OpenID Connect Provider Certification

The OpenID Foundation provides a set of conformance test profilesthat test both Relying Party and OpenID Provider (OP) OpenID Connect implementations. Upon submission of resultsand an affirmative response, the affirmed OP will be listed as a certified OPon the OpenID Connect website and allowed to use the certification markaccording to the certification terms and conditions, section 3(d).

Basic OpenID Provider Tests

Dex is an OP that strives to implement the mandatory setof OpenID Connect features, and can be tested against the Basic OpenID Provider profile ( profile outline, section 2.1.1). These tests ensure that all features required by a basic clientwork as expected.

Features are currently under development to fully comply with the Basic profile, as dex currently does not. The following issues track our progress:

Issue numberRelates to
#376userinfo_endpoint
#1052auth_time

Setup

There are two ways to set up an OpenID test instance:

  1. Configure a test instance provided by The OpenID Foundation by following instructionson their website.
  2. Download their test runner from GitHuband follow the instructions in the README.
    • Requires docker and docker-compose

Configuration is essentially the same for either type of OpenID test instance. We will proceed with option 1 in this example, and set up an AWS EC2 instanceto deploy dex:

  • Create an AWS EC2 instanceand connect to your instance using SSH.
  • Install dex .
  • Ensure whatever port dex is listening on (usually 5556) is open to ingress traffic in your security group configuration.
  • In this example the public DNS name, automatically assigned to each internet-facing EC2 instance, is my-test-ec2-server.com. You can find your instances’ in the AWS EC2 management console.

Configuring an OpenID test instance

  1. Navigate to https://op.certification.openid.net:60000.
  2. Click ‘New’ configuration.
  3. Input your issuer url: http://my-test-ec2-server.com:5556/dex.
  4. Select code as the response type.
  5. Click ‘Create’ to further configure your OpenID instance.
  6. On the next page, copy and paste the redirect_uris into the redirectURIs config field (see below).

  7. At this point we can run dex, as we have all the information necessary to create a config file (oidc-config.yaml in this example):

    1. issuer: http://my-test-ec2-server.com:5556/dex
    2. storage:
    3.   type: sqlite3
    4.   config:
    5.     file: examples/dex.db
    6. web:
    7.   http: 0.0.0.0:5556
    8. oauth2:
    9.   skipApprovalScreen: true
    10. staticClients:
    11. - id: example-app
    12.   redirectURIs:
    13.   - 'https://op.certification.openid.net:${OPENID_SERVER_PORT}/authz_cb'
    14.   name: 'Example App'
    15.   secret: ZXhhbXBsZS1hcHAtc2VjcmV0
    16. connectors:
    17. - type: mockCallback
    18.   id: mock
    19.   name: Example
    • Substitute OPENID_SERVER_PORT for your OpenID test instance port number, assigned after configuring that instance.
    • Set the oauth2 field skipApprovalScreen: true to automate some clicking.

  8. Run dex:

    1. $ ./bin/dex serve oidc-config.yaml
    2. time="2017-08-25T06:34:57Z" level=info msg="config issuer: http://my-test-ec2-server.com:5556/dex"
    3. ...

  9. Input client_id and client_secret from your config file.

  10. Use data returned by the GET /.well-known/openid-configuration API call to fill in the rest of the configuration forms:

    1. [home@localhost ~]$ curl http://my-test-ec2-server.com:5556/dex/.well-known/openid-configuration
    2. {
    3.  "issuer": "http://my-test-ec2-server.com:5556/dex",
    4.  "authorization_endpoint": "http://my-test-ec2-server.com:5556/dex/auth",
    5.  "token_endpoint": "http://my-test-ec2-server.com:5556/dex/token",
    6.  "jwks_uri": "http://my-test-ec2-server.com:5556/dex/keys",
    7.  "response_types_supported": [
    8.    "code"
    9.  ],
    10.  "subject_types_supported": [
    11.    "public"
    12.  ],
    13.  "id_token_signing_alg_values_supported": [
    14.    "RS256"
    15.  ],
    16.  "scopes_supported": [
    17.    "openid",
    18.    "email",
    19.    "groups",
    20.    "profile",
    21.    "offline_access"
    22.  ],
    23.  "token_endpoint_auth_methods_supported": [
    24.    "client_secret_basic"
    25.  ],
    26.  "claims_supported": [
    27.    "aud",
    28.    "email",
    29.    "email_verified",
    30.    "exp",
    31.    "iat",
    32.    "iss",
    33.    "locale",
    34.    "name",
    35.    "sub"
    36.  ]
    37. }
    • Fill in all configuration information that the /.well-known/openid-configuration endpoint returns, althgouh this is not strictly necessary. We should give the test cases as much information about dex’s OP implementation as possible.
  11. Press the ‘Save and Start’ button to start your OpenID test instance.
  12. Follow the provided link.
  13. Run through each test case, following all instructions given by individual cases.
    • In order to pass certain cases, screenshots of OP responses might be required.

Results and Submission

Dex does not fully pass the Basic profile test suite yet. The following table contains the current state of test results.

Test case IDResult typeCauseRelates to
OP-Response-MissingIncompleteExpected
OP-Response-codeSucceeded
OP-Response-form_postSucceeded
OP-IDToken-C-SignatureSucceeded
OP-ClientAuth-Basic-StaticSucceeded
OP-ClientAuth-SecretPost-StaticWarningUnsupportedclient_secret_post
OP-Token-refreshIncompleteUnsupporteduserinfo_endpoint
OP-UserInfo-BodyIncompleteUnsupporteduserinfo_endpoint
OP-UserInfo-EndpointIncompleteUnsupporteduserinfo_endpoint
OP-UserInfo-HeaderIncompleteUnsupporteduserinfo_endpoint
OP-claims-essentialIncompleteUnsupporteduserinfo_endpoint
OP-display-pageSucceeded
OP-display-popupSucceeded
OP-nonce-NoReq-codeSucceeded
OP-nonce-codeSucceeded
OP-prompt-loginSucceeded
OP-prompt-none-LoggedInSucceeded
OP-prompt-none-NotLoggedInIncompleteError expected
OP-redirect_uri-NotRegIncompleteRequires screenshot
OP-scope-AllIncompleteUnsupportedaddress, phone
OP-scope-addressIncompleteUnsupportedaddress
OP-scope-emailIncompleteUnsupporteduserinfo_endpoint
OP-scope-phoneIncompleteUnsupportedphone
OP-scope-profileIncompleteUnsupporteduserinfo_endpoint
OP-Req-NotUnderstoodSucceeded
OP-Req-acr_valuesWarningNo acr valueid_token
OP-Req-claims_localesIncompleteUnsupporteduserinfo_endpoint
OP-Req-id_token_hintSucceeded
OP-Req-login_hintIncompleteMissing configuration fieldlogin_hint
OP-Req-max_age=1FailedMissing configuration fieldauth_time
OP-Req-max_age=10000FailedMissing configuration fieldauth_time
OP-Req-ui_localesSucceeded
OP-OAuth-2ndWarningUnexpected error responseinvalid_request
OP-OAuth-2nd-30sWarningUnexpected error responseinvalid_request
OP-OAuth-2nd-RevokesIncompleteUnsupporteduserinfo_endpoint

Once all test cases pass, submit your results by following instructions listed on the website.