OpenID Connect Provider Certification
The OpenID Foundation provides a set of conformance test profiles that test both Relying Party (RP) and OpenID Provider (OP) OpenID Connect implementations. Upon submission of results and an affirmative response, the affirmed OP will be listed as a certified OP on the OpenID Connect website and allowed to use the certification mark according to the certification terms and conditions, section 3(d).
Further details about the certification are available on the OpenID Connect website.
Basic OpenID Provider profile
Dex is an OP that strives to implement the mandatory set of OpenID Connect features, and can be tested against the Basic OpenID Provider profile (profile outline, section 2.1.1). These tests ensure that all features required by a basic client work as expected.
Unfortunately, Dex does not yet fully comply with the Basic profile.
The progress for getting Dex certified can be tracked here: https://github.com/orgs/dexidp/projects/3/views/1
Configuring Dex
The Basic OP test suite doesn’t require extensive configuration from Dex. The suite needs the following:
- A public issuer URL
- At least two separate clients (with redirect URIs pointing to https://www.certification.openid.net/test/a/YOUR_ALIAS/callback). YOUR_ALIAS is an arbitrary string that MUST be unique to avoid interference with other test runs.
The easiest way to run a public Dex instance is to run one locally and expose it through a tunnel.
The following instructions use tunnelto.dev.
Here is a minimal configuration example for running Dex:
```yaml
issuer: https://dex.tunnelto.dev/dex

storage:
  type: memory

web:
  http: 0.0.0.0:5556

oauth2:
  # Automate some clicking
  # Note: this might actually make some tests pass that otherwise wouldn't.
  skipApprovalScreen: true

connectors:
  # Note: this might actually make some tests pass that otherwise wouldn't.
  - type: mockCallback
    id: mock
    name: Example

# Basic OP test suite requires two clients.
staticClients:
  - id: first_client
    secret: 89d6205220381728e85c4cf5
    redirectURIs:
      - https://www.certification.openid.net/test/a/dex/callback
    name: First client
  - id: second_client
    secret: 51c612288018fd384b05d6ad
    redirectURIs:
      - https://www.certification.openid.net/test/a/dex/callback
    name: Second client
```
Save it in a file (e.g. config.yaml), then launch Dex:

```shell
dex serve config.yaml
```
Then launch the tunnel:

```shell
tunnelto --subdomain dex --port 5556
```
You can verify that Dex is running by checking the discovery endpoint:

```shell
curl https://dex.tunnelto.dev/dex/.well-known/openid-configuration
```
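Beyond confirming that the endpoint answers, it is worth checking the discovery document for the fields the Basic profile tests rely on before starting a run. The script below is an added example, not part of the Dex project or the conformance suite; SAMPLE_DOC is a constructed document (not real Dex output) whose only defect is a trailing slash on the issuer.

```python
import json
from urllib.request import urlopen

def discovery_url(issuer: str) -> str:
    """https://dex.tunnelto.dev/dex -> .../dex/.well-known/openid-configuration"""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(doc: dict, expected_issuer: str) -> list:
    """Return problems the Basic OP tests would trip over; empty list means OK."""
    problems = []
    # Discovery requires 'issuer' to equal the configured issuer exactly, so a stray slash matters.
    if doc.get("issuer") != expected_issuer:
        problems.append("issuer %r != %r" % (doc.get("issuer"), expected_issuer))
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append("%s missing or not https" % key)
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type code not advertised (Basic profile is code flow)")
    # An omitted list means client_secret_basic only (Discovery default); the suite's
    # 'Client for client_secret_post' section needs the second method as well.
    auth = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    for method in ("client_secret_basic", "client_secret_post"):
        if method not in auth:
            problems.append("token endpoint auth method %s not advertised" % method)
    for scope in ("openid", "profile", "email"):  # exercised by oidcc-scope-profile/email
        if scope not in doc.get("scopes_supported", []):
            problems.append("scope %s not advertised" % scope)
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE method S256 not advertised")
    return problems

def check_live(issuer: str) -> list:
    """Fetch the document over the tunnel (needs network) and check it."""
    with urlopen(discovery_url(issuer)) as resp:
        return check_discovery(json.load(resp), issuer)

# Constructed sample (not real Dex output): fine except for the issuer's trailing slash.
SAMPLE_DOC = {
    "issuer": "https://dex.tunnelto.dev/dex/",
    "authorization_endpoint": "https://dex.tunnelto.dev/dex/auth",
    "token_endpoint": "https://dex.tunnelto.dev/dex/token",
    "userinfo_endpoint": "https://dex.tunnelto.dev/dex/userinfo",
    "jwks_uri": "https://dex.tunnelto.dev/dex/keys",
    "response_types_supported": ["code"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "scopes_supported": ["openid", "profile", "email"],
    "code_challenge_methods_supported": ["S256"],
}
```

Run check_live("https://dex.tunnelto.dev/dex") against the tunnelled instance; an empty list means the document is consistent with the configuration above.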
Running tests
- Open https://www.certification.openid.net/ in your browser
- Log in with your Google or GitLab account
- Click Create a new test plan
- Select OpenID Connect Core: Basic Certification Profile Authorization server test as the test plan
- Server metadata location should be discovery
- Client registration type should be static_client
- Choose an alias (that you used in the redirect URIs above)
- Enter the discovery URL
- Enter the first client details in the Client and Second client sections
- Enter the second client details in the Client for client_secret_post section
- Hit Create test plan
- Run through each test case, following all instructions given by individual cases.
- In order to pass certain cases, screenshots of OP responses might be required.
Last results
Dex does not fully pass the Basic profile test suite yet. The following table contains the current state of test results.
Test Name | Status | Result |
---|---|---|
oidcc-server | FINISHED | PASSED |
oidcc-response-type-missing | FINISHED | PASSED |
oidcc-userinfo-get | FINISHED | PASSED |
oidcc-userinfo-post-header | FINISHED | PASSED |
oidcc-userinfo-post-body | FINISHED | WARNING |
oidcc-ensure-request-without-nonce-succeeds-for-code-flow | FINISHED | PASSED |
oidcc-scope-profile | FINISHED | WARNING |
oidcc-scope-email | FINISHED | WARNING |
oidcc-scope-address | FINISHED | SKIPPED |
oidcc-scope-phone | FINISHED | SKIPPED |
oidcc-scope-all | FINISHED | SKIPPED |
oidcc-ensure-other-scope-order-succeeds | FINISHED | WARNING |
oidcc-display-page | FINISHED | PASSED |
oidcc-display-popup | FINISHED | PASSED |
oidcc-prompt-login | INTERRUPTED | UNKNOWN |
oidcc-prompt-none-not-logged-in | FINISHED | FAILED |
oidcc-prompt-none-logged-in | FINISHED | PASSED |
oidcc-max-age-1 | INTERRUPTED | FAILED |
oidcc-max-age-10000 | FINISHED | FAILED |
oidcc-ensure-request-with-unknown-parameter-succeeds | FINISHED | PASSED |
oidcc-id-token-hint | FINISHED | PASSED |
oidcc-login-hint | FINISHED | PASSED |
oidcc-ui-locales | FINISHED | PASSED |
oidcc-claims-locales | FINISHED | PASSED |
oidcc-ensure-request-with-acr-values-succeeds | FINISHED | WARNING |
oidcc-codereuse | FINISHED | PASSED |
oidcc-codereuse-30seconds | FINISHED | WARNING |
oidcc-ensure-registered-redirect-uri | INTERRUPTED | REVIEW |
oidcc-server-client-secret-post | FINISHED | PASSED |
oidcc-unsigned-request-object-supported-correctly-or-rejected-as-unsupported | INTERRUPTED | UNKNOWN |
oidcc-claims-essential | FINISHED | WARNING |
oidcc-ensure-request-object-with-redirect-uri | INTERRUPTED | UNKNOWN |
oidcc-refresh-token | INTERRUPTED | FAILED |
oidcc-ensure-request-with-valid-pkce-succeeds | FINISHED | PASSED |
TODO: find a better place for test results.