OpenID Connect Basic OP — conformance self-test results

Independent evidence that the CodeB Sovereign Communications OpenID Connect provider (OP) passes every test in the OpenID Foundation Basic OP Certification Profile, test suite version 5.2.0, executed by the OIDF-hosted conformance harness on 2026-07-18.

Test plan finished 2026-07-18
All 35 tests passed · 0 failures · 0 warnings
35
tests total
35
passed
0
failures
0
warnings
2 084
assertions
Self-test result, not the OpenID Certified™ mark. These results were generated by the OpenID Foundation conformance suite hosted at certification.openid.net. By themselves they are not proof of formal certification — only entries on the OpenID certified deployments list carry the mark. What this page attests is that the exact OIDC OP shipped inside every CodeB tenant deployment passes the Basic OP suite end-to-end without warnings. Formal certification submission is on the roadmap.

Summary

AreaWhat it verifiesResult
Discovery.well-known/openid-configuration shape, algorithm advertisements, endpoint URLsPass
Authorization endpointredirect_uri whitelisting, response_type, PKCE, state, nonce round-tripPass
Token endpointAuthorization code exchange, client_secret_basic + client_secret_post, code single-use, refresh_token rotationPass
ID tokenSignature (RS256), iss/aud/exp/iat/sub, at_hash, c_hash, nonce, auth_timePass
UserInfo endpointGET, POST-body, POST-header; scope-to-claim mapping (profile / email / phone / address)Pass
Prompt / max_age / id_token_hintSilent SSO, forced re-auth, subject-bound hints, spec-conformant login_required errorsPass
Request Object (unsigned)OIDC Core 6.1 — parameters passed inside JWT overlay outer query params, state / nonce / redirect_uri routingPass
Locales / display / acr_values / login_hintOptional parameter acceptance and echoing per OIDCC-3.1.2.1Pass
Code reuse securityRepeat use of an authorization code invalidates any tokens minted from the first exchange (RFC 6749 §4.1.2)Pass

Evidence

Three independent evidence trails, any one is enough to reproduce the test on your own infrastructure.

Live OIDF plan (read-only)
certification.openid.net » plan RRxhrmgabfcym
Signed private link, valid through 2029-05-19. Opens the OIDF-hosted plan-detail view of every individual test run.
Certification package (ZIP)
oidcc-basic-certification-test-plan · 1.8 MB
OIDF-generated bundle: plan metadata, per-test JSON + HTML logs, and JWS signatures over each log for tamper-evident inspection.
OIDC OP feature reference
Endpoints, algorithms, extensions
What the OP exposes: discovery, JWKS, /authorize, /token, /userinfo, /revoke, /introspect, /end_session, JWT-bearer, id_token_hint.

Test breakdown — 35 tests, all passed

Grouped by area. Every test finished with status PASSED; three of them additionally required a screenshot upload for the OIDF harness to close out interactively (OP-side result was already green).

Discovery + core protocol (5)

Test nameResult
oidcc-serverPass
oidcc-server-client-secret-postPass
oidcc-alternate-happy-flowPass
oidcc-response-type-missingPass
oidcc-ensure-registered-redirect-uriPass

Authorization request handling (7)

Test nameResult
oidcc-ensure-post-request-succeedsPass
oidcc-ensure-request-with-unknown-parameter-succeedsPass
oidcc-ensure-request-with-acr-values-succeedsPass
oidcc-ensure-request-with-valid-pkce-succeedsPass
oidcc-ensure-request-without-nonce-succeeds-for-code-flowPass
oidcc-ensure-request-object-with-redirect-uriPass
oidcc-unsigned-request-object-supported-correctly-or-rejected-as-unsupportedPass

Prompt, max_age, id_token_hint (7)

Test nameResult
oidcc-prompt-none-logged-inPass
oidcc-prompt-none-not-logged-inPass
oidcc-prompt-loginPass
oidcc-max-age-1Pass
oidcc-max-age-10000Pass
oidcc-id-token-hintPass
oidcc-login-hintPass

Scopes and UserInfo (8)

Test nameResult
oidcc-scope-profilePass
oidcc-scope-emailPass
oidcc-scope-phonePass
oidcc-scope-addressPass
oidcc-scope-allPass
oidcc-userinfo-getPass
oidcc-userinfo-post-bodyPass
oidcc-userinfo-post-headerPass

Claims, locales, display (5)

Test nameResult
oidcc-claims-essentialPass
oidcc-claims-localesPass
oidcc-ui-localesPass
oidcc-display-pagePass
oidcc-display-popupPass

Refresh + code-reuse security (3)

Test nameResult
oidcc-refresh-tokenPass
oidcc-codereusePass
oidcc-codereuse-30secondsPass

How to reproduce

  1. Register a client in the OIDC clients admin of your own CodeB tenant with client_secret_basic authentication, response_type code, and the OIDF harness callback URL https://www.certification.openid.net/test/a/<alias>/callback.
  2. Sign up for a free account at certification.openid.net, create a plan of type “OpenID Connect Core: Basic Certification Profile”, and paste your OP’s discovery URL plus the client credentials.
  3. Run all 35 tests. Three (prompt-login, max-age-1, ensure-registered-redirect-uri) require an interactive screenshot upload — the OP’s behaviour is already green before the upload; the upload only lets the OIDF harness close the ticket.
  4. Download the certification package ZIP from your plan-detail page and compare per-test results arrays against the JSON bundle linked above.

Roadmap to the OpenID Certified™ mark

Passing the conformance suite is step one. The full path to being listed on the OpenID Foundation certified-implementations page is:

  1. Done — Basic OP profile, discovery + static_client variant, zero-warnings run on the OIDF harness.
  2. Next — run the same suite against the additional variants the profile allows (dynamic client registration, PAR, form_post response mode) and archive the plans.
  3. Then — submit the plan IDs + certification fee to the OpenID Foundation using the process at openid.net/certification/instructions/. Listing typically appears within one to two weeks of submission.
  4. Also on the plan — HAIP 1.0 verifier certification for the EU Wallet / OpenID4VP side (tracked separately on the HAIP implementation notes page).

Details about the run

Test suiteOpenID Foundation conformance suite · version 5.2.0
Certification profileBasic OP
Plan nameoidcc-basic-certification-test-plan
Plan IDRRxhrmgabfcym
Variantserver_metadata=discovery, client_registration=static_client, client_auth_type=client_secret_basic, response_type=code, response_mode=default
Plan started2026-07-18 10:57:12 UTC
Tests35 total
Failures0
Warnings0
OP under testCodeB Sovereign Communications OIDC provider — the same OP binary shipped in every CodeB tenant, running on production infrastructure at the time of the test

Last updated 2026-07-18. Related pages: OIDC features · API reference · HAIP 1.0 notes · Credential Provider v2