Claude-skill-registry id-token-reviewer

Review test cases for ID Token validation. Covers ID Token structure, required/conditional claims, signature validation (RS256), and all validation rules per OIDC Core 1.0 Section 2 and 3.1.3.7.

Install

Source (clone the upstream repo):
git clone https://github.com/majiayu000/claude-skill-registry

Claude Code (install into ~/.claude/skills/):
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/id-token-reviewer" ~/.claude/skills/majiayu000-claude-skill-registry-id-token-reviewer && rm -rf "$T"

Manifest: skills/data/id-token-reviewer/SKILL.md

Source content

ID Token Test Case Reviewer

Review test cases for ID Token generation and validation in OpenID Connect Basic OP.

Scope

  • Feature: ID Token Claims and Signature
  • Specifications: OIDC Core 1.0 Section 2, 3.1.3.6, 3.1.3.7
  • Profile: Basic OP (Authorization Code Flow)

Review Process

  1. Identify which ID Token requirement the test targets
  2. Check against the checklist below
  3. Verify both valid and invalid token scenarios
  4. Ensure signature algorithm (RS256) is tested
  5. Report gaps with specific spec section references

ID Token Structure

Header.Payload.Signature

JOSE Header Requirements

| Field | Requirement | Example |
|---|---|---|
| alg | REQUIRED. Signing algorithm | RS256 |
| kid | RECOMMENDED. Key ID | 1e9gdk7 |
| typ | OPTIONAL. Type | JWT |

Required Claims Checklist

| Check | Claim | Requirement | Spec Reference |
|---|---|---|---|
| [ ] | iss | REQUIRED. Issuer Identifier (HTTPS URL, no query/fragment) | OIDC Core 2 |
| [ ] | sub | REQUIRED. Subject Identifier (max 255 ASCII chars) | OIDC Core 2 |
| [ ] | aud | REQUIRED. Audience (contains client_id) | OIDC Core 2 |
| [ ] | exp | REQUIRED. Expiration time | OIDC Core 2 |
| [ ] | iat | REQUIRED. Issued-at time | OIDC Core 2 |

Conditional Claims Checklist

| Check | Claim | Condition | Spec Reference |
|---|---|---|---|
| [ ] | nonce | REQUIRED if nonce was sent in the auth request | OIDC Core 3.1.3.6 |
| [ ] | auth_time | REQUIRED if max_age was requested or auth_time was requested as essential | OIDC Core 2 |
| [ ] | azp | REQUIRED if aud contains multiple values | OIDC Core 2 |
| [ ] | at_hash | OPTIONAL for code flow | OIDC Core 3.1.3.6 |

Signature Requirements

| Check | Requirement | Spec Reference |
|---|---|---|
| [ ] | ID Token MUST be a signed JWT | OIDC Core 2 |
| [ ] | Support RS256 algorithm (MANDATORY) | OIDC Core 15.1 |
| [ ] | alg header parameter present | OIDC Core 2 |
| [ ] | kid header parameter present if multiple keys are published | OIDC Core 10.1 |

Validation Rules (OP produces valid tokens)

| Check | Validation Rule | Spec Reference |
|---|---|---|
| [ ] | iss exactly matches OP's Issuer Identifier | OIDC Core 3.1.3.7 |
| [ ] | aud contains requesting client's client_id | OIDC Core 3.1.3.7 |
| [ ] | exp is in the future | OIDC Core 3.1.3.7 |
| [ ] | Signature verifiable with OP's public key | OIDC Core 3.1.3.7 |

Test Case Categories

Issuer (iss) Tests

  • Valid: iss matches configured OP issuer exactly
  • Invalid: iss adds query parameters
  • Invalid: iss adds fragment
  • Invalid: iss differs by trailing slash
  • Invalid: iss differs by scheme (http vs https)
  • Invalid: iss is missing

Audience (aud) Tests

  • Valid: aud equals client_id (string)
  • Valid: aud is an array containing client_id
  • Invalid: aud doesn't contain client_id
  • Invalid: aud is missing

Authorized Party (azp) Tests

  • Valid: Single aud, no azp required
  • Valid: Multiple aud, azp equals client_id
  • Warning: Multiple aud, azp missing
  • Invalid: azp present but doesn't match client_id

Expiration (exp) Tests

  • Valid: exp is in future
  • Valid: Small clock skew tolerance (typically 5 minutes)
  • Invalid: exp is in past
  • Invalid: exp is missing

Nonce Tests

  • Valid: nonce matches request nonce
  • Valid: No nonce in request, no nonce in token (code flow)
  • Invalid: nonce requested but missing in token
  • Invalid: nonce doesn't match request
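The iss, aud, azp, exp and nonce test categories above all exercise one claims validator. The following Go program is an added example written for this page, not code from the claude-skill-registry project, of a validator that applies those rules the way a test harness for an OP would check its output: exact string comparison for iss (so trailing slash, scheme and query differences fail), aud accepted as a string or an array, azp absence on a multi-valued aud reported as a warning rather than a failure (matching the list above), exp checked with an injected clock and a skew allowance, and nonce checked only when the request carried one. The issuer, client_id and nonce values are taken from the example ID Token at the end of this page; the fixed "now" timestamp is constructed so that token validates.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims holds the ID Token payload fields this check inspects. aud stays raw
// because OIDC permits either a single string or an array of strings.
type Claims struct {
	Iss   string          `json:"iss"`
	Sub   string          `json:"sub"`
	Aud   json.RawMessage `json:"aud"`
	Azp   string          `json:"azp"`
	Exp   *int64          `json:"exp"`
	Iat   *int64          `json:"iat"`
	Nonce string          `json:"nonce"`
}

// audList normalises aud into a slice for both permitted encodings.
func audList(raw json.RawMessage) ([]string, error) {
	if len(raw) == 0 {
		return nil, errors.New("aud missing")
	}
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(raw, &many); err != nil {
		return nil, errors.New("aud is neither a string nor an array of strings")
	}
	return many, nil
}

// ValidateClaims applies the OIDC Core 3.1.3.7 rules from the checklists above.
// It returns non-fatal warnings (the "Warning" cases) and the first hard failure.
// now and skew are injected so the outcome is deterministic and testable.
func ValidateClaims(payload []byte, issuer, clientID, requestNonce string, now time.Time, skew time.Duration) ([]string, error) {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("payload is not JSON: %w", err)
	}
	if c.Iss == "" {
		return nil, errors.New("iss missing")
	}
	// Exact string match: a trailing slash, http vs https, or a query string all fail here.
	if c.Iss != issuer {
		return nil, fmt.Errorf("iss %q does not match issuer %q", c.Iss, issuer)
	}
	if c.Sub == "" || len(c.Sub) > 255 {
		return nil, errors.New("sub missing or longer than 255 characters")
	}
	auds, err := audList(c.Aud)
	if err != nil {
		return nil, err
	}
	found := false
	for _, a := range auds {
		found = found || a == clientID
	}
	if !found {
		return nil, errors.New("aud does not contain client_id")
	}
	var warnings []string
	if len(auds) > 1 && c.Azp == "" {
		warnings = append(warnings, "aud has multiple values but azp is absent")
	}
	if c.Azp != "" && c.Azp != clientID {
		return nil, errors.New("azp does not match client_id")
	}
	if c.Exp == nil {
		return nil, errors.New("exp missing")
	}
	// Accept a token whose exp is at most skew in the past (clock tolerance).
	if time.Unix(*c.Exp, 0).Add(skew).Before(now) {
		return nil, errors.New("exp is in the past beyond the clock skew tolerance")
	}
	if c.Iat == nil {
		return nil, errors.New("iat missing")
	}
	if requestNonce != "" && c.Nonce != requestNonce {
		return nil, errors.New("nonce missing or does not match the request")
	}
	return warnings, nil
}

func main() {
	// Constructed from the example ID Token at the end of this page; "now" is
	// fixed shortly before its exp so the sample validates.
	payload := []byte(`{"iss":"https://server.example.com","sub":"248289761001","aud":"s6BhdRkqt3","nonce":"n-0S6_WzA2Mj","exp":1311281970,"iat":1311280970}`)
	now := time.Unix(1311281000, 0)
	warnings, err := ValidateClaims(payload, "https://server.example.com", "s6BhdRkqt3", "n-0S6_WzA2Mj", now, 5*time.Minute)
	fmt.Println("valid token  -> warnings:", warnings, "error:", err)
	_, err = ValidateClaims(payload, "https://server.example.com/", "s6BhdRkqt3", "n-0S6_WzA2Mj", now, 5*time.Minute)
	fmt.Println("trailing slash ->", err)
}
```

A reviewer can feed each "Invalid" bullet above through ValidateClaims as a table-driven test and confirm that every one produces a non-nil error while the "Warning" case produces only a warning; the injected clock is what makes the exp cases repeatable.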

Signature Tests

  • Valid: RS256 signature verifies with OP's public key
  • Valid: Retrieve key via kid from JWKS
  • Invalid: Signature doesn't verify
  • Invalid: Unknown kid
  • Invalid: Algorithm mismatch
  • Invalid: alg is none when signature required
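The signature test list above needs a verifier that selects the key by kid, pins the algorithm to RS256 and refuses alg "none" before any signature bytes are examined. The Go program below is an added example written for this page, not code from the claude-skill-registry project or any OP implementation. It uses only the standard library: an in-memory map stands in for the OP's JWKS, the RSA key pair is generated at run time, the kid value 1e9gdk7 is taken from the JOSE header table above, and signRS256 exists solely to build the fixtures (valid token, unknown kid, tampered payload, alg "none", algorithm mismatch) so that every case in the list can be run offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// header is the JOSE header subset the verifier inspects.
type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid,omitempty"`
}

var b64 = base64.RawURLEncoding

// compact assembles header.payload.signature; sig may be nil (an alg:none token).
func compact(h header, payload, sig []byte) string {
	hdr, _ := json.Marshal(h)
	return b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload) + "." + b64.EncodeToString(sig)
}

// signRS256 builds a token the way an OP signer would: SHA-256 over the
// signing input, RSASSA-PKCS1-v1_5 with the private key. Fixture-only here.
func signRS256(key *rsa.PrivateKey, kid string, payload []byte) (string, error) {
	h := header{Alg: "RS256", Kid: kid}
	unsigned := compact(h, payload, nil) // "header.payload." with an empty signature
	digest := sha256.Sum256([]byte(strings.TrimSuffix(unsigned, ".")))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return compact(h, payload, sig), nil
}

// VerifyRS256 returns the raw payload only if alg is RS256, kid is in the key
// set and the signature verifies; jwks stands in for the OP's published JWKS.
func VerifyRS256(token string, jwks map[string]*rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a three-part compact JWT")
	}
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var h header
	if err := json.Unmarshal(rawHdr, &h); err != nil {
		return nil, err
	}
	// The verifier fixes the algorithm; "none" or anything else is rejected
	// before the signature bytes are looked at.
	if h.Alg != "RS256" {
		return nil, fmt.Errorf("alg %q rejected, RS256 required", h.Alg)
	}
	pub, ok := jwks[h.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", h.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	return b64.DecodeString(parts[1])
}

// Scenarios runs the Signature Tests list against VerifyRS256 and maps each
// case name to its verification error (nil means the token was accepted).
func Scenarios() (map[string]error, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	jwks := map[string]*rsa.PublicKey{"1e9gdk7": &key.PublicKey} // constructed key set
	payload := []byte(`{"iss":"https://server.example.com","sub":"248289761001","aud":"s6BhdRkqt3"}`)
	good, err := signRS256(key, "1e9gdk7", payload)
	if err != nil {
		return nil, err
	}
	unknownKid, _ := signRS256(key, "retired-key", payload)
	parts := strings.Split(good, ".")
	tampered := parts[0] + "." + b64.EncodeToString([]byte(`{"sub":"someone-else"}`)) + "." + parts[2]
	cases := map[string]string{
		"valid":         good,
		"unknown_kid":   unknownKid,
		"bad_signature": tampered,
		"alg_none":      compact(header{Alg: "none", Kid: "1e9gdk7"}, payload, nil),
		"alg_mismatch":  compact(header{Alg: "HS256", Kid: "1e9gdk7"}, payload, []byte("mac-not-rsa")),
	}
	results := map[string]error{}
	for name, tok := range cases {
		_, results[name] = VerifyRS256(tok, jwks)
	}
	return results, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, verr := range results {
		fmt.Printf("%-14s -> %v\n", name, verr)
	}
}
```

The order of checks is the point worth reviewing in any OP test suite: algorithm pinning comes first, key lookup by kid second, and only then is the signature computed over the exact base64url header and payload segments as received, never over a re-serialised copy.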

Review Output Format

## Test Case: [Name]
### Target Feature: ID Token - [specific aspect]
### Test ID: OP-IDToken-[xxx]
### Spec Compliance:
- [x] Covers required behavior per [spec section]
- [ ] Missing: [specific requirement]
### Verdict: PASS / FAIL / PARTIAL
### Recommendations: [if any]

Example Valid ID Token

{
  "iss": "https://server.example.com",
  "sub": "248289761001",
  "aud": "s6BhdRkqt3",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970
}