OpenID Connect Basic OP — conformance self-test results
Independent evidence that the CodeB Sovereign Communications OpenID Connect provider (OP) passes every test in the OpenID Foundation Basic OP Certification Profile, test suite version 5.2.0, executed by the OIDF-hosted conformance harness on 2026-07-18.
Summary
| Area | What it verifies | Result |
|---|---|---|
| Discovery | .well-known/openid-configuration shape, algorithm advertisements, endpoint URLs | Pass |
| Authorization endpoint | redirect_uri whitelisting, response_type, PKCE, state, nonce round-trip | Pass |
| Token endpoint | Authorization code exchange, client_secret_basic + client_secret_post, code single-use, refresh_token rotation | Pass |
| ID token | Signature (RS256), iss/aud/exp/iat/sub, at_hash, c_hash, nonce, auth_time | Pass |
| UserInfo endpoint | GET, POST-body, POST-header; scope-to-claim mapping (profile / email / phone / address) | Pass |
| Prompt / max_age / id_token_hint | Silent SSO, forced re-auth, subject-bound hints, spec-conformant login_required errors | Pass |
| Request Object (unsigned) | OIDC Core 6.1 — parameters passed inside JWT overlay outer query params, state / nonce / redirect_uri routing | Pass |
| Locales / display / acr_values / login_hint | Optional parameter acceptance and echoing per OIDCC-3.1.2.1 | Pass |
| Code reuse security | Repeat use of an authorization code invalidates any tokens minted from the first exchange (RFC 6749 §4.1.2) | Pass |
Evidence
Three independent evidence trails, any one is enough to reproduce the test on your own infrastructure.
Test breakdown — 35 tests, all passed
Grouped by area. Every test finished with status PASSED; three of them additionally required a screenshot upload for the OIDF harness to close out interactively (OP-side result was already green).
Discovery + core protocol (5)
| Test name | Result |
|---|---|
| oidcc-server | Pass |
| oidcc-server-client-secret-post | Pass |
| oidcc-alternate-happy-flow | Pass |
| oidcc-response-type-missing | Pass |
| oidcc-ensure-registered-redirect-uri | Pass |
Authorization request handling (7)
| Test name | Result |
|---|---|
| oidcc-ensure-post-request-succeeds | Pass |
| oidcc-ensure-request-with-unknown-parameter-succeeds | Pass |
| oidcc-ensure-request-with-acr-values-succeeds | Pass |
| oidcc-ensure-request-with-valid-pkce-succeeds | Pass |
| oidcc-ensure-request-without-nonce-succeeds-for-code-flow | Pass |
| oidcc-ensure-request-object-with-redirect-uri | Pass |
| oidcc-unsigned-request-object-supported-correctly-or-rejected-as-unsupported | Pass |
Prompt, max_age, id_token_hint (7)
| Test name | Result |
|---|---|
| oidcc-prompt-none-logged-in | Pass |
| oidcc-prompt-none-not-logged-in | Pass |
| oidcc-prompt-login | Pass |
| oidcc-max-age-1 | Pass |
| oidcc-max-age-10000 | Pass |
| oidcc-id-token-hint | Pass |
| oidcc-login-hint | Pass |
Scopes and UserInfo (8)
| Test name | Result |
|---|---|
| oidcc-scope-profile | Pass |
| oidcc-scope-email | Pass |
| oidcc-scope-phone | Pass |
| oidcc-scope-address | Pass |
| oidcc-scope-all | Pass |
| oidcc-userinfo-get | Pass |
| oidcc-userinfo-post-body | Pass |
| oidcc-userinfo-post-header | Pass |
Claims, locales, display (5)
| Test name | Result |
|---|---|
| oidcc-claims-essential | Pass |
| oidcc-claims-locales | Pass |
| oidcc-ui-locales | Pass |
| oidcc-display-page | Pass |
| oidcc-display-popup | Pass |
Refresh + code-reuse security (3)
| Test name | Result |
|---|---|
| oidcc-refresh-token | Pass |
| oidcc-codereuse | Pass |
| oidcc-codereuse-30seconds | Pass |
How to reproduce
- Register a client in the OIDC clients admin of your own CodeB tenant with
client_secret_basicauthentication, response_typecode, and the OIDF harness callback URLhttps://www.certification.openid.net/test/a/<alias>/callback. - Sign up for a free account at certification.openid.net, create a plan of type “OpenID Connect Core: Basic Certification Profile”, and paste your OP’s discovery URL plus the client credentials.
- Run all 35 tests. Three (
prompt-login,max-age-1,ensure-registered-redirect-uri) require an interactive screenshot upload — the OP’s behaviour is already green before the upload; the upload only lets the OIDF harness close the ticket. - Download the certification package ZIP from your plan-detail page and compare per-test
resultsarrays against the JSON bundle linked above.
Roadmap to the OpenID Certified™ mark
Passing the conformance suite is step one. The full path to being listed on the OpenID Foundation certified-implementations page is:
- Done — Basic OP profile, discovery + static_client variant, zero-warnings run on the OIDF harness.
- Next — run the same suite against the additional variants the profile allows (dynamic client registration, PAR, form_post response mode) and archive the plans.
- Then — submit the plan IDs + certification fee to the OpenID Foundation using the process at openid.net/certification/instructions/. Listing typically appears within one to two weeks of submission.
- Also on the plan — HAIP 1.0 verifier certification for the EU Wallet / OpenID4VP side (tracked separately on the HAIP implementation notes page).
Details about the run
| Test suite | OpenID Foundation conformance suite · version 5.2.0 |
|---|---|
| Certification profile | Basic OP |
| Plan name | oidcc-basic-certification-test-plan |
| Plan ID | RRxhrmgabfcym |
| Variant | server_metadata=discovery, client_registration=static_client, client_auth_type=client_secret_basic, response_type=code, response_mode=default |
| Plan started | 2026-07-18 10:57:12 UTC |
| Tests | 35 total |
| Failures | 0 |
| Warnings | 0 |
| OP under test | CodeB Sovereign Communications OIDC provider — the same OP binary shipped in every CodeB tenant, running on production infrastructure at the time of the test |
Last updated 2026-07-18. Related pages: OIDC features · API reference · HAIP 1.0 notes · Credential Provider v2