id-token-reviewer

Review test cases for ID Token validation. Covers ID Token structure, required/conditional claims, signature validation (RS256), and all validation rules per OIDC Core 1.0 Section 2 and 3.1.3.7.

0 stars
1.2k downloads
Updated 2/5/2026

Package Files

SKILL.md

ID Token Test Case Reviewer

Review test cases for ID Token generation and validation in OpenID Connect Basic OP.

Scope

  • Feature: ID Token Claims and Signature
  • Specifications: OIDC Core 1.0 Section 2, 3.1.3.6, 3.1.3.7
  • Profile: Basic OP (Authorization Code Flow)

Review Process

  1. Identify which ID Token requirement the test targets
  2. Check against the checklist below
  3. Verify both valid and invalid token scenarios
  4. Ensure signature algorithm (RS256) is tested
  5. Report gaps with specific spec section references

ID Token Structure

An ID Token is a JWS in compact serialization, three base64url-encoded segments joined by dots:

base64url(JOSE Header).base64url(Payload).base64url(Signature)

The signature covers the first two segments exactly as transmitted, so any change to the header or payload bytes invalidates it.

JOSE Header Requirements

| Field | Requirement | Example |
| --- | --- | --- |
| alg | REQUIRED. Signing algorithm | RS256 |
| kid | RECOMMENDED. Key ID; MUST be present when the OP's JWK Set contains more than one key (OIDC Core 10.1) | 1e9gdk7 |
| typ | OPTIONAL. Type | JWT |

Required Claims Checklist

| Check | Claim | Requirement | Spec Reference |
| --- | --- | --- | --- |
| [ ] | iss | REQUIRED. Issuer Identifier (case-sensitive https URL with optional port and path, no query or fragment component) | OIDC Core 2 |
| [ ] | sub | REQUIRED. Subject Identifier (locally unique, never reassigned, max 255 ASCII chars) | OIDC Core 2 |
| [ ] | aud | REQUIRED. Audience (single string or array of strings; MUST contain the RP's client_id) | OIDC Core 2 |
| [ ] | exp | REQUIRED. Expiration time (seconds since the epoch) | OIDC Core 2 |
| [ ] | iat | REQUIRED. Issued-at time (seconds since the epoch) | OIDC Core 2 |

Conditional Claims Checklist

| Check | Claim | Condition | Spec Reference |
| --- | --- | --- | --- |
| [ ] | nonce | REQUIRED if a nonce was present in the Authentication Request; its value MUST equal the request's nonce | OIDC Core 2, 3.1.3.7 |
| [ ] | auth_time | REQUIRED if max_age was requested or auth_time was requested as an Essential Claim; otherwise OPTIONAL | OIDC Core 2 |
| [ ] | azp | OPTIONAL. If present, MUST equal the client_id of the authorized party; the RP SHOULD check that it is present when aud has multiple values | OIDC Core 2, 3.1.3.7 |
| [ ] | at_hash | OPTIONAL in the Authorization Code Flow | OIDC Core 3.1.3.6 |

Signature Requirements

| Check | Requirement | Spec Reference |
| --- | --- | --- |
| [ ] | ID Token MUST be a signed JWT (JWS); alg none is permitted only when the Response Type returns no ID Token from the Authorization Endpoint (as in the Authorization Code Flow) and the client explicitly requested none at registration | OIDC Core 2 |
| [ ] | Support RS256 algorithm (MANDATORY for all OPs) | OIDC Core 15.1 |
| [ ] | alg header parameter present | OIDC Core 2 |
| [ ] | kid header parameter present if the JWK Set has multiple keys | OIDC Core 10.1 |

Validation Rules (OP produces valid tokens)

| Check | Validation Rule | Spec Reference |
| --- | --- | --- |
| [ ] | iss exactly matches the OP's Issuer Identifier (plain string comparison, no normalization of scheme, case or trailing slash) | OIDC Core 3.1.3.7 |
| [ ] | aud contains the requesting client's client_id and no audiences the client does not trust | OIDC Core 3.1.3.7 |
| [ ] | exp is in the future (only a small clock-skew leeway is allowed) | OIDC Core 3.1.3.7 |
| [ ] | Signature verifiable with the OP's public key, using the alg the client registered (RS256 by default) | OIDC Core 3.1.3.7 |

Caveat for reviewers: when the ID Token is received directly from the Token Endpoint, as in the Authorization Code Flow, the RP MAY rely on TLS server validation in place of checking the signature (OIDC Core 3.1.3.7). Test cases for the OP must still produce a correct signature, because RPs that receive the token another way have to verify it.

Test Case Categories

Issuer (iss) Tests

  • Valid: iss matches configured OP issuer exactly
  • Invalid: iss adds query parameters
  • Invalid: iss adds fragment
  • Invalid: iss differs by trailing slash
  • Invalid: iss differs by scheme (http vs https)
  • Invalid: iss is missing

Audience (aud) Tests

  • Valid: aud equals client_id (string)
  • Valid: aud is array containing client_id
  • Invalid: aud doesn't contain client_id
  • Invalid: aud is missing

Authorized Party (azp) Tests

  • Valid: Single aud, no azp required
  • Valid: Multiple aud, azp equals client_id
  • Warning: Multiple aud, azp missing
  • Invalid: azp present but doesn't match client_id

Expiration (exp) Tests

  • Valid: exp is in future
  • Valid: exp slightly in the past but within a small clock-skew leeway (the spec allows only a small leeway, usually no more than a few minutes)
  • Invalid: exp is in past
  • Invalid: exp is missing

Nonce Tests

  • Valid: nonce matches request nonce
  • Valid: No nonce in request, no nonce in token (code flow)
  • Invalid: nonce requested but missing in token
  • Invalid: nonce doesn't match request

Signature Tests

  • Valid: RS256 signature verifies with OP's public key
  • Valid: Retrieve key via kid from JWKS
  • Invalid: Signature doesn't verify
  • Invalid: Unknown kid
  • Invalid: Algorithm mismatch
  • Invalid: alg is none (permitted only if the client explicitly registered for unsigned ID Tokens; otherwise the token MUST be rejected)
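
As an added example that is not part of this skill or its repository, the Go program below mints an RS256 ID Token the way a Basic OP would and then runs the RP-side checks from the tables above, so that each test category maps to a concrete accept, warn or reject outcome. Everything in it is constructed for the demo: the RSA key is generated on the fly, the kid 1e9gdk7 and the claim values are copied from the page's example token, an in-memory map stands in for the OP's JWKS endpoint, and the clock is fixed inside the example token's lifetime.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS segments are base64url without padding

// Claims holds the checked ID Token claims; Aud is any because the spec allows a string or an array.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   any    `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce,omitempty"`
	Azp   string `json:"azp,omitempty"`
}

// SignJWT is the OP side: RSASSA-PKCS1-v1_5 with SHA-256 over base64url(header).base64url(payload).
// alg is a parameter only so tests can mint tokens whose header lies about the algorithm.
func SignJWT(key *rsa.PrivateKey, alg, kid string, claims map[string]any) string {
	h, _ := json.Marshal(map[string]string{"alg": alg, "kid": kid, "typ": "JWT"})
	p, _ := json.Marshal(claims)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	d := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return input + "." + b64.EncodeToString(sig)
}

// Validate runs the RP checks of OIDC Core 3.1.3.7 in order: alg allow-list, key by kid, signature,
// exact iss, aud/azp, exp with leeway, nonce. keys stands in for the OP's JWKS; MUST failures are errors.
func Validate(tok, issuer, clientID, nonce string, keys map[string]*rsa.PublicKey,
	now time.Time, leeway time.Duration) (*Claims, []string, error) {
	parts := strings.Split(tok, ".")
	var hdr struct{ Alg, Kid string }
	if hb, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, nil, errors.New("malformed JWS or undecodable JOSE header")
	}
	if hdr.Alg != "RS256" { // allow-list: rejects "none" and any alg the RP did not register
		return nil, nil, fmt.Errorf("alg %q not allowed", hdr.Alg)
	}
	pub := keys[hdr.Kid]
	if pub == nil {
		return nil, nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return nil, nil, errors.New("signature does not verify")
	}
	var c Claims
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, nil, errors.New("undecodable payload")
	}
	if c.Iss != issuer { // exact, case-sensitive: no slash, case or scheme normalisation
		return nil, nil, fmt.Errorf("iss %q does not match %q", c.Iss, issuer)
	}
	var auds []string
	switch v := c.Aud.(type) {
	case string:
		auds = []string{v}
	case []any:
		for _, a := range v {
			auds = append(auds, fmt.Sprint(a))
		}
	}
	if !slices.Contains(auds, clientID) {
		return nil, nil, errors.New("aud missing or does not contain client_id")
	}
	var warn []string // SHOULD-level findings are reported, not fatal
	if len(auds) > 1 && c.Azp == "" {
		warn = append(warn, "multiple aud values but no azp (3.1.3.7 step 4, SHOULD)")
	}
	if c.Azp != "" && c.Azp != clientID {
		return nil, nil, errors.New("azp does not match client_id")
	}
	if c.Exp == 0 || now.After(time.Unix(c.Exp, 0).Add(leeway)) {
		return nil, nil, errors.New("exp missing or in the past")
	}
	if nonce != "" && c.Nonce != nonce {
		return nil, nil, errors.New("nonce missing or does not match the request")
	}
	return &c, warn, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed OP key; kid "1e9gdk7" is assumed
	claims := map[string]any{"iss": "https://server.example.com", "sub": "248289761001",
		"aud": "s6BhdRkqt3", "nonce": "n-0S6_WzA2Mj", "exp": int64(1311281970), "iat": int64(1311280970)}
	_, warn, err := Validate(SignJWT(key, "RS256", "1e9gdk7", claims), "https://server.example.com",
		"s6BhdRkqt3", "n-0S6_WzA2Mj", map[string]*rsa.PublicKey{"1e9gdk7": &key.PublicKey},
		time.Unix(1311281000, 0), 2*time.Minute) // constructed clock inside the token lifetime
	fmt.Println("warnings:", warn, "error:", err)
}
```

The order of checks is deliberate: the algorithm is allow-listed and the signature verified before any claim is read, so a forged payload never influences which key or issuer is consulted, and a token with a trailing-slash issuer, a foreign audience, or a stale nonce is rejected by plain string comparison rather than by URL parsing.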

Review Output Format

```markdown
## Test Case: [Name]
### Target Feature: ID Token - [specific aspect]
### Test ID: OP-IDToken-[xxx]
### Spec Compliance:
- [x] Covers required behavior per [spec section]
- [ ] Missing: [specific requirement]
### Verdict: PASS / FAIL / PARTIAL
### Recommendations: [if any]
```

Example Valid ID Token

```json
{
  "iss": "https://server.example.com",
  "sub": "248289761001",
  "aud": "s6BhdRkqt3",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970
}
```


AI Quality Score

95/100, analyzed 2/12/2026

A highly detailed and structured guide for reviewing OIDC ID Tokens. It includes comprehensive checklists mapping claims to specific spec sections, validation rules, and a clear output template, making it extremely actionable for an AI agent.

Metadata

License: unknown
Version: -
Updated: 2/5/2026
Publisher: majiayu000

Tags

api, security, testing