate clients and revoke keys prior to submitting your results.

For each conformance profile being certified to, the following information must be submitted in its own certification package:

  1. A signed copy of the Certification of Conformance (docx) (PDF) naming that profile. (‘OpenID Conformance Profile’ field in the file must contain a valid profile name, i.e one of the certification table column labels at https://openid.net/certification/, e.g ‘FAPI R/W OP w/ Private Key’) This should use the filename OpenID-Certification-of-Conformance.pdf in the submitted results. (A different extension such as .jpg for the scanned document may be used as appropriate.)
  2. A copy of the Certification Terms and Conditions document accompanying the Certification of Conformance. This must use the filename OpenID-Certification-Terms-and-Conditions.pdf in the submitted results. (This document is not signed but is included for completeness since it is referenced from the Certification of Conformance.)
  3. Test plan logs downloaded from the conformance suite.
  4. Evidence demonstrating the behavior of the relying party for each test.
    This can take the form of RP log files, screen captures (image files), or both. These files must be placed inside a folder named “client-data” (without the quotes).

    1. Files should be named consistently using the test name as the file name prefix. For example the log file for oidcc-client-test-invalid-iss should be named oidcc-client-test-invalid-iss.log or oidcc-client-test-invalid-iss-logs.txt or similar.
    2. If more than one file needs to be included for a test then they should be named oidcc-client-test-invalid-iss-1.log, oidcc-client-test-invalid-iss-2.log or similar.
    3. When a test plan contains the same test multiple times, e.g for an hybrid profile, then the filenames must also contain the response type. For example for an hybrid test plan, client log files for oidcc-client-test-invalid-iss should be named as follows:
      • oidcc-client-test-invalid-iss_code-id_token.log
      • oidcc-client-test-invalid-iss_code-token.log
      • oidcc-client-test-invalid-iss_code-id_token-token.log

A typical submission package will have the following folder structure:

  1. OpenID-Certification-of-Conformance.pdf
  2. OpenID-Certification-Terms-and-Conditions.pdf
  3. oidcc-client-test-plan-client_secret_basic-plain_http_request-code id_token token-default-dynamic_client-PLAN_ID.zip
  4. client-data
    • oidcc-client-test.log
    • oidcc-client-test-nonce-invalid.log
    • oidcc-client-test-client-secret-basic.log

The certification package should consist of a single .zip file containing all the files and using the paths above. The certification package can be created either manually or by using the ‘Certification Package’ button.

To prepare the certification package manually:

  • Download test plan logs by using ‘Download All Logs’ button on the test plan page.
  • When using this option you must make your results public by using the Publish Everything button prior to submission.
  • Add OpenID-Certification-of-Conformance.pdf, OpenID-Certification-Terms-and-Conditions.pdf and ‘Client Data’ to the package

To prepare the certification package using the ‘Certification Package’ button:

  • Select OpenID-Certification-of-Conformance.pdf, OpenID-Certification-Terms-and-Conditions.pdf and ‘Client Data’ files which will be uploaded and added to the package
  • Click ‘Prepare Certification Package’ button

Certification package filename should contain the name of the organization, the software being certified, the profile being certified to, and the current date. For example, a certification request by the ProseWare organization of its “Humongous Identity” software for the Basic RP profile on June 30, 2020 should use a filename like ProseWare-Humongous_Identity-RP-Basic-30-June-2020.zip.

Example values for the blanks in the Certification of Conformance (docx) (PDF) are as follows:

  • Name of Entity (“Implementer”) Making this Certification: ProseWare
  • Software or Service (“Deployment”) Name & Version #: Humongous Identity 3.14159
  • OpenID Connect Conformance Profile: Basic Relying Party
  • Conformance Test Suite Software & Version #: www.certification.openid.net 4.0.5
  • Test Date: June 20, 2020
  • Authorized Signature: HQB
  • Name: Harry Q. Bovik
  • Title: Senior Computer Scientist
  • Date: June 30, 2020
  • Implementer’s Name: Jane Doe
  • Implementer’s Title: Programmer Extraordinaire
  • Implementer’s Phone: +1 (412) 555-1234
  • Implementer’s Email: jane@proseware.org
  • Implementer’s Address: 5000 Forbes Ave.
  • Implementer’s City, State/Province, Postal Code: Pittsburgh, PA 15213
  • Implementer’s Country: United States of America

The conformance test suite software version number you used can be found on the results page for your test plan.

The certification package must be sent to us using the certification request form. An immediate automatic email will be sent acknowledging receipt, please check you receive this email as any questions we have will be sent in the same way. If you don’t receive any further response within 3 working days, feel free to inquire about status by e-mailing a message to certification@oidf.org, cc’ing director@oidf.org.

A fee is required for certifications unless the conformance profile is still in the pilot phase. See the OpenID Certification Fee Schedule page for more information. Please pay for your certification application at the Certification Payment page when you make your submission.