OAuch's main goal is to analyze the compliance of an authorization server with the OAuth standards to uncover unmitigated threats and point out security improvements. OAuch tests an authorization server using a large set of test cases to check an authorization server's compliance with the security specifications defined in the original OAuth 2.0 standard, as well as other documents that refine the security assumptions and requirements. These documents include the OAuth threat model, the Security Best Current Practices, and others. In addition to OAuth, OAuch also supports OpenID Connect providers.
This page lists all the test cases that are implemented in OAuch. Note that not all test cases are run for every test run. OAuch automatically detects the supported features of the authorization server, and only executes the relevant test cases. The test cases are grouped into categories that refer to the OAuth infrastructure they apply to. Test cases with the same name but in different categories, are distinct (but similar) test cases.
Document Support (10 tests)
Feature Support (19 tests)
Token Endpoint (30 tests)
Device Authorization Endpoint (5 tests)
Access and Refresh Tokens (9 tests)
Identity Tokens (15 tests)
JWTs (11 tests)
PKCE (8 tests)
Revocation (8 tests)
Concurrency (5 tests)
Authorization Endpoint (26 tests)
API Endpoint (8 tests)