OpenID Connect OP Requirements - Basic, v1.0

The requirements for achieving basic OpenID Connect interoperability when implementing an OpenID Provider.

Assessment Steps (7)

1. OIDC Core (OIDCCore)
Does the system correctly function as an OpenID Provider?
Artifact: Evidence
Provide a detailed explanation of the tests done to verify the system. Provide a link to appropriate certifications as well as any deployment-specific tests performed.
2. Certified Implementations (CertifiedImplementations)
Does the system use a certified OpenID Provider implementation?
Artifact: Certification
If the system uses certified software, provide enough information to verify the certification. If the system software is not formally certified, but testing was performed, provide the URL to the test results.
3. Authn Flow Support (AuthnFlowSupport)
Does the system support all required authentication flows?
Artifact: Flows
If the system is certified or has gone through testing, providing the same information as for certification should be sufficient. Otherwise provide header traces demonstrating each supported authentication flow.
4. Valid Digital Signatures (ValidDigitalSignatures)
Does the system correctly sign all tokens / JWTs that it generates?
Artifact: Sample JWT
Provide a signed sample JWT.
5. Requires Alg Parameter (RequiresAlgParameter)
Does the system correctly reject requests that specify no signature algorithm?
Artifact: Error Evidence
Provide a description and/or screenshots of how the OP handles invalid requests.
Artifact: Header Trace
Show a header trace for an Authentication Request with an alg specified as none.
6. Supports Prompt Parameter (SupportsPromptParameter)
Does the system correctly trigger reauthentication when the request includes the parameter/value combination prompt=login?
Artifact: Evidence
Provide a description, header traces, and/or screenshots to demonstrate that the OP supports reauthentication.
7. UserInfo Endpoint Support (UserInfoEndpointSupport)
Does the system have an accessible UserInfo endpoint that clients and relying parties can use to get detailed information (claims/attributes) about users?
Artifact: Header Trace
Show a header trace for a UserInfo query.

Conformance Criteria (7)

OIDC Core
The system MUST use and support the OpenID Connect (OIDC) standard in the role of an OpenID Provider (OP) as defined in the OpenID Connect Core 1.0 specification.
Citation: NIEF
Certified Implementations
The system's OP implementation MUST pass the OpenID Foundation's OP certification process for the following conformance profiles:
  1. Basic OpenID Provider
  2. Implicit OpenID Provider
  3. Hybrid OpenID Provider
  4. OpenID Provider Publishing Configuration Information
The implementer of the system can satisfy these conformance profile requirements either by using an RP software implementation that has been previously certified by the OpenID Foundation or by actually testing the system against the OpenID Foundation's OP certification test suite. Note that while use of the OP certification test suite is free of charge, becoming listed in the OpenID Foundation's registry of certified OP implementations does incur a financial cost to the implementer. The implementer of the system MAY seek listing in the registry, but this is strictly optional.
Citation: NIEF
Authentication Flow Support
The system MUST support the following OIDC authentication code flows: basic and hybrid.
Citation: NIEF
Valid Digital Signatures
The system MUST digitally sign every OIDC token that it generates. The public key used by OIDC RPs to verify these digital signatures MUST be published in the OP's configuration metadata.
Citation: NIEF
Requires Alg Parameter
The system MUST NOT accept an alg parameter set to the value none.
Citation: NIEF
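The following is an added example, not part of the NIEF requirement text and not code from any certified OP implementation. It shows, in Python, the check an assessor can run on the sample JWT artifact from step 4 together with the alg rule from criterion 5: the OP publishes its RSA public key as a JWKS (the document referenced by jwks_uri in the configuration metadata), and the verifier refuses any token whose header lacks a real signing algorithm, whose kid is not in the published JWKS, or whose RS256 signature does not verify. The same header rule applies wherever the OP itself parses a JWT it receives. Key generation and RSASSA-PKCS1-v1_5 use only the standard library so the example runs offline; the issuer, subject, audience, expiry and kid values are constructed for the demo.

```python
import base64, hashlib, hmac, json, random, secrets

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix, RFC 8017 9.2

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n, rounds=24):  # Miller-Rabin on an odd candidate; enough for a throwaway demo key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if _is_probable_prime(c):
            return c

def generate_toy_rsa_key(bits=1024):
    """Toy key generation so the example runs offline; a real OP uses a vetted library or an HSM."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so gcd(e, phi) == 1 iff e does not divide phi
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def _pkcs1_v15_encode(msg, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg, key):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_pkcs1_v15_encode(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _pkcs1_v15_encode(msg, k))  # compare the whole EM, no padding parser

def publish_jwks(key, kid):
    """The document an OP serves at the jwks_uri advertised in its configuration metadata."""
    i2b = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": i2b(key["n"]), "e": i2b(key["e"])}]}

def issue_id_token(claims, key, kid):
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), key))

def verify_id_token(token, jwks):
    """Refuse alg=none (criterion 5), require a key from the published JWKS, verify RS256 (criterion 4)."""
    hdr64, body64, sig64 = token.split(".")  # raises ValueError unless exactly three segments
    header = json.loads(b64url_decode(hdr64))
    alg = str(header.get("alg", "none"))
    if alg.lower() == "none" or alg != "RS256":
        raise ValueError(f"alg {alg!r} rejected: unsigned (none) and unexpected algorithms are refused")
    jwk = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("kid not found in published JWKS")
    n, e = (int.from_bytes(b64url_decode(jwk[f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{hdr64}.{body64}".encode(), b64url_decode(sig64), n, e):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(body64))

def _rejects(token, jwks):
    try:
        verify_id_token(token, jwks)
    except ValueError:
        return True
    return False

def demo():
    """Constructed OP key, JWKS and claims (not data from any real OP); returns the three check results."""
    key, kid = generate_toy_rsa_key(), "demo-key-1"
    jwks = publish_jwks(key, kid)
    claims = {"iss": "https://op.example", "sub": "alice", "aud": "rp-client-1", "exp": 4102444800}
    hdr, body, sig = issue_id_token(claims, key, kid).split(".")
    unsigned = b64url_encode(json.dumps({"alg": "none", "kid": kid}).encode()) + "." + body + "."
    forged = hdr + "." + b64url_encode(json.dumps(dict(claims, sub="mallory")).encode()) + "." + sig
    return {"valid_token_accepted": verify_id_token(f"{hdr}.{body}.{sig}", jwks) == claims,
            "alg_none_rejected": _rejects(unsigned, jwks), "tampered_rejected": _rejects(forged, jwks)}
```

Calling demo() exercises the three cases an assessor cares about: the OP's own token verifies against the key it published, a copy of the same claims presented with alg=none is refused before any key lookup, and a token whose claims were altered after signing fails the signature check. The verifier pins the algorithm to the one advertised in the JWK rather than trusting the token header, which is the reason the alg=none rule is cheap to enforce.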
Supports Prompt Parameter
The system MUST support the prompt parameter and trigger reauthentication when this parameter carries the value login (prompt=login).
Citation: NIEF
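The decision logic behind this criterion, as an added example in Python rather than text from the NIEF requirement or code from any OP product. It goes beyond the single prompt=login case the criterion names and covers all four prompt values defined in OpenID Connect Core 1.0, section 3.1.2.1, including the rule that none may not be combined with other values and the login_required error for a none request with no live session. The function name, its return shape and the choice of invalid_request for the combination error are this example's own.

```python
from typing import Optional

# Values defined for "prompt" in OpenID Connect Core 1.0, section 3.1.2.1.
KNOWN_PROMPTS = {"none", "login", "consent", "select_account"}

def plan_interaction(prompt: Optional[str], session_authenticated: bool) -> dict:
    """Decide what the OP must do before it may issue tokens for this request.

    Returns {"actions": [...]} (an empty list means proceed silently) or
    {"error": "<error code>"} for a request the OP must refuse.
    """
    values = set(prompt.split()) if prompt else set()
    values &= KNOWN_PROMPTS  # assumption: unrecognized values are ignored rather than rejected
    if "none" in values:
        # The spec forbids combining none with any other value; it only says "an error is
        # returned", so the invalid_request code here is this example's choice.
        if len(values) > 1:
            return {"error": "invalid_request"}
        # No UI may be shown, so without a live session the OP answers login_required.
        return {"actions": []} if session_authenticated else {"error": "login_required"}
    actions = []
    if "login" in values:
        # Criterion 6: prompt=login forces reauthentication even when a valid session exists.
        actions.append("reauthenticate" if session_authenticated else "authenticate")
    elif not session_authenticated:
        actions.append("authenticate")
    actions += [ui for ui in ("select_account", "consent") if ui in values]
    return {"actions": actions}
```

The header trace requested in assessment step 6 corresponds to the "reauthenticate" branch: an Authentication Request with prompt=login arriving on a browser that already holds an OP session must still produce a login page before any code or token is returned.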
UserInfo Endpoint Support
The system MUST support a UserInfo endpoint in accordance with the requirements specified within Section 3.3 and Section 4 of the iGov Profile and the requirements specified within Section 5.3 of the OpenID Connect Core 1.0 specification.
Citation: NIEF