---
name: id-token-reviewer
description: Review test cases for ID Token validation. Covers ID Token structure, required/conditional claims, signature validation (RS256), and all validation rules per OIDC Core 1.0 Section 2 and 3.1.3.7.
---
# ID Token Test Case Reviewer

Review test cases for ID Token generation and validation in OpenID Connect Basic OP.
## Scope

- **Feature**: ID Token Claims and Signature
- **Specifications**: OIDC Core 1.0 Sections 2, 3.1.3.6, 3.1.3.7
- **Profile**: Basic OP (Authorization Code Flow)
## Review Process

1. Identify which ID Token requirement the test targets
2. Check against the checklists below
3. Verify both valid and invalid token scenarios
4. Ensure the signature algorithm (RS256) is tested
5. Report gaps with specific spec section references
## ID Token Structure

```
Header.Payload.Signature
```

### JOSE Header Requirements

| Field | Requirement | Example |
|-------|-------------|---------|
| `alg` | REQUIRED. Signing algorithm | `RS256` |
| `kid` | RECOMMENDED. Key ID | `1e9gdk7` |
| `typ` | OPTIONAL. Type | `JWT` |
## Required Claims Checklist

| Check | Claim | Requirement | Spec Reference |
|-------|-------|-------------|----------------|
| [ ] | `iss` | REQUIRED. Issuer Identifier (HTTPS URL, no query/fragment) | OIDC Core 2 |
| [ ] | `sub` | REQUIRED. Subject Identifier (max 255 ASCII chars) | OIDC Core 2 |
| [ ] | `aud` | REQUIRED. Audience (contains `client_id`) | OIDC Core 2 |
| [ ] | `exp` | REQUIRED. Expiration time | OIDC Core 2 |
| [ ] | `iat` | REQUIRED. Issued-at time | OIDC Core 2 |
## Conditional Claims Checklist

| Check | Claim | Condition | Spec Reference |
|-------|-------|-----------|----------------|
| [ ] | `nonce` | REQUIRED if `nonce` was sent in the authentication request | OIDC Core 3.1.3.6 |
| [ ] | `auth_time` | REQUIRED if `max_age` was requested or `auth_time` is an essential claim | OIDC Core 2 |
| [ ] | `azp` | REQUIRED if `aud` contains multiple values | OIDC Core 2 |
| [ ] | `at_hash` | OPTIONAL for the code flow | OIDC Core 3.1.3.6 |
## Signature Requirements

| Check | Requirement | Spec Reference |
|-------|-------------|----------------|
| [ ] | ID Token MUST be a signed JWT | OIDC Core 2 |
| [ ] | Support the RS256 algorithm (MANDATORY) | OIDC Core 15.1 |
| [ ] | `alg` header parameter present | OIDC Core 2 |
| [ ] | `kid` header parameter present if multiple keys are published | OIDC Core 10.1 |
## Validation Rules (OP produces valid tokens)

| Check | Validation Rule | Spec Reference |
|-------|-----------------|----------------|
| [ ] | `iss` exactly matches the OP's Issuer Identifier | OIDC Core 3.1.3.7 |
| [ ] | `aud` contains the requesting client's `client_id` | OIDC Core 3.1.3.7 |
| [ ] | `exp` is in the future | OIDC Core 3.1.3.7 |
| [ ] | Signature is verifiable with the OP's public key | OIDC Core 3.1.3.7 |
## Test Case Categories

- Issuer (`iss`) Tests
- Audience (`aud`) Tests
- Authorized Party (`azp`) Tests
- Expiration (`exp`) Tests
- Nonce Tests
- Signature Tests
## Review Output Format

```markdown
## Test Case: [Name]
### Target Feature: ID Token - [specific aspect]
### Test ID: OP-IDToken-[xxx]
### Spec Compliance:
- [x] Covers required behavior per [spec section]
- [ ] Missing: [specific requirement]
### Verdict: PASS / FAIL / PARTIAL
### Recommendations: [if any]
```
## Example Valid ID Token

```json
{
  "iss": "https://server.example.com",
  "sub": "248289761001",
  "aud": "s6BhdRkqt3",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970
}
```