Logout Conformance Testing for RPs


This page describes how to run logout conformance tests for OpenID Relying Parties (RPs).

Background

Logout functionality for OpenID Connect is defined in three specifications:

Note that the RP-Initiated Logout mechanism is independent of the three mechanisms for communicating logout messages from OPs to RPs and can be used in combination with any of them. RP Logout Certification is therefore factored into four conformance profiles:

  • RP-Initiated Logout RP: Tests OP logout initiated by an RP
  • Session Management RP: Tests RP logout using iFrame-based messages from OPs to RPs
  • Front-Channel Logout RP: Tests RP logout using User Agent-based Front-Channel logout messages from OPs to RPs
  • Back-Channel Logout RP: Tests RP logout using Back-Channel logout messages from OPs to RPs

A logout certification submission must support RP-Initiated Logout RP and one or more of the other three logout profiles.

Establishing Your Testing Configuration

First, establish your testing configuration as described in the RP testing instructions. Note that Discovery (the Config RP profile) and Dynamic Client Registration (the Dynamic RP profile) must be supported and a post_logout_redirect_uri is needed to run these tests.

In the list of tests, you will see sections of tests titled RP-Initiated Logout, Session Management, Front-Channel Logout, and Back-Channel Logout. The tests for each of the four logout conformance profiles are listed in the corresponding section.

Running Tests

Running a test will consist of the following sequence of interactions with the test suite, except as described in the following paragraph:

  1. OpenID Provider Discovery
  2. Dynamic Client Registration
  3. Authorization Request
  4. Token Request (if response type being tested uses the Token Endpoint)
  5. RP-Initiated Logout Request
  6. Handle OP-Initiated Logout Request (the format of which will be one of Session Management, Front-Channel, or Back-Channel)
  7. Handle Post Logout URI Redirect

When running the session status change notification test rp-init-logout-session, this is the sequence of steps:

  1. OpenID Provider Discovery
  2. Dynamic Client Registration
  3. Authorization Request
  4. Token Request (if response type being tested uses the Token Endpoint)
  5. Check Session Status – Expect unchanged
  6. RP-Initiated Logout Request
  7. Handle Post Logout URI Redirect
  8. Check Session Status – Expect changed
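Step 6 of the first sequence leaves the RP's own handling of the OP-initiated logout message to the implementation. The following is an added illustration of the Back-Channel variant in Python, not code from this page or from the conformance suite: the RP validates the Logout Token it receives (issuer, audience, timing, jti, sub/sid, the backchannel-logout event, no nonce) and ends the matching local sessions. The function names, the HS256 shared key and the sample sessions are assumptions constructed for the example.

```python
import base64, hashlib, hmac, json
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_logout_token(claims, key):
    # Constructed helper: mints an HS256 Logout Token so the example runs offline.
    segs = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode())
            for x in ({"alg": "HS256", "typ": "logout+jwt"}, claims)]
    sig = hmac.new(key, ".".join(segs).encode(), hashlib.sha256).digest()
    return ".".join(segs + [_b64url_encode(sig)])

def validate_logout_token(token, key, issuer, client_id, now):
    """Return the claims of a valid Logout Token, else raise ValueError (RP answers HTTP 400)."""
    head_b64, body_b64, sig_b64 = token.split(".")
    # Assumption: shared-secret HS256; a real OP normally uses RS256 and the RP verifies via its JWKS.
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    aud = claims.get("aud", [])
    checks = [  # claim rules from OpenID Connect Back-Channel Logout 1.0, sections 2.4 and 2.6
        (claims.get("iss") == issuer, "iss mismatch"),
        (client_id in (aud if isinstance(aud, list) else [aud]), "aud mismatch"),
        (isinstance(claims.get("iat"), (int, float)) and claims["iat"] <= now + 60, "iat missing or in the future"),
        (claims.get("exp", now) >= now, "token expired"),
        ("jti" in claims, "jti required (replay detection)"),
        ("sub" in claims or "sid" in claims, "sub or sid required"),
        (isinstance(claims.get("events"), dict) and LOGOUT_EVENT in claims["events"], "missing logout event"),
        ("nonce" not in claims, "nonce is prohibited in a Logout Token"),
    ]
    for ok, msg in checks:
        if not ok:
            raise ValueError(msg)
    return claims

def handle_backchannel_logout(sessions, token, key, issuer, client_id, now):
    """sessions maps local session id -> {"sub": ..., "sid": ...}; returns the ids terminated."""
    claims = validate_logout_token(token, key, issuer, client_id, now)
    selector = "sid" if "sid" in claims else "sub"  # sid ends one OP session, sub alone ends all of that user's
    ended = [s for s, info in sessions.items() if info.get(selector) == claims[selector]]
    for s in ended:
        del sessions[s]
    return ended
```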

Submission of Results

Once you have finished testing, submit your results as described at Submission of Results for RPs. Note that separate submission files should be sent for each of the four logout conformance profiles supported by your implementation. As described above, a successful logout certification application will contain at least two and up to four submissions – one for each of the supported logout profiles.

The logout conformance profiles require you to submit test runs for all the response_type values supported by your implementation.