Logout Conformance Testing for OPs


This page describes how to run logout conformance tests for OpenID Providers (OPs).

Background

Logout functionality for OpenID Connect is defined in three specifications:

Note that the RP-Initiated Logout mechanism is independent of the three mechanisms for communicating logout messages from OPs to RPs and can be used in combination with any of them. OP Logout Certification is therefore factored into four conformance profiles:

  • RP-Initiated Logout OP: Tests OP logout initiated by an RP
  • Session Management OP: Tests RP logout using iFrame-based messages from OPs to RPs
  • Front-Channel Logout OP: Tests RP logout using User Agent-based Front-Channel logout messages from OPs to RPs
  • Back-Channel Logout OP: Tests RP logout using Back-Channel logout messages from OPs to RPs

A logout certification submission must support RP-Initiated Logout OP and one or more of the other three logout profiles.

Establishing Your Testing Configuration

First, establish your testing configuration as described in the OP testing instructions. You must specify that “Extra” tests are to be shown for the logout tests to be made available.

NOTE: The logout tests are currently in the alpha test phase and are not yet deployed on the production OP testing server. Therefore, at present, you must create an OP testing configuration on the testing server at https://new-op.certification.openid.net:60000/.

On your testing page (assuming you selected that “Extra” tests be shown), there will be sections titled RP-Initiated Logout, Session Management, Front-Channel Logout, and Back-Channel Logout. The tests for each of the four logout conformance profiles are listed in the corresponding section.

Submission of Results

Once you have finished testing, submit your results as described at Submission of Results for OPs. Note that a separate submission file should be submitted for each of the four logout conformance profiles supported by your implementation. As described above, a successful logout certification application will contain at least two and up to four submissions – one for each of the supported logout profiles.

Additional Notes on the Logout Profiles

RP-Initiated Logout (OP-RpInitLogout-*)

All the tests use RP-Initiated Logout to start the test. This means that the OP must publish an end_session_endpoint.

The basic RP-Initiated Logout test consists of:

  1. The RP verifies that the OP publishes an end_session_endpoint.
  2. The RP sends an End Session request to the end_session_endpoint.
  3. If the OP accepts the request, it SHOULD display a webpage to the user asking for verification. (Verification must be given for the test to complete.)
  4. If a post_logout_redirect_uri is published by the RP, the OP must redirect the user back to the post_logout_redirect_uri. If no post_logout_redirect_uri is provided, then the OP must redirect the user to a post logout page on the OP.

This flow is the same whether the OP supports Back-Channel Logout, Front-Channel Logout, or Session Management using iFrames, and it is the flow followed by every test named OP-RpInitLogout-*. In some of these tests the test tool (acting as an RP) intentionally sends an incorrect End Session request, which means that the flow should never get past step (2).

Session Management (OP-Session-*)

When testing Session Management, one step is added before (3): a check that the RP receives a session "unchanged" response from the OP’s iFrame. After the user has been redirected to the post_logout_redirect_uri, a further check verifies that the RP now receives a session "changed" response from the OP’s iFrame.
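The two iFrame checks described above can be reproduced offline. The following is an added example (not code from the conformance suite or from the OpenID specification text): it computes session_state the way OpenID Connect Session Management 1.0 defines it (a hash over client_id, the RP origin, the OP's browser state and a salt, with the salt appended), and answers the RP iFrame's postMessage with "unchanged" or "changed" depending on whether the OP's browser-state cookie still matches. The client_id, origin and browser-state values are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample values for this example (not taken from the conformance suite).
CLIENT_ID = "client-123"
RP_ORIGIN = "https://rp.example"  # origin of the RP page that embeds both iFrames


def compute_session_state(client_id: str, origin: str, op_browser_state: str, salt: str) -> str:
    """OP side: session_state as specified in Session Management 1.0, section 4.2:
    hash(client_id + " " + origin + " " + op_browser_state + " " + salt) + "." + salt.
    The salt travels with the value so the OP iFrame can recompute the hash later."""
    data = f"{client_id} {origin} {op_browser_state} {salt}".encode()
    return hashlib.sha256(data).hexdigest() + "." + salt


def issue_session_state(client_id: str, origin: str, op_browser_state: str) -> str:
    """What the OP returns next to the code/tokens in the Authentication Response."""
    return compute_session_state(client_id, origin, op_browser_state, secrets.token_hex(8))


def rp_check_message(client_id: str, session_state: str) -> str:
    """RP iFrame side: the postMessage body sent to the OP iFrame is 'client_id session_state'."""
    return f"{client_id} {session_state}"


def op_iframe_check(message: str, origin: str, current_browser_state: Optional[str]) -> str:
    """OP iFrame side: answer 'unchanged', 'changed' or 'error'. origin is the postMessage
    event.origin; current_browser_state comes from the OP's browser-state cookie, which the
    OP rotates or deletes when the user logs out."""
    parts = message.split(" ")
    if len(parts) != 2 or "." not in parts[1]:
        return "error"
    client_id, session_state = parts
    if current_browser_state is None:  # cookie gone: the user is logged out at the OP
        return "changed"
    salt = session_state.rsplit(".", 1)[1]
    expected = compute_session_state(client_id, origin, current_browser_state, salt)
    return "unchanged" if hmac.compare_digest(expected, session_state) else "changed"


def simulate_session_test() -> Tuple[str, str]:
    """The two checks the OP-Session-* tests add: before logout the OP iFrame must answer
    'unchanged'; after the OP has ended its session it must answer 'changed'."""
    browser_state: Optional[str] = "op-browser-state-1"  # constructed cookie value
    session_state = issue_session_state(CLIENT_ID, RP_ORIGIN, browser_state)
    msg = rp_check_message(CLIENT_ID, session_state)
    before = op_iframe_check(msg, RP_ORIGIN, browser_state)
    browser_state = None  # logout at the OP clears (or rotates) the browser-state cookie
    after = op_iframe_check(msg, RP_ORIGIN, browser_state)
    return before, after


if __name__ == "__main__":
    print(simulate_session_test())
```

Note that the origin used in the hash is the RP page's origin as seen in the postMessage event, not a value the RP sends in the message; an OP that took the origin from the message itself would let any page obtain an "unchanged" answer for a session it does not own.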

Front-Channel Logout (OP-FrontChannel-*)

If the OP supports Front-Channel Logout then, in the same manner as above, the following step is added after (3) and before (4): the OP displays a webpage containing an iFrame whose src is based on the RP's frontchannel_logout_uri. If the sid and iss are OK, the RP replies with OK.
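The RP side of that added step, as an added example (not code from the conformance suite): the handler behind the RP's frontchannel_logout_uri parses the iss and sid query parameters the OP appended, ends the session only when both match a session the RP established with that issuer, and answers with the no-cache headers Front-Channel Logout 1.0 recommends. The issuer, session store and URLs are constructed for the example, and the RP is assumed to have registered frontchannel_logout_session_required=true, so a request without iss and sid is rejected.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed RP-side state for this example.
TRUSTED_ISSUER = "https://op.example"
# Response headers recommended by Front-Channel Logout 1.0 so a cached response
# cannot satisfy a later logout request.
NO_CACHE = {"Cache-Control": "no-cache, no-store", "Pragma": "no-cache"}


def handle_frontchannel_logout(request_url: str, sessions: dict) -> dict:
    """RP side of the step added between (3) and (4): the OP loads this URL in an iFrame
    and the RP ends the matching session only when iss and sid are OK.
    sessions maps sid -> {"iss": issuer, "sub": subject} (constructed store).
    Returns the HTTP status, the headers to send, and whether a session was ended."""
    query = parse_qs(urlsplit(request_url).query)
    iss = query.get("iss", [None])[0]
    sid = query.get("sid", [None])[0]
    if iss is None or sid is None:  # this RP registered frontchannel_logout_session_required
        return {"status": 400, "headers": NO_CACHE, "terminated": False}
    if iss != TRUSTED_ISSUER:  # only the OP the RP actually uses may end its sessions
        return {"status": 400, "headers": NO_CACHE, "terminated": False}
    session = sessions.get(sid)
    if session is None or session["iss"] != iss:
        # Unknown sid, or a sid that belongs to a different OP: nothing to end.
        return {"status": 200, "headers": NO_CACHE, "terminated": False}
    del sessions[sid]
    return {"status": 200, "headers": NO_CACHE, "terminated": True}
```

The sid/iss pair is what ties the request to one session; an RP that logged the user out on any hit to this URL, without the match, could be logged out by any page able to load the URL in a frame.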

Back-Channel Logout (OP-BackChannel-*)

If the OP supports Back-Channel Logout then the following step is added after (3) and before (4): the OP sends a POST to the RP's backchannel_logout_uri carrying a logout_token. If the logout_token is OK, the RP replies with OK.
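Two of the checks described on this page share the same building block, a signed JWT: the OP has to decide what to do with an End Session request (steps (2)-(4) of the RP-Initiated Logout flow, including the intentionally incorrect requests that must not get past (2)), and the RP has to decide whether a logout_token is OK. The following added example (not code from the conformance suite, and not any particular OP or RP implementation) covers both. It uses HS256 with a constructed shared secret only so that it runs offline; a real OP signs ID Tokens and logout tokens with asymmetric keys published at its jwks_uri. The issuer, client registry, URLs and token contents are constructed.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode

# Constructed values for this example. HS256 with a shared secret is used only so the
# example runs offline; a real OP signs ID Tokens and logout tokens with asymmetric
# keys published at its jwks_uri, and the RP verifies against those.
ISSUER = "https://op.example"
CLIENT_ID = "client-123"
KEY = b"constructed-shared-secret"
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
CLIENTS = {CLIENT_ID: ["https://rp.example/logged-out"]}  # registered post_logout_redirect_uris
OP_POST_LOGOUT_PAGE = ISSUER + "/logged-out"
SEEN_JTI = set()  # RP-side replay cache for logout tokens (in memory for the example)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    head, body = _b64url(b'{"alg":"HS256","typ":"JWT"}'), _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt(token: str) -> dict:
    """Return the claims if the signature verifies, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    head, body, sig = parts
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(body))

def handle_end_session(params: dict) -> dict:
    """OP side of steps (2)-(4). Returns {"error": ...} for a request that must not get
    past (2), otherwise {"redirect_to": ...}: the client's registered
    post_logout_redirect_uri (state echoed back) or the OP's own post-logout page."""
    client_id, hint = params.get("client_id"), params.get("id_token_hint")
    if hint is not None:
        try:
            claims = verify_jwt(hint)
        except ValueError as err:
            return {"error": f"invalid id_token_hint: {err}"}
        aud = claims.get("aud")
        aud = aud if isinstance(aud, list) else [aud]
        if claims.get("iss") != ISSUER or (client_id is not None and client_id not in aud):
            return {"error": "id_token_hint was not issued by this OP for this client"}
        client_id = client_id or (aud[0] if len(aud) == 1 else None)
    uri = params.get("post_logout_redirect_uri")
    if uri is None:
        return {"redirect_to": OP_POST_LOGOUT_PAGE}
    # Exact match against the URIs registered by an identified client; anything looser
    # turns the end_session_endpoint into an open redirector.
    if client_id not in CLIENTS or uri not in CLIENTS[client_id]:
        return {"error": "post_logout_redirect_uri not registered for this client"}
    if "state" in params:
        uri += "?" + urlencode({"state": params["state"]})  # registered URIs carry no query
    return {"redirect_to": uri}

def validate_logout_token(token: str, now: float) -> dict:
    """RP side: the checks Back-Channel Logout 1.0 (section 2.6) requires on a
    logout_token POSTed to backchannel_logout_uri. Returns the claims or raises."""
    claims = verify_jwt(token)
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("iss or aud mismatch")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > 300:
        raise ValueError("iat missing or outside the acceptable window")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_EVENT), dict):
        raise ValueError("events claim lacks the backchannel-logout member")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token needs sub or sid")
    if "nonce" in claims:
        raise ValueError("nonce is prohibited in logout tokens")
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti in SEEN_JTI:
        raise ValueError("jti missing or already seen (replay)")
    SEEN_JTI.add(jti)
    return claims

def handle_backchannel_logout(form: dict, sessions: dict, now: float) -> int:
    """HTTP status the RP answers: 200 once the session is gone, 400 for a bad token."""
    try:
        claims = validate_logout_token(form.get("logout_token", ""), now)
    except ValueError:
        return 400
    if "sid" in claims:
        sessions.pop(claims["sid"], None)
    else:  # sub only: end every session of that subject
        for sid in [s for s, v in sessions.items() if v.get("sub") == claims["sub"]]:
            del sessions[sid]
    return 200
```

The two handlers fail closed in the same way: a request whose id_token_hint does not verify, or whose post_logout_redirect_uri is not registered for an identified client, is answered with an error rather than a redirect, and a logout_token that misses any of the required claims, carries a nonce, or reuses a jti is answered with 400 without touching any session. The jti cache is what turns a captured logout_token into a one-shot message; in production it needs to be shared across RP instances and expire entries on the same window used for iat.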