Authorization in OCPP is the process by which a charging station verifies that a driver is allowed to charge. It sounds straightforward, but the full authorization flow — with local lists, caches, and offline fallback — has enough edge cases to warrant a dedicated test suite.
The basic online flow
When a driver presents an RFID card or app token, the charging station sends an Authorize request to the CSMS with the idTag. The CSMS responds with one of four statuses: Accepted, Blocked, Expired, or Invalid. The station allows or rejects the session accordingly.
This works when the CSMS is reachable. When it is not, the station needs a local fallback.
Local Authorization List
The Local Authorization List is a table of idTags and their authorization status stored on the charging station. When LocalAuthListEnabled is true and an idTag is present in the list, the station can authorize or reject the driver without a CSMS roundtrip — critical for sites with poor connectivity.
The CSMS manages the list via SendLocalList, using either a full replacement or a differential update. The station tracks a list version number so the CSMS can detect when a station is running a stale copy.
Local lists are a common source of subtle bugs: stale entries that were blocked in the CSMS but still Accepted locally, version conflicts after a partial update, and interactions with the authorization cache that produce inconsistent behaviour.
Authorization Cache
The authorization cache stores the results of recent online CSMS authorization responses. When the CSMS is unreachable, the station falls back to cached results for known idTags. The LocalPreAuthorize configuration key controls whether the station consults the cache before contacting the CSMS even when online.
Offline authorization configuration
Two configuration keys control what happens when the CSMS is offline:
- LocalAuthorizeOffline — when true, the station uses the local list and cache to authorize while disconnected. When false, all sessions are blocked during an outage.
- AllowOfflineTxForUnknownId — when true, an idTag not found in the local list or cache is still accepted while offline. When false, unknown tags are rejected regardless.
Testing the combinations
The full test matrix covers: idTag in local list (accepted), idTag in local list (blocked), idTag in cache only, idTag in neither — each tested both online and offline. Add LocalPreAuthorize variations and you have a meaningful set of scenarios that map directly to authorization bugs found in production CSMS deployments.
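The matrix above can be enumerated against a small reference model of the station's decision and used as the expected-result oracle for a test run. This is an added example, not code from SimIt or from the OCPP specification. The tag names, the sample CSMS, list, and cache contents, and the `decide` model (list entry takes priority over a cache entry, configuration keys behave as described above) are assumptions constructed for illustration.

```python
from itertools import product

# Constructed sample data: the CSMS view is the source of truth; STALE is Blocked
# in the CSMS but still Accepted in the station's local list.
CSMS = {"LIST_OK": "Accepted", "LIST_BLOCKED": "Blocked",
        "CACHE_ONLY": "Accepted", "STALE": "Blocked"}
LOCAL_LIST = {"LIST_OK": "Accepted", "LIST_BLOCKED": "Blocked", "STALE": "Accepted"}
CACHE = {"CACHE_ONLY": "Accepted"}
TAGS = ["LIST_OK", "LIST_BLOCKED", "CACHE_ONLY", "STALE", "UNKNOWN"]
KEYS = ["LocalPreAuthorize", "LocalAuthorizeOffline", "AllowOfflineTxForUnknownId"]

def decide(tag, online, cfg):
    """Return (allowed, source) for one presented idTag (assumed station model)."""
    if tag in LOCAL_LIST:            # assumption: list entry wins over cache entry
        status, source = LOCAL_LIST[tag], "local_list"
    elif tag in CACHE:
        status, source = CACHE[tag], "cache"
    else:
        status, source = None, "unknown"
    if online:
        # LocalPreAuthorize: a locally Accepted tag starts without asking the CSMS.
        if cfg["LocalPreAuthorize"] and status == "Accepted":
            return True, source
        return CSMS.get(tag, "Invalid") == "Accepted", "csms"
    if not cfg["LocalAuthorizeOffline"]:
        return False, "offline_disabled"   # all sessions blocked during an outage
    if status is None:
        return cfg["AllowOfflineTxForUnknownId"], "unknown"
    return status == "Accepted", source

def matrix():
    """Every tag x connectivity x configuration combination, one row each."""
    rows = []
    for tag, online, values in product(TAGS, (True, False),
                                       product((False, True), repeat=len(KEYS))):
        cfg = dict(zip(KEYS, values))
        allowed, source = decide(tag, online, cfg)
        rows.append({"tag": tag, "online": online, "cfg": cfg,
                     "allowed": allowed, "source": source})
    return rows

def over_permissive(rows):
    """Rows where the station allows charging but the CSMS would not accept."""
    return [r for r in rows
            if r["allowed"] and CSMS.get(r["tag"], "Invalid") != "Accepted"]

if __name__ == "__main__":
    for r in over_permissive(matrix()):
        on = [k for k, v in r["cfg"].items() if v]
        print(r["tag"], "online" if r["online"] else "offline", r["source"], on)
```

The rows returned by `over_permissive` are the ones worth asserting on first: they show which configuration combinations let a stale or unknown idTag start a session that the CSMS would have refused.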
SimIt supports local authorization list configuration, authorization cache simulation, and on-demand network disconnect, so you can exercise every authorization path against your CSMS.