IAM Profile Conformance

Executable checks for canon/standards/iam-profile_v0.2.md.

Runtime dependency: Python 3.11+ with cryptography. Fixture tests also require pytest.

Run a full check against a real issuer with a freshly minted access token:

python3 tools/iam-profile-conformance/iam_profile_conformance.py \
  --issuer https://id.example.net/realms/platform \
  --audience my-service \
  --access-token "$(cat token.jwt)" \
  --client-id iam-profile-conformance \
  --redirect-uri http://localhost/callback \
  --environment production

The PKCE probe sends an authorization request without a code_challenge; a conforming issuer rejects it. Use a dedicated public test client for this check.
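A sketch of the probe logic described above, as an added example that is not the tool's own code: it builds a request with no code_challenge and classifies the issuer's unfollowed response. The function names and the three outcome labels are assumptions made for this illustration; the `invalid_request` error is the one RFC 7636 section 4.4.1 specifies for a missing challenge.

```python
from urllib.parse import parse_qs, urlencode, urlsplit


def build_probe_url(authorization_endpoint, client_id, redirect_uri, state):
    """Authorization code request that deliberately omits code_challenge."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def classify_probe_response(status, location, redirect_uri, state):
    """Classify one unfollowed response: 'rejected', 'not-enforced' or 'inconclusive'."""
    if status not in (302, 303) or not location:
        # A login form or a bare error page does not say which parameter was refused.
        return "inconclusive"
    got, want = urlsplit(location), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        return "inconclusive"  # redirect to a login or consent page, not to the client
    params = parse_qs(got.query)
    if params.get("state") != [state]:
        return "inconclusive"  # not an answer to this probe
    if "code" in params:
        return "not-enforced"  # a code was issued with no code_challenge
    if params.get("error") == ["invalid_request"]:
        return "rejected"  # RFC 7636 section 4.4.1 error for a missing challenge
    return "inconclusive"  # refused, but for some other reason


if __name__ == "__main__":
    # Constructed sample: the endpoint path and state value are placeholders.
    redirect = "http://localhost/callback"
    print(build_probe_url("https://id.example.net/realms/platform/authorize",
                          "iam-profile-conformance", redirect, "probe-1"))
    print(classify_probe_response(
        302, redirect + "?error=invalid_request&state=probe-1", redirect, "probe-1"))
```

An issuer that evaluates PKCE only after login answers an unauthenticated probe with a login redirect, which this sketch reports as inconclusive; that outcome should not be counted as a pass.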

For discovery-only smoke checks:

python3 tools/iam-profile-conformance/iam_profile_conformance.py \
  --issuer https://id.example.net/realms/platform \
  --audience my-service \
  --discovery-only \
  --skip-pkce-probe

Run fixture tests:

python3 -m pytest tools/iam-profile-conformance/tests