Test Case Overview

OAuch's main goal is to analyze the compliance of an authorization server with the OAuth standards to uncover unmitigated threats and point out security improvements. OAuch tests an authorization server using a large set of test cases to check an authorization server's compliance with the security specifications defined in the original OAuth 2.0 standard, as well as other documents that refine the security assumptions and requirements. These documents include the OAuth threat model, the Security Best Current Practices, and others. In addition to OAuth, OAuch also supports OpenID Connect providers.

This page lists all the test cases that are implemented in OAuch. Note that not all test cases are run for every test run. OAuch automatically detects the supported features of the authorization server, and only executes the relevant test cases. The test cases are grouped into categories that refer to the OAuth infrastructure they apply to. Test cases with the same name but in different categories, are distinct (but similar) test cases.

Document Support (10 tests)

• Does the server support Form Post response mode (FormPostSupported)
• Is OpenID Connect supported (OpenIdSupported)
• Does the server support RFC6749 (OAuth authorization framework) (RFC6749Supported)
• Does the server support RFC6750 (bearer token usage) (RFC6750Supported)
• Does the server support RFC6819 (OAuth threat model) (RFC6819Supported)
• Does the server support RFC7009 (token revocation) (RFC7009Supported)
• Does the server support RFC7523 (JWT authentication) (RFC7523Supported)
• Does the server support RFC7636 (PKCE) (RFC7636Supported)
• Does the server support RFC8628 (device grant) (RFC8628Supported)
• Does the server support RFC8705 (mTLS) (RFC8705Supported)

Feature Support (19 tests)

• Is the authorization code grant supported (CodeFlowSupported)
• Is the hybrid grant (response type = 'code token') supported (CodeTokenFlowSupported)
• Is the hybrid grant (response type = 'code id_token') supported (CodeIdTokenFlowSupported)
• Is the hybrid grant (response type = 'code id_token token') supported (CodeIdTokenTokenFlowSupported)
• Can signatures be verified (CanSignatureBeVerified)
• Is the client credentials grant supported (ClientCredentialsFlowSupported)
• Is the device authorization grant supported (DeviceFlowSupported)
• Are access token supported (HasAccessTokens)
• Are JWT access token used (HasJwtAccessTokens)
• Are refresh tokens supported (HasRefreshTokens)
• Is at least one grant type supported (HasSupportedFlows)
• Is the implicit grant (response type = 'token') supported (TokenFlowSupported)
• Is the implicit grant (response type = 'id_token token') supported (IdTokenTokenFlowSupported)
• Is the implicit grant (response type = 'id_token') supported (IdTokenFlowSupported)
• Are deprecated TLS versions supported on the OAuth endpoints (IsDeprecatedTlsSupported)
• Is the password grant supported (PasswordFlowSupported)
• Does the server support plain PKCE (PlainPkce)
• Is the test URI working (TestUriSupported)
• Can the token be passed via the query (TokenAsQueryParameter)

Authorization Endpoint (21 tests)

• Does the server attach a fragment (FragmentFix)
• Authorization page has Content Security Policy (HasContentSecurityPolicy)
• Does the authorization URL have a fragment (HasFragment)
• Authorization page has X-Frame-Options header (HasFrameOptions)
• Trusted authorization certificate (HasValidCertificate)
• Does the authorization server automatically redirect the user-agent to the invalid redirection URI (InvalidRedirect)
• Is HTTPS required at the authorization endpoint (IsHttpsRequired)
• Does the authorization server support a modern version of TLS (IsModernTlsSupported)
• Does the authorization server check the response type (IsResponseTypeChecked)
• Is the nonce parameter required (NonceRequired)
• Does the authorization server exactly match the full redirect uri (RedirectUriFullyMatched)
• Does the authorization server exactly match the hostname and path of the redirect uri (RedirectUriPathMatched)
• Does the authorization server require the redirect uri (RedirectUriRequired)
• Does the server suppress the referrer (ReferrerPolicyEnforced)
• Does the implicit flow grant refresh tokens (RefreshTokenPresent)
• Is consent required (RequireUserConsent)
• Does the authorization server allow multiple instances of the same parameter (SameParameterTwiceDisallowed)
• Is the state parameter present in the authorization response (StatePresent)
• Does the server support POST authentication requests (SupportsPostAuthorizationRequests)
• Does the server support Post Form response mode (SupportsPostResponseMode)
• Does the authorization server ignore unrecognized parameters (UnrecognizedParameterAllowed)

Token Endpoint (27 tests)

• Do authorization codes have a short timeout (AuthorizationCodeTimeout)
• Is the client secret secure (128 bits) (ClientSecretEntropyMinReq)
• Is the client secret secure (160 bits) (ClientSecretEntropySugReq)
• Is cache control header present (HasCacheControlHeader)
• Is pragma header present (HasPragmaHeader)
• Trusted token certificate (HasValidCertificate)
• Is the active refresh token revoked after a multi-exchange (InvalidatedRefreshToken)
• Does the server support asymmetric client authentication (IsAsymmetricClientAuthenticationUsed)
• Are authentication parameters in the URI allowed (IsAuthInUriAllowed)
• Is basic authentication supported (IsBasicAuthenticationSupported)
• Is client authentication required (IsClientAuthenticationRequired)
• Is client id required (IsClientIdRequired)
• Is the authorization code bound to the client (IsCodeBoundToClient)
• Does the token server support GET requests (IsGetSupported)
• Is HTTPS required at the token endpoint (IsHttpsRequired)
• Does the token server support a modern version of TLS (IsModernTlsSupported)
• Is the password flow disabled (IsPasswordFlowDisabled)
• Is refresh authentication required (IsRefreshAuthenticationRequired)
• Is the refresh token bound to a client (IsRefreshBoundToClient)
• Can codes be exchanged multiple times (MultipleCodeExchanges)
• Is the redirect URI checked when exchanging a code (RedirectUriChecked)
• Does the client credentials flow grant refresh tokens (RefreshTokenPresent)
• Is the refresh token revoked after use (RefreshTokenRevokedAfterUse)
• Does the token endpoint allow multiple instances of the same parameter (SameParameterTwiceDisallowed)
• Are tokens invalidated after exchanging the same code multiple times (TokenValidAfterMultiExchange)
• Does the token endpoint ignore unrecognized parameters (UnrecognizedParameterAllowed)
• Is refresh token rotation used (UsesTokenRotation)

Device Authorization Endpoint (5 tests)

• Trusted device authorization certificate (HasValidCertificate)
• Is HTTPS required at the device authorization endpoint (IsHttpsRequired)
• Does the device authorization server support a modern version of TLS (IsModernTlsSupported)
• Does the device authorization server allow multiple instances of the same parameter (SameParameterTwiceDisallowed)
• Does the device authorization server ignore unrecognized parameters (UnrecognizedParameterAllowed)

API Endpoint (6 tests)

• Is Cache-Control header sent when the access token is used in the URI (CacheControl)
• Trusted API certificate (HasValidCertificate)
• Is HTTPS required at the API endpoint (IsHttpsRequired)
• Does the API server support a modern version of TLS (IsModernTlsSupported)
• Is the authorization header supported (SupportsAuthorizationHeader)
• Can the token be passed via the query (TokenAsQueryParameterDisabled)

Access and Refresh Tokens (8 tests)

• Are the access tokens secure (128 bits) (AccessTokenEntropyMinReq)
• Are the access tokens secure (160 bits) (AccessTokenEntropySugReq)
• Are the authorization codes secure (128 bits) (AuthorizationCodeEntropyMinReq)
• Are the authorization codes secure (160 bits) (AuthorizationCodeEntropySugReq)
• Are the device codes secure (128 bits) (DeviceCodeEntropy)
• Are the refresh tokens secure (128 bits) (RefreshTokenEntropyMinReq)
• Are the refresh tokens secure (160 bits) (RefreshTokenEntropySugReq)
• Do access tokens have a short timeout (TokenTimeout)

Identity Tokens (14 tests)

• Is the client secret long enough (ClientSecretLongEnough)
• Is the c_hash claim correct (CodeHashValid)
• Is the token authorized party set correctly (HasAuthorizedParty)
• Is the 'azp' claim present for multiple audiences (HasAzpForMultiAudience)
• Is the token audience set (HasCorrectAudience)
• Is the token issuer set (HasCorrectIssuer)
• Is the token mac correct (HasCorrectMac)
• Are all required required claims present (HasRequiredClaims)
• Is the at_hash claim correct (IsAccessTokenHashCorrect)
• Is the at_hash claim present (IsAccessTokenHashPresent)
• Is the c_hash claim present (IsAuthorizationCodeHashPresent)
• Is the ID token signed (IsSigned)
• Are references to keys communicated using discovery and registration parameters (KeyReferences)
• Is the nonce present in the ID token (NoncePresentInToken)

JWTs (11 tests)

• Does the API server accept JWT tokens without a signature (AcceptsNoneSignature)
• Is JWT audience checked (HasAudienceClaim)
• Is JWT issuer checked (HasIssuerClaim)
• Is JWT subject checked (HasSubjectClaim)
• Is JWT expiration checked (IsExpirationChecked)
• Is JWT 'issued at' checked (IsIssuedAtChecked)
• Are replayed JWT's detected (IsJwtReplayDetected)
• Is JWT 'not before' checked (IsNotBeforeChecked)
• Is the JWT signature checked (IsSignatureChecked)
• Is a JWT signature required (IsSignatureRequired)
• Is JWT authentication implemented (SupportsJwtClientAuthentication)

PKCE (6 tests)

• Does the server support hashed PKCE (HashedPkceDisabled)
• Is PKCE downgrade detected (authorization request) (IsPkceDowngradeDetected)
• Is PKCE implemented (IsPkceImplemented)
• Is PKCE downgrade detected (token request) (IsPkcePlainDowngradeDetected)
• Does the server require PKCE (IsPkceRequired)
• Are insecure code verifiers rejected (ShortVerifier)

Revocation (8 tests)

• Are refresh tokens revoked after access token revocation (AccessRevokesRefresh)
• Can access tokens be revoked (CanAccessTokensBeRevoked)
• Can refresh tokens be revoked (CanRefreshTokensBeRevoked)
• Is revocation bound to a specific client (IsBoundToClient)
• Does revocation require client authentication (IsClientAuthRequired)
• Does the revocation endpoint support a modern version of TLS (IsModernTlsSupported)
• Is the revocation endpoint secure (IsRevocationEndpointSecure)
• Are access tokens revoked after refresh token revocation (RefreshRevokesAccess)