OpenID Connect Provider Certification

The OpenID Foundation provides a set of conformance test profiles that test both Relying Party (RP) and OpenID Provider (OP) OpenID Connect implementations. Upon submission of results and an affirmative response, the affirmed OP will be listed as a certified OP on the OpenID Connect website and allowed to use the certification mark according to the certification terms and conditions, section 3(d).

Further details about the certification are available on the OpenID Connect website.

Basic OpenID Provider profile

Dex is an OP that strives to implement the mandatory set of OpenID Connect features, and can be tested against the Basic OpenID Provider profile (profile outline, section 2.1.1). These tests ensure that all features required by a basic client work as expected.

Unfortunately, Dex does not yet fully comply with the Basic profile.

The progress for getting Dex certified can be tracked here: https://github.com/orgs/dexidp/projects/3/views/1

Configuring Dex

The Basic OP test suite doesn’t require extensive configuration from Dex. The suite needs the following:

  • A public issuer URL
  • At least two separate clients (with redirect URIs pointing to https://www.certification.openid.net/test/a/YOUR_ALIAS/callback).

YOUR_ALIAS is an arbitrary string that MUST be unique to avoid interference with other test runs.

The easiest way to run a public Dex instance is to run one locally and expose it through a tunnel.

The following instructions use tunnelto.dev.

Here is a minimal configuration example for running Dex:

issuer: https://dex.tunnelto.dev/dex

storage:
  type: memory

web:
  http: 0.0.0.0:5556

oauth2:
  # Automate some clicking
  # Note: this might actually make some tests pass that otherwise wouldn't.
  skipApprovalScreen: true

connectors:
  # Note: this might actually make some tests pass that otherwise wouldn't.
  - type: mockCallback
    id: mock
    name: Example

# Basic OP test suite requires two clients.
staticClients:
  - id: first_client
    secret: 89d6205220381728e85c4cf5
    redirectURIs:
      - https://www.certification.openid.net/test/a/dex/callback
    name: First client

  - id: second_client
    secret: 51c612288018fd384b05d6ad
    redirectURIs:
      - https://www.certification.openid.net/test/a/dex/callback
    name: Second client

Save it to a file (e.g. config.yaml), then launch Dex:

dex serve config.yaml

Then launch the tunnel:

tunnelto --subdomain dex --port 5556

You can verify that Dex is running by checking the discovery endpoint:

curl https://dex.tunnelto.dev/dex/.well-known/openid-configuration
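As an added example (not part of Dex or the certification suite), the following Python script checks the discovery document returned above against the metadata the Basic OP test plan depends on. The issuer and endpoint paths in SAMPLE are constructed to mirror the configuration above; the real curl output can be piped into the script to check a live instance.

```python
"""Sanity-check an OpenID Connect discovery document for the metadata the Basic
OP profile relies on. Added example, not Dex code; SAMPLE is constructed."""
import json, sys

# Fields that OpenID Connect Discovery 1.0 marks REQUIRED for every OP.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
# Values the Basic profile test plan exercises: code flow, RS256 ID tokens,
# the openid scope, and the client_secret_post client from the test plan.
# token_endpoint_auth_methods_supported defaults to client_secret_basic only
# when absent, so client_secret_post has to be advertised explicitly.
MUST_CONTAIN = {"response_types_supported": "code",
                "id_token_signing_alg_values_supported": "RS256",
                "scopes_supported": "openid",
                "token_endpoint_auth_methods_supported": "client_secret_post"}
# userinfo_endpoint is only RECOMMENDED, but the oidcc-userinfo-* tests need it.
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")

def check_discovery(doc: dict, expected_issuer: str) -> list:
    """Return a list of problems; an empty list means the document is usable."""
    problems = [f"missing required field: {f}" for f in REQUIRED if f not in doc]
    # The suite compares issuer with the discovery URL prefix; a stray trailing
    # slash is enough to fail the very first test.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}")
    for field, value in MUST_CONTAIN.items():
        if value not in doc.get(field, []):
            problems.append(f"{field} does not list {value!r}")
    for field in ENDPOINTS:
        url = doc.get(field)
        if url is None:
            problems.append(f"missing endpoint: {field}")
        elif not url.startswith("https://"):  # the tunnel terminates TLS; Dex itself listens on plain http
            problems.append(f"{field} is not https: {url!r}")
    return problems

SAMPLE = {  # constructed document shaped like Dex's /.well-known/openid-configuration
    "issuer": "https://dex.tunnelto.dev/dex",
    "authorization_endpoint": "https://dex.tunnelto.dev/dex/auth",
    "token_endpoint": "https://dex.tunnelto.dev/dex/token",
    "jwks_uri": "https://dex.tunnelto.dev/dex/keys",
    "userinfo_endpoint": "https://dex.tunnelto.dev/dex/userinfo",
    "response_types_supported": ["code", "id_token", "id_token token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "email", "groups", "profile", "offline_access"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}

if __name__ == "__main__":  # usage: curl -s <issuer>/.well-known/openid-configuration | python3 check.py <issuer>
    print(check_discovery(json.load(sys.stdin), sys.argv[1]) or "discovery document looks good")
```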

Running tests

  1. Open https://www.certification.openid.net/ in your browser
  2. Login with your Google or GitLab account
  3. Click Create a new test plan
  4. Select OpenID Connect Core: Basic Certification Profile Authorization server test as the test plan
  5. Server metadata location should be discovery
  6. Client registration type should be static_client
  7. Choose an alias (that you used in the redirect URIs above)
  8. Enter the discovery URL
  9. Enter the first client details in the Client and Second client sections
  10. Enter the second client details in the Client for client_secret_post section
  11. Hit Create test plan
  12. Run through each test case, following all instructions given by individual cases.
    • In order to pass certain cases, screenshots of OP responses might be required.

Last results

Dex does not fully pass the Basic profile test suite yet. The following table contains the current state of test results.

Test Name | Status | Result
oidcc-server | FINISHED | PASSED
oidcc-response-type-missing | FINISHED | PASSED
oidcc-userinfo-get | FINISHED | PASSED
oidcc-userinfo-post-header | FINISHED | PASSED
oidcc-userinfo-post-body | FINISHED | WARNING
oidcc-ensure-request-without-nonce-succeeds-for-code-flow | FINISHED | PASSED
oidcc-scope-profile | FINISHED | WARNING
oidcc-scope-email | FINISHED | WARNING
oidcc-scope-address | FINISHED | SKIPPED
oidcc-scope-phone | FINISHED | SKIPPED
oidcc-scope-all | FINISHED | SKIPPED
oidcc-ensure-other-scope-order-succeeds | FINISHED | WARNING
oidcc-display-page | FINISHED | PASSED
oidcc-display-popup | FINISHED | PASSED
oidcc-prompt-login | INTERRUPTED | UNKNOWN
oidcc-prompt-none-not-logged-in | FINISHED | FAILED
oidcc-prompt-none-logged-in | FINISHED | PASSED
oidcc-max-age-1 | INTERRUPTED | FAILED
oidcc-max-age-10000 | FINISHED | FAILED
oidcc-ensure-request-with-unknown-parameter-succeeds | FINISHED | PASSED
oidcc-id-token-hint | FINISHED | PASSED
oidcc-login-hint | FINISHED | PASSED
oidcc-ui-locales | FINISHED | PASSED
oidcc-claims-locales | FINISHED | PASSED
oidcc-ensure-request-with-acr-values-succeeds | FINISHED | WARNING
oidcc-codereuse | FINISHED | PASSED
oidcc-codereuse-30seconds | FINISHED | WARNING
oidcc-ensure-registered-redirect-uri | INTERRUPTED | REVIEW
oidcc-server-client-secret-post | FINISHED | PASSED
oidcc-unsigned-request-object-supported-correctly-or-rejected-as-unsupported | INTERRUPTED | UNKNOWN
oidcc-claims-essential | FINISHED | WARNING
oidcc-ensure-request-object-with-redirect-uri | INTERRUPTED | UNKNOWN
oidcc-refresh-token | INTERRUPTED | FAILED
oidcc-ensure-request-with-valid-pkce-succeeds | FINISHED | PASSED

TODO: find a better place for test results.