OpenID Connect RP Requirements - Basic, v1.0

The requirements for achieving basic OpenID Connect interoperability when implementing a Relying Party.

Assessment Steps (5)

1
OIDC Core (OIDCCore)
Does the system correctly function as an OpenID Relying Party?
Artifact
Evidence
Provide detailed explanation of the tests done to verify the system. Provide a link to appropriate certifications as well as any deployment specific tests performed.
2
OIDC Certification (OIDCCertification)
Does the system use a certified OpenID Relying Party implementation?
Artifact
Certification
If the system uses certified software, provide enough information to verify the certification. If the system software is not formally certified but testing was performed, provide the URL to the test results.
3
Valid Digital Signatures (ValidDigitalSignatures)
Does the system verify all digital signatures on incoming tokens?
Artifact
Evidence
Certification details may also be provided as long as the tests to verify digital signatures have been passed in the certification tests. Otherwise, provide evidence of the system rejecting tokens whose signatures come from untrusted partners, in addition to examples of working partners.
4
Requires Digital Signature (RequiresDigitalSignature)
Does the system require digital signatures on all incoming tokens?
Artifact
Evidence
Describe what happens (errors, etc.) if an OP sends a token with no signature, e.g. one whose header specifies alg=none.
5
UserInfo Queries (UserInfoQueries)
Does the system properly query the UserInfo endpoint?
Artifact
Evidence
Certification details may also be provided as long as the tests include response_type tests that indicate use of the UserInfo endpoint. Otherwise provide some sample logfile data and/or experimental data that demonstrates correct use of the UserInfo endpoint.

Conformance Criteria (5)

OIDC Core
The system MUST use and support the OpenID Connect (OIDC) standard in the role of a Relying Party (RP) as defined in the OpenID Connect Core 1.0 specification.
Citation
NIEF
Discussion/Review
OIDC Certification
The system MUST conform to the following rules regarding OIDC conformance profiles.
  1. The system's RP implementation MUST pass the OpenID Foundation's RP certification process for the Basic Relying Party conformance profile.
  2. If the system uses the OIDC Implicit Flow, then its RP implementation MUST also pass the OpenID Foundation's RP certification process for the Implicit Relying Party conformance profile.
  3. If the system uses the OIDC Hybrid Flow, then its RP implementation MUST also pass the OpenID Foundation's RP certification process for the Hybrid Relying Party conformance profile.
The implementer of the system can satisfy these conformance profile requirements either by using an RP software implementation that has previously been certified by the OpenID Foundation or by testing the system itself against the OpenID Foundation's RP certification test suite. Note that while use of the RP certification test suite is free of charge, becoming listed in the OpenID Foundation's registry of certified RP implementations does incur a financial cost to the implementer. The implementer of the system MAY seek listing in the registry, but this is strictly optional.
Citation
NIEF
Discussion/Review
Valid Digital Signatures
The system MUST validate the digital signature on every OIDC token that it receives, and MUST verify that the signing key belongs to the trusted OpenID Provider (OP), for example by matching it against the key set the OP publishes rather than accepting a key carried in the token itself.
Citation
NIEF
Discussion/Review
Requires Digital Signature
The system MUST NOT accept OIDC tokens whose JOSE header specifies a signature algorithm of none (alg=none), i.e. unsigned tokens.
Citation
NIEF
Discussion/Review
UserInfo Queries
If the system requires any claims about the user to make attribute-based access control (ABAC) policy decisions, it MUST be able to query the UserInfo endpoint in accordance with the requirements specified within Section 3.3 and Section 4 of the iGov Profile and the requirements specified within Section 5.3 of the OpenID Connect Core 1.0 specification.
Citation
NIEF
Discussion/Review
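The following is an added illustration of the RP-side checks behind the Valid Digital Signatures, Requires Digital Signature and UserInfo Queries criteria; it is not NIEF code and not part of the OpenID Foundation test suite. It assumes HS256 signing so that it runs with the Python standard library alone (a production RP normally verifies RS256 or ES256 against the OP's published JWKS), and the issuer, client_id, key id and claim values are constructed sample data.

```python
"""Added example of RP token and UserInfo checks (not NIEF or OpenID Foundation code).
Assumptions: HS256 so the standard library suffices (real RPs normally verify RS256/ES256
against the OP's JWKS); ISSUER, CLIENT_ID, kid and claim values are constructed samples."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://op.example.org"     # constructed sample OP issuer
CLIENT_ID = "rp-client-1234"          # constructed sample client_id
# Trusted OP signing keys by kid; in practice loaded from the OP's jwks_uri.
TRUSTED_KEYS = {"op-key-2024": b"constructed-op-secret-at-least-32-bytes-long!"}
ALLOWED_ALGS = {"HS256"}              # explicit allow-list; "none" is never on it

class TokenRejected(Exception):
    pass

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _aud_list(claims: dict) -> list:
    aud = claims.get("aud")
    return aud if isinstance(aud, list) else [aud]

def make_jws(payload: dict, alg: str, kid: Optional[str], key: Optional[bytes]) -> str:
    """Build a compact JWS; alg='none' yields the unsigned form an RP must refuse."""
    header = {"alg": alg, "typ": "JWT", **({"kid": kid} if kid else {})}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(payload).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def verify_jws(token: str) -> dict:
    """Signature and key-trust checks shared by ID Tokens and signed UserInfo responses."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
    except ValueError as exc:
        raise TokenRejected(f"malformed token: {exc}")
    alg = header.get("alg")
    # Decide on alg before touching any key: "none", missing and unknown algs stop here.
    if alg == "none" or alg not in ALLOWED_ALGS:
        raise TokenRejected(f"unacceptable alg {alg!r}")
    key = TRUSTED_KEYS.get(header.get("kid"))
    if key is None:
        raise TokenRejected(f"kid {header.get('kid')!r} is not a trusted OP signing key")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise TokenRejected("signature verification failed")
    return payload

def verify_id_token(token: str, expected_nonce: Optional[str] = None,
                    now: Optional[float] = None) -> dict:
    """ID Token validation (OpenID Connect Core 3.1.3.7) on top of verify_jws."""
    claims = verify_jws(token)
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise TokenRejected("iss does not match the expected OP")
    aud = _aud_list(claims)
    if CLIENT_ID not in aud or (len(aud) > 1 and claims.get("azp") != CLIENT_ID):
        raise TokenRejected("aud/azp do not name this RP")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenRejected("token is expired or carries no exp")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise TokenRejected("nonce does not match the authentication request")
    return claims

def check_userinfo_response(status: int, content_type: str, body: str,
                            id_token_sub: str) -> dict:
    """UserInfo response handling (Core 5.3.2-5.3.4): sub MUST equal the ID Token's sub."""
    if status != 200:
        raise TokenRejected(f"UserInfo endpoint returned HTTP {status}")
    if content_type.startswith("application/jwt"):
        claims = verify_jws(body)   # signed response: same alg and key-trust rules as above
        if claims.get("iss") != ISSUER or CLIENT_ID not in _aud_list(claims):
            raise TokenRejected("signed UserInfo response has wrong iss/aud")
    elif content_type.startswith("application/json"):
        claims = json.loads(body)
    else:
        raise TokenRejected(f"unexpected UserInfo content type {content_type!r}")
    if claims.get("sub") != id_token_sub:
        raise TokenRejected("UserInfo sub differs from ID Token sub; claims must not be used")
    return claims

def sample_id_token(alg: str = "HS256", kid: str = "op-key-2024",
                    exp: int = 2_000_000_000) -> str:
    """Constructed sample ID Token; vary alg/kid/exp to produce the cases an RP must reject."""
    claims = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID, "exp": exp,
              "iat": 1_700_000_000, "nonce": "n-0S6_WzA2Mj"}
    return make_jws(claims, alg, kid, TRUSTED_KEYS.get(kid, b"attacker-controlled-key"))
```

Two points matter for the assessment evidence above. First, the algorithm decision is taken from an explicit allow-list before any key is looked up, so a token with alg=none (or with a kid the RP has never trusted) fails with TokenRejected without the signature ever being considered; that failure is the kind of behaviour Step 4 asks the implementer to describe. Second, the UserInfo request itself is not shown; Core 5.3.1 requires the access token to be presented as a Bearer token, and the check that the returned sub equals the ID Token's sub is what keeps a substituted UserInfo response from feeding claims into an ABAC decision.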