OpenID Connect RP Requirements - Basic, v1.0
The requirements for achieving basic OpenID Connect interoperability when implementing a Relying Party.
Assessment Steps (5)
1
OIDC Core (OIDCCore)
Does the system correctly function as an OpenID Relying Party?
Artifact
Evidence
Provide a detailed explanation of the tests done to verify the system. Provide a link to appropriate certifications as well as any deployment-specific tests performed.
|
2
OIDC Certification (OIDCCertification)
Does the system use a certified OpenID Relying Party implementation?
Artifact
Certification
If the system uses certified software, provide enough information to verify the certification. If the system software is not formally certified but testing was performed, provide the URL to the test results.
|
3
Valid Digital Signatures (ValidDigitalSignatures)
Does the system verify all digital signatures on incoming tokens?
Artifact
Evidence
Certification details may also be provided, as long as the certification tests that were passed include the tests that verify digital signatures. Otherwise, provide evidence of the system rejecting tokens whose signatures come from untrusted partners, in addition to examples of working partners.
|
4
Requires Digital Signature (RequiresDigitalSignature)
Does the system require digital signatures on all incoming tokens?
Artifact
Evidence
Describe what happens (errors, etc.) if an OP sends a token with no signature.
|
5
UserInfo Queries (UserInfoQueries)
Does the system properly query the UserInfo endpoint?
Artifact
Evidence
Certification details may also be provided as long as the tests include response_type tests that indicate use of the UserInfo endpoint. Otherwise provide some sample logfile data and/or experimental data that demonstrates correct use of the UserInfo endpoint.
|
Conformance Criteria (5)
OIDC Core
The system MUST use and support the OpenID Connect (OIDC) standard in the role of a Relying Party (RP) as defined in the OpenID Connect Core 1.0 specification.
Citation
NIEF
Discussion/Review
|
OIDC Certification
The system MUST conform to the following rules regarding OIDC conformance profiles.
Citation
NIEF
Discussion/Review
|
Valid Digital Signatures
The system MUST validate the digital signature on every OIDC token that it receives, and MUST verify that the OpenID Provider (OP) system's signing key is trusted.
Citation
NIEF
Discussion/Review
|
Requires Digital Signature
The system MUST NOT accept OIDC tokens that specify a signature algorithm of none (alg=none).
Citation
NIEF
Discussion/Review
|
UserInfo Queries
If the system requires any claims about the user to make attribute-based access control (ABAC) policy decisions, it MUST be able to query the UserInfo endpoint in accordance with the requirements specified within Section 3.3 and Section 4 of the iGov Profile and the requirements specified within Section 5.3 of the OpenID Connect Core 1.0 specification.
Citation
NIEF
Discussion/Review
|
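The following is an added example, not NIEF's code or that of any certified RP implementation, showing what the Valid Digital Signatures, Requires Digital Signature and UserInfo Queries criteria above look like inside an RP's token handling: an ID Token is rejected if its header says alg=none (in any spelling) or names an algorithm outside an explicit allow-list, if its kid is not in the RP's trust store, if the signature does not verify, or if iss, aud and exp are wrong; a UserInfo response is discarded unless its sub equals the ID Token's sub (Core 1.0, Section 5.3.2). HS256 with the client_secret as the shared key is used only so the example runs on the Python standard library; a deployed RP normally verifies RS256/ES256 against the OP's published JWKS with a maintained JOSE library, but the checks are the same. The issuer, client_id, key ids, secret and claim values are constructed for the example, and only application/json UserInfo responses are handled (signed application/jwt responses are out of scope here).

```python
"""RP-side checks for an OIDC ID Token and UserInfo response (added example; HS256 so it runs on the stdlib)."""
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}  # "none" is never acceptable (RequiresDigitalSignature)
# Assumed trust store, kid -> key: only keys listed here are trusted (ValidDigitalSignatures).
TRUSTED_KEYS = {"op-key-1": b"constructed-client-secret-for-this-example"}
ISSUER = "https://op.example.org"  # assumed OP issuer identifier
CLIENT_ID = "rp-example-client"  # assumed RP client_id


class TokenError(Exception):
    """Raised whenever a token or UserInfo response must be rejected."""

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def verify_id_token(token, now=None, nonce=None):
    """Return the claims of an acceptable ID Token, otherwise raise TokenError."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
        signature, signing_input = _b64url_decode(s), f"{h}.{p}".encode("ascii")
    except (ValueError, UnicodeError) as exc:
        raise TokenError(f"malformed JWT: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("JWT header and payload must be JSON objects")
    alg = header.get("alg")
    # Refuse unsigned tokens in every spelling of "none", and any alg not explicitly allowed.
    if not isinstance(alg, str) or alg.lower() == "none" or alg not in ALLOWED_ALGS:
        raise TokenError(f"unacceptable alg {alg!r}")
    key = TRUSTED_KEYS.get(header.get("kid"))
    if key is None:
        raise TokenError(f"untrusted signing key {header.get('kid')!r}")
    if not hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), signature):
        raise TokenError("signature verification failed")
    # Signature holds; now the claims (Core 1.0, Section 3.1.3.7).
    if claims.get("iss") != ISSUER:
        raise TokenError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []):
        raise TokenError("client_id not present in aud")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenError("exp missing or token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch")
    return claims

def validate_userinfo(body, content_type, id_token_claims):
    """Core 1.0, Section 5.3.2: the UserInfo sub MUST equal the ID Token sub, else discard the response."""
    if content_type.split(";")[0].strip().lower() != "application/json":
        # Signed or encrypted responses come back as application/jwt; not handled in this example.
        raise TokenError(f"unexpected UserInfo content type {content_type!r}")
    try:
        claims = json.loads(body)
    except (ValueError, UnicodeError) as exc:
        raise TokenError(f"malformed UserInfo response: {exc}") from exc
    if not isinstance(claims, dict) or claims.get("sub") != id_token_claims.get("sub"):
        raise TokenError("UserInfo sub does not match the ID Token sub")
    return claims

def make_token(header, claims, key=None):
    """Constructed test fixture only (a real RP never mints ID Tokens); key=None gives an alg=none-style token."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = "" if key is None else _b64url_encode(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())
    return f"{h}.{p}.{sig}"

# Constructed sample claims for the fixtures below.
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID, "iat": 1_700_000_000, "exp": 1_700_000_600}

def demo(now=1_700_000_300):
    """Run verify_id_token over constructed tokens; returns the outcome for each case."""
    good = make_token({"alg": "HS256", "kid": "op-key-1", "typ": "JWT"}, SAMPLE_CLAIMS, TRUSTED_KEYS["op-key-1"])
    h, _, s = good.split(".")
    forged = _b64url_encode(json.dumps({**SAMPLE_CLAIMS, "sub": "admin"}).encode())
    cases = {
        "good": good,
        "unsigned": make_token({"alg": "none", "kid": "op-key-1"}, SAMPLE_CLAIMS),
        "unknown_key": make_token({"alg": "HS256", "kid": "rogue-op"}, SAMPLE_CLAIMS, b"attacker-chosen-key"),
        "tampered": f"{h}.{forged}.{s}",  # genuine signature replayed over a modified payload
    }
    results = {}
    for name, token in cases.items():
        try:
            verify_id_token(token, now=now)
            results[name] = "accepted"
        except TokenError as exc:
            results[name] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints the outcome for each constructed case: the properly signed token is accepted, while the alg=none token, the token signed under an unknown kid and the token whose payload was altered after signing are each rejected with the reason. When deploying, the shared-key lookup in TRUSTED_KEYS is the point to replace with a JWKS fetched from the OP's discovery document and an asymmetric verification routine from a JOSE library; the alg allow-list, kid trust check, claim checks and the UserInfo sub comparison stay as they are.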