02-27, 12:00–12:30 (UTC), Side room 1
The talk describes research on conformance tests and vulnerability tests for OAuth2/OIDC and their related specifications, used to confirm that a product supporting these specifications is secure. The audience can gain insight into how to check that such a product is secure.
To securely deploy a product that supports OAuth2/OIDC and their associated security specifications into commercial services, we need to ensure that the product is implemented according to the specifications. To confirm that, we need to perform conformance tests for the specifications on the product and ensure that the product passes the conformance tests.
Some security specifications have conformance tests provided by their standardization body (e.g., the OpenID Foundation provides conformance tests for OpenID Connect and the FAPI security profiles), while others have none. If no conformance tests are available for a specification, how can we be sure that a product implementing it is actually compliant? This is the first issue.
Even if a product is confirmed to be compliant with the security specifications, this does not necessarily mean that the product is free from vulnerabilities. Therefore, we also need to scan the product with a vulnerability scanner. However, commonly available scanners may not be able to detect vulnerabilities specific to OAuth2/OIDC and their related specifications. This is the second issue.
To address these issues, I would like to explain academic research on conformance tests and vulnerability tests for OAuth2/OIDC and their related specifications, used to confirm that a product supporting such specifications is secure. Audience members facing these issues can gain insight into how to confirm that their product is secure.
Takashi Norimatsu, Senior OSS Specialist at Hitachi, Ltd., is a maintainer of Keycloak, an open-source identity and access management system. He has implemented and contributed security features such as the FAPI security profiles and W3C Web Authentication (WebAuthn) API support. He leads the Keycloak community's "OAuth SIG" (formerly FAPI-SIG) as Tech Lead, bringing OAuth/OIDC and related security features to Keycloak. He has experience building high-security banking API systems.