Metadata policy test vectors for OpenID Federation 1.0
At this URL you can download 8190 test vectors with metadata policies for OpenID Federation 1.0:
The test vectors are based on the current draft 41, with applied updates by Gabriel Zachmann and Connect2id, to provide a complete logical coverage of all operator combinations, so as to not unduly restrict federations with multiple trust anchors or when subordinate or superior policies may not be known in advance.
The operator combinations are summarised in this table:
The test vectors provide:
- Combinations of trust anchor and intermediate policies.
- Test metadata input, using real OpenID RP metadata.
- The expected resolved metadata.
- The expected error if the policy combination or merge is invalid, or the metadata is rejected by the policy.
The test vectors are provided in JSON format.
The top level is a JSON array that contains an object for each test, with the following members:
- n – Number identifying the test vector.
- combination – Array describing the operator combination.
- TA – The trust anchor metadata policy.
- INT – The intermediate metadata policy.
- merged – The merged trust anchor and intermediate metadata policy, omitted if the merge failed due to an illegal combination or another policy error.
- metadata – The input metadata.
- resolved – The resolved metadata, omitted if the merge failed, as described above, or the merged policy rejected the metadata as invalid.
- error – Indicates the expected error, with possible values invalid_policy or invalid_metadata.
- error_description – Text describing the error.
Example test vector for a successful policy merge and valid metadata:
```json
{
  "n": 4111,
  "combination": [
    "one_of",
    "default"
  ],
  "TA": {
    "id_token_signed_response_alg": {
      "one_of": [ "RS256", "ES256" ]
    }
  },
  "INT": {
    "id_token_signed_response_alg": {
      "default": "RS256"
    }
  },
  "merged": {
    "id_token_signed_response_alg": {
      "default": "RS256",
      "one_of": [ "RS256", "ES256" ]
    }
  },
  "metadata": {
    "id_token_signed_response_alg": "RS256"
  },
  "resolved": {
    "id_token_signed_response_alg": "RS256"
  }
}
```
Example test vector where the input metadata was rejected by the merged trust anchor and intermediate policy:
```json
{
  "n": 4175,
  "combination": [
    "one_of",
    "default"
  ],
  "TA": {
    "id_token_signed_response_alg": {
      "one_of": [ "RS256", "ES256" ]
    }
  },
  "INT": {
    "id_token_signed_response_alg": {
      "default": "RS256"
    }
  },
  "merged": {
    "id_token_signed_response_alg": {
      "default": "RS256",
      "one_of": [ "RS256", "ES256" ]
    }
  },
  "metadata": {
    "id_token_signed_response_alg": "EdDSA"
  },
  "error": "invalid_metadata",
  "error_description": "Invalid id_token_signed_response_alg: Failed one_of check"
}
```
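An added example (not part of the original page or of the test suite's own tooling): a minimal Python harness that applies each vector's merged policy to its metadata and compares the outcome with the expected resolved or error member. It implements only the default and one_of operators seen in the two vectors above; the names apply_policy and run are hypothetical, and the third sample vector is constructed here to exercise the default path.

```python
class PolicyError(Exception):
    """Error carrying a vector-style code such as invalid_metadata."""
    def __init__(self, code, description):
        super().__init__(description)
        self.code = code

def apply_policy(policy, metadata):
    """Apply a merged policy; only default and one_of are implemented here."""
    resolved = dict(metadata)
    for param, ops in policy.items():
        unsupported = set(ops) - {"default", "one_of"}
        if unsupported:
            raise NotImplementedError(f"not covered: {sorted(unsupported)}")
        # default fills in an absent parameter before one_of is checked
        if "default" in ops and param not in resolved:
            resolved[param] = ops["default"]
        if "one_of" in ops and param in resolved and resolved[param] not in ops["one_of"]:
            raise PolicyError("invalid_metadata", f"Invalid {param}: Failed one_of check")
    return resolved

def run(vectors):
    """Map each vector's n to 'pass', 'fail' or 'skipped'."""
    results = {}
    for v in vectors:
        if "merged" not in v:  # merge failed; verifying it needs a merge implementation
            results[v["n"]] = "skipped"
            continue
        try:
            resolved = apply_policy(v["merged"], v["metadata"])
            ok = "error" not in v and resolved == v.get("resolved")
        except NotImplementedError:
            results[v["n"]] = "skipped"
            continue
        except PolicyError as e:
            # a rejected input must carry the error code and no resolved member
            ok = v.get("error") == e.code and "resolved" not in v
        results[v["n"]] = "pass" if ok else "fail"
    return results

ALG = "id_token_signed_response_alg"
MERGED = {ALG: {"default": "RS256", "one_of": ["RS256", "ES256"]}}
VECTORS = [
    # 4111 and 4175 are condensed from the examples above (TA/INT members omitted)
    {"n": 4111, "merged": MERGED, "metadata": {ALG: "RS256"}, "resolved": {ALG: "RS256"}},
    {"n": 4175, "merged": MERGED, "metadata": {ALG: "EdDSA"}, "error": "invalid_metadata"},
    # constructed sample, not from the download: parameter absent, default applies
    {"n": "constructed-1", "merged": MERGED, "metadata": {}, "resolved": {ALG: "RS256"}},
]

if __name__ == "__main__":
    print(run(VECTORS))
```

Vectors whose policies use operators outside this subset, or that omit merged, are reported as skipped rather than passed.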