This page describes how to run logout conformance tests for OpenID Relying Parties (RPs).
Logout functionality for OpenID Connect is defined in three specifications:
- OpenID Connect Session Management 1.0: Defines RP-Initiated Logout functionality and iFrame-based Logout functionality.
- OpenID Connect Front-Channel Logout 1.0: Defines a logout mechanism that uses front-channel communication via the User Agent between the OP and RPs being logged out.
- OpenID Connect Back-Channel Logout 1.0: Defines a logout mechanism that uses direct back-channel communication between the OP and RPs being logged out.
Note that the RP-Initiated Logout mechanism is independent of the three mechanisms for communicating logout messages from OPs to RPs and can be used in combination with any of them. RP Logout Certification is therefore factored into four conformance profiles:
- RP-Initiated Logout RP: Tests OP logout initiated by an RP
- Session Management RP: Tests RP logout using iFrame-based messages from OPs to RPs
- Front-Channel Logout RP: Tests RP logout using User Agent-based Front-Channel logout messages from OPs to RPs
- Back-Channel Logout RP: Tests RP logout using Back-Channel logout messages from OPs to RPs
A logout certification submission must support RP-Initiated Logout RP and one or more of the other three logout profiles.
Establishing Your Testing Configuration
First, establish your testing configuration as described in the RP testing instructions. Note that Discovery (the Config RP profile) and Dynamic Client Registration (the Dynamic RP profile) must be supported to run these tests.
In the list of tests, you will see sections of tests titled RP-Initiated Logout, Session Management, Front-Channel Logout, and Back-Channel Logout. The tests for each of the four logout conformance profiles are listed in the corresponding section.
Running a test will consist of the following sequence of interactions with the test suite:
- OpenID Provider Discovery
- Dynamic Client Registration
- Authorization Request
- Token Request (depending on which response type is being tested)
- RP-Initiated Logout Request
- Handle OP-Initiated Logout Request (the format of which will be one of Session Management, Front-Channel, or Back-Channel)
- Handle Post Logout URI Redirect
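The RP-Initiated Logout Request and Post Logout URI Redirect steps of this sequence, as an added example (not code from the test suite or the OpenID Foundation). The parameter names `end_session_endpoint`, `id_token_hint`, `post_logout_redirect_uri` and `state` come from the OpenID Connect logout specifications; the function names, URLs and token value are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def build_logout_request(metadata, id_token, post_logout_redirect_uri):
    """Return (logout_url, state) for an RP-Initiated Logout request."""
    endpoint = metadata.get("end_session_endpoint")
    if not endpoint:
        raise ValueError("OP metadata has no end_session_endpoint")
    parts = urlsplit(endpoint)
    if parts.scheme != "https":
        raise ValueError("end_session_endpoint must use https")
    # Fresh, unguessable state ties the later redirect to this request.
    state = secrets.token_urlsafe(32)
    # Keep any query parameters the OP already placed on its endpoint URL.
    query = parse_qsl(parts.query, keep_blank_values=True) + [
        ("id_token_hint", id_token),
        ("post_logout_redirect_uri", post_logout_redirect_uri),
        ("state", state),
    ]
    return urlunsplit(parts._replace(query=urlencode(query))), state


def check_post_logout_redirect(callback_url, registered_uri, expected_state):
    """True only if the callback hits the registered URI with our state."""
    got, want = urlsplit(callback_url), urlsplit(registered_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        return False
    states = [v for k, v in parse_qsl(got.query) if k == "state"]
    if len(states) != 1:  # missing or duplicated state is rejected
        return False
    # Compare as bytes in constant time; the session is cleared only on True.
    return hmac.compare_digest(states[0].encode(), expected_state.encode())


if __name__ == "__main__":
    # Constructed sample values, not real endpoints or tokens.
    meta = {"end_session_endpoint": "https://op.example.com/logout?tenant=t1"}
    rp_uri = "https://rp.example.com/loggedout"
    url, state = build_logout_request(meta, "hdr.payload.sig", rp_uri)
    print(url)
    print(check_post_logout_redirect(rp_uri + "?state=" + state, rp_uri, state))
```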
Submission of Results
Once you have finished testing, submit your results as described at Submission of Results for RPs. Note that separate submission files should be sent for each of the four logout conformance profiles supported by your implementation. As described above, a successful logout certification application will contain at least two and up to four submissions – one for each of the supported logout profiles.
The logout conformance profiles require you to submit test runs for all the response_type values supported by your implementation.