From 4f3bcb27017a1ba2a806dec0fa2cba5d245e8481 Mon Sep 17 00:00:00 2001 
From: Christine Duong Date: Mon, 30 Jun 2025 06:25:27 -0400 Subject: [PATCH 01/13] Attestation tests --- lib/udap_security_test_kit.rb | 2 + lib/udap_security_test_kit/client_suite.rb | 3 + ...ecurity-test-kit_requirements_coverage.csv | 317 ++++++++++++++++++ .../client/authorization_code_usage_test.rb | 45 +++ ...b2b_authorization_extension_object_test.rb | 136 ++++++++ .../client_security_csrf_protection_test.rb | 101 ++++++ .../idp_supports_required_scopes_test.rb | 40 +++ .../client/jti_reuse_prevention_test.rb | 42 +++ .../client/metadata_interpretation_test.rb | 45 +++ .../preferred_identity_provider_test.rb | 45 +++ .../client/private_key_authentication_test.rb | 43 +++ ...opes_identity_provider_interaction_test.rb | 101 ++++++ .../software_statement_registration_test.rb | 71 ++++ .../token_request_authentication_test.rb | 45 +++ .../trust_community_query_parameters_test.rb | 41 +++ .../client/validation_confidentiality_test.rb | 71 ++++ .../client_attestation_group.rb | 39 +++ ...authorization_code_token_requests_group.rb | 15 + .../access_token_lifetime_test.rb | 40 +++ .../access_token_request_validation_test.rb | 51 +++ .../authorization_code_usage_test.rb | 45 +++ .../dynamic_client_registration_group.rb | 15 + .../certification_handling_test.rb | 45 +++ .../client_id_modification_test.rb | 40 +++ ...mic_client_registration_validation_test.rb | 48 +++ .../server/error_handling_group.rb | 19 ++ .../invalid_id_token_test.rb | 40 +++ .../invalid_redirection_uri_test.rb | 40 +++ .../state_mismatch_test.rb | 40 +++ .../unauthenticated_user_test.rb | 40 +++ .../valid_state_error_response_test.rb | 40 +++ .../id_token_access_token_validation_group.rb | 18 + .../access_token_validation_test.rb | 44 +++ .../id_token_validation_test.rb | 44 +++ .../token_response_validation_test.rb | 45 +++ .../identity_provider_interaction_group.rb | 17 + .../idp_authentication_request_test.rb | 40 +++ .../idp_dynamic_registration_test.rb | 42 +++ 
.../idp_metadata_validation_test.rb | 42 +++ .../idp_token_exchange_test.rb | 40 +++ .../metadata_server_capabilities_group.rb | 19 ++ ..._authorization_extensions_required_test.rb | 40 +++ .../udap_community_parameter_support_test.rb | 40 +++ ...p_metadata_endpoint_error_handling_test.rb | 40 +++ .../udap_metadata_representation_test.rb | 40 +++ .../udap_profiles_supported_test.rb | 40 +++ ...d_connect_authentication_requests_group.rb | 13 + ...uthentication_request_construction_test.rb | 53 +++ .../authentication_request_validation_test.rb | 60 ++++ .../server/security_measures_group.rb | 13 + .../csrf_protection_test.rb | 42 +++ .../unauthenticated_client_security_test.rb | 42 +++ .../server_attestation_group.rb | 29 ++ 53 files changed, 2508 insertions(+) create mode 100644 lib/udap_security_test_kit/requirements/generated/udap-security-test-kit_requirements_coverage.csv create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/client/authorization_code_usage_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb create mode 100644 
lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb create mode 100644 
lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb create mode 100644 
lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb create mode 100644 
lib/udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group.rb
diff --git a/lib/udap_security_test_kit.rb b/lib/udap_security_test_kit.rb
index 540724f..49cfe14 100644
--- a/lib/udap_security_test_kit.rb
+++ b/lib/udap_security_test_kit.rb
@@ -3,6 +3,7 @@
 require_relative 'udap_security_test_kit/client_credentials_group'
 require_relative 'udap_security_test_kit/redirect_uri'
 require_relative 'udap_security_test_kit/metadata'
+require_relative 'udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group'
 
 module UDAPSecurityTestKit
 class Suite < Inferno::TestSuite
@@ -93,5 +94,6 @@ class Suite < Inferno::TestSuite
 
 group from: :udap_authorization_code_group
 group from: :udap_client_credentials_group
+ group from: :udap_server_v100_visual_inspection_and_attestation
 end
 end
diff --git a/lib/udap_security_test_kit/client_suite.rb b/lib/udap_security_test_kit/client_suite.rb
index 922d680..4a23736 100644
--- a/lib/udap_security_test_kit/client_suite.rb
+++ b/lib/udap_security_test_kit/client_suite.rb
@@ -8,6 +8,7 @@
 require_relative 'client_suite/registration_cc_group'
 require_relative 'client_suite/access_ac_group'
 require_relative 'client_suite/access_cc_group'
+require_relative 'visual_inspection_and_attestation/client_attestation_group'
 
 module UDAPSecurityTestKit
 class UDAPSecurityClientTestSuite < Inferno::TestSuite
@@ -113,5 +114,7 @@ class UDAPSecurityClientTestSuite < Inferno::TestSuite
 required_suite_options: {
 client_type: UDAPClientOptions::UDAP_CLIENT_CREDENTIALS
 }
+
+ group from: :udap_client_v100_visual_inspection_and_attestation
 end
 end
diff --git a/lib/udap_security_test_kit/requirements/generated/udap-security-test-kit_requirements_coverage.csv b/lib/udap_security_test_kit/requirements/generated/udap-security-test-kit_requirements_coverage.csv
new file mode 100644
index 0000000..d629016
--- /dev/null
+++ b/lib/udap_security_test_kit/requirements/generated/udap-security-test-kit_requirements_coverage.csv
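Review bot: The new `group from: :udap_client_v100_visual_inspection_and_attestation` in the second client_suite.rb hunk is added with no `required_suite_options:` gate, whereas the group immediately above it is restricted to `client_type: UDAPClientOptions::UDAP_CLIENT_CREDENTIALS`, so the attestation group will be listed for every client type the suite offers. If that is the intent, a one-line comment such as `# Attestation group applies to every client_type; not gated like the groups above` on the new line would make it explicit; if not, it needs a `required_suite_options:` block matching the preceding groups. Whether the attestation tests are genuinely client-type-agnostic cannot be judged from this hunk, since client_attestation_group.rb is not in view, and the enclosing class definition begins outside the hunk. The same question applies, to a lesser degree, to the unconditional `group from: :udap_server_v100_visual_inspection_and_attestation` added to the server Suite in the udap_security_test_kit.rb hunk.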
@@ -0,0 +1,317 @@ +Req Set,ID,URL,Requirement,Conformance,Actor,Sub-Requirement(s),Conditionality,UDAP Security Server Short ID(s),UDAP Security Server Full ID(s),UDAP Security Client Short ID(s),UDAP Security Client Full ID(s) +hl7.fhir.us.udap-security_1.0.0_reqs,1,https://hl7.org/fhir/us/udap-security/STU1/#general-requirements-and-serialization,All JSON Web Tokens (JWTs) defined in this [UDAP] guide: SHALL conform to the mandatory requirements of [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519).,SHALL,"Server, Client",,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents","1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" +hl7.fhir.us.udap-security_1.0.0_reqs,2,https://hl7.org/fhir/us/udap-security/STU1/#general-requirements-and-serialization,All JSON Web Tokens (JWTs) defined in this [UDAP] guide: ... 
SHALL be JSON Web Signatures conforming to the mandatory requirements of [RFC 7515](https://datatracker.ietf.org/doc/html/rfc7515).,SHALL,"Server, Client",,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents","1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" +hl7.fhir.us.udap-security_1.0.0_reqs,3,https://hl7.org/fhir/us/udap-security/STU1/#general-requirements-and-serialization,All JSON Web Tokens (JWTs) defined in this [UDAP] guide: ... SHALL be serialized using JWS Compact Serialization as per [Section 7.1](https://datatracker.ietf.org/doc/html/rfc7515#section-7.1) of RFC 7515.,SHALL,"Server, Client",,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents","1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" +hl7.fhir.us.udap-security_1.0.0_reqs,4,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,Implementations supporting the UDAP workflows defined in this guide **SHALL** support `RS256` [as defined in [RFC 
7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)].,SHALL,"Server, Client",,,"1.1.13, 1.1.15, 2.1.13, 2.1.15","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_token_endpoint_auth_signing_alg_values_supported_field, udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_reg_endpoint_jwt_signing_alg_values_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_token_endpoint_auth_signing_alg_values_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_reg_endpoint_jwt_signing_alg_values_supported_field","","" +hl7.fhir.us.udap-security_1.0.0_reqs,5,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,Implementations **SHOULD** support `ES256`[as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)],SHOULD,"Server, Client",,,,,, +hl7.fhir.us.udap-security_1.0.0_reqs,6,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,[Implementations] **MAY** support `ES384` and/or `RS384` [as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)].,MAY,"Server, Client",,,,,, +hl7.fhir.us.udap-security_1.0.0_reqs,7,https://hl7.org/fhir/us/udap-security/STU1/#jwt-headers,All JWTs defined in this [UDAP] guide SHALL contain a Javascript Object Signing and Encryption (JOSE) header as defined in [Section 4](https://datatracker.ietf.org/doc/html/rfc7515#section-4) of RFC 7515 [where] JWT header value`alg` [is] `required`A string identifying the signature algorithm used to sign the JWT ,SHALL,"Server, Client",,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents","1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, 
udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" +hl7.fhir.us.udap-security_1.0.0_reqs,8,https://hl7.org/fhir/us/udap-security/STU1/#jwt-headers,"All JWTs defined in this [UDAP] guide SHALL contain a Javascript Object Signing and Encryption (JOSE) header as defined in [Section 4](https://datatracker.ietf.org/doc/html/rfc7515#section-4) of RFC 7515 [where] JWT header value `x5c`[is] `required`. An array of one or more strings containing the X.509 certificate or certificate chain, where the leaf certificate corresponds to the key used to digitally sign the JWT. Each string in the array is the base64-encoded DER representation of the corresponding certificate, with the leaf certificate appearing as the first (or only) element of the array.",SHALL,"Server, Client",,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents","1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" +hl7.fhir.us.udap-security_1.0.0_reqs,9,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,A FHIR Server **SHALL** make its Authorization Server’s authorization ... endpoints ... 
available for discovery by client applications.,SHALL,Server,,,"1.1.10, 2.1.10","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_authorization_endpoint_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_authorization_endpoint_field",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,10,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints," + +A FHIR Server **SHALL** make its Authorization Server’s ... token ... endpoints ... available for discovery by client applications.",SHALL,Server,,,"1.1.11, 2.1.11","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_token_endpoint_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_token_endpoint_field",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,11,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints," +A FHIR Server **SHALL** make its Authorization Server’s ... registration endpoints ... available for discovery by client applications.",SHALL,Server,,,"1.1.14, 2.1.14","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_registration_endpoint_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_registration_endpoint_field",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,12,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,A FHIR Server **SHALL** make its Authorization Server’s ... 
associated metadata available for discovery by client applications.,SHALL,Server,,,"1.1.01, 2.1.01","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_well_known_endpoint, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_well_known_endpoint",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,13,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints," +Servers **SHALL** allow access to the following metadata URL to unregistered client applications ..., where {baseURL} represents the base FHIR URL for the FHIR server: {baseURL}/.well-known/udap",SHALL,Server,,,"1.1.01, 2.1.01","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_well_known_endpoint, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_well_known_endpoint",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,14,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,"Servers **SHALL** allow access to the following metadata URL ... 
without requiring client authentication, where {baseURL} represents the base FHIR URL for the FHIR server: {baseURL}/.well-known/udap",SHALL,Server,,,"1.1.01, 2.1.01","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_well_known_endpoint, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_well_known_endpoint",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,15,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints," +UDAP metadata **SHALL** be structured as a JSON object as per section 1 of [UDAP Server Metadata](https://www.udap.org/udap-server-metadata-stu1.html#section-1) and discussed further in [Section 2.2](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata).",SHALL,Server,,,"1.1, 2.1","udap_security-udap_authorization_code_group-auth_code_discovery_group, udap_security-udap_client_credentials_group-auth_code_discovery_group",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,16,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints," + +If a server returns a `404 Not Found` response to a `GET` request to the UDAP metadata endpoint, the client application SHOULD conclude that the server does not support UDAP workflows.",SHOULD,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,17,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,"Servers conforming to this guide are generally expected, but not required, to also support the HL7 SMART App Launch Framework, which defines additional discovery and metadata requirements.",SHOULD,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,18,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,The metadata returned from the UDAP metadata endpoint … SHALL represent the server’s capabilities with respect to the UDAP workflows described in this guide.,SHALL,Server,,,,,NA,NA 
+hl7.fhir.us.udap-security_1.0.0_reqs,19,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata," +If no UDAP workflows are supported, the server SHALL return a `404 Not Found` response to the metadata request.",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,20,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"For elements that are represented by JSON arrays, clients SHALL interpret an empty array value to mean that the corresponding capability is NOT supported by the server.",SHALL,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,21,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[F]or the workflows defined in this guide, client applications SHALL use the applicable values returned in a server’s UDAP metadata.",SHALL,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,22,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_versions_supported` [element is] required [and SHALL be] A fixed array with one string element: [""1""]",SHALL,Server,,,"1.1.02, 2.1.02","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_versions_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_versions_supported_field",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,23,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_profiles_supported` [element is] required +[and SHALL contain a]n array of two or more strings identifying the core UDAP profiles supported by the Authorization Server.",SHALL,Server,,,"1.1.04, 2.1.04","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_profiles_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_profiles_supported_field",NA,NA 
+hl7.fhir.us.udap-security_1.0.0_reqs,24,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata," [When returning UDAP metadata, the] `udap_profiles_supported` [element] array SHALL include ... ""udap_dcr"" … [when the server supports] UDAP Dynamic Client Registration",SHALL,Server,,true,"1.1.04, 2.1.04","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_profiles_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_profiles_supported_field",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,25,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata," [When returning UDAP metadata, the] `udap_profiles_supported` [element] array SHALL include ... ""udap_authn"" … [when the server supports] UDAP JWT-Based Client Authentication",SHALL,Server,,true,"1.1.04, 2.1.04","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_profiles_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_profiles_supported_field",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,26,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata," [When returning UDAP metadata] `udap_profiles_supported` [element]... +If the `grant_types_supported` parameter includes the string `""client_credentials""`, then the array SHALL also include: +`""udap_authz""` for UDAP Client Authorization Grants using JSON Web Tokens to indicate support for Authorization Extension Objects. ",SHALL,Server,,true,"1.1.04, 2.1.04","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_profiles_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_profiles_supported_field",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,27,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata," + [When returning UDAP metadata] `udap_profiles_supported` [element]... 
+If the server supports the user authentication workflow described in [Section 6](https://hl7.org/fhir/us/udap-security/STU1/user.html#tiered-oauth-for-user-authentication), then the array SHALL also include: `""udap_to""` for UDAP Tiered OAuth for User Authentication. ",SHALL,Server,,true,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,28,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_authorization_extensions_supported` [element is] required [and SHALL contain a]n array of zero or more recognized key names for Authorization Extension Objects supported by the Authorization Server.",SHALL,Server,,,"1.1.05, 2.1.05","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_auth_extensions_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_auth_extensions_supported_field",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,29,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"If the Authorization Server supports the B2B Authorization Extension Object defined in Section [5.2.1.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object), then the ... `[""hl7-b2b""]` key name SHALL be included [in the `udap_authorization_extensions_supported` element of the server's UDAP metadata]. 
+",SHALL,Server,,,"1.1.05, 2.1.05","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_auth_extensions_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_auth_extensions_supported_field",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,30,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_authorization_extensions_required` [element SHALL contain when populated a]n array of zero or more recognized key names for Authorization Extension Objects required by the Authorization Server in every token request. ",SHALL,Server,,,"1.1.06, 2.1.06","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_auth_extensions_required_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_auth_extensions_required_field",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,31,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_authorization_extensions_required` [element] SHALL be present if the value of the `udap_authorization_extensions_supported` parameter is not an empty array.",SHALL,Server,,,"1.1.06, 2.1.06","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_auth_extensions_required_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_auth_extensions_required_field",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,32,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"If the Authorization Server requires the B2B Authorization Extension Object defined in [Section 5.2.1.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object) in every token request, then the following key name SHALL be included [in the `udap_authorization_extensions_required`list]: +`[""hl7-b2b""]`",SHALL,Server,,,,,NA,NA 
+hl7.fhir.us.udap-security_1.0.0_reqs,33,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_certifications_supported` [element is] required [and SHALL contain a]n array of zero or more certification URIs supported by the Authorization Server, e.g.: `[""https://www.example.com/udap/profiles/example-certification""]` + +",SHALL,Server,,,"1.1.07, 2.1.07","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_certifications_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_certifications_supported_field",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,34,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_certifications_required` [element SHALL contain when populated a]n array of zero or more certification URIs required by the Authorization Server.",SHALL,Server,,,"1.1.08, 2.1.08","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_certifications_required_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_certifications_required_field",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,35,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_certifications_required` … parameter SHALL be present if the value of the `udap_certifications_supported` parameter is not an empty array.",SHALL,Server,,,"1.1.08, 2.1.08","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_certifications_required_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_certifications_required_field",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,36,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `grant_types_supported` [element is] required [and SHALL contain] an 
array of one or more grant types supported by the Authorization Server, e.g.:
+[""authorization_code"", ""refresh_token"", ""client_credentials""].",SHALL,Server,,,"1.1.03, 2.1.03","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_grant_types_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_grant_types_supported_field",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,37,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"The `""refresh_token""` grant type SHALL only be included [in the `grant_types_supported` element of the server metadata] if the `""authorization_code""` grant type is also included.",SHALL,Server,,,"1.1.03, 2.1.03","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_grant_types_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_grant_types_supported_field",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,38,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `authorization_endpoint` [element SHALL contain when populated a] string containing the absolute URL of the Authorization Server's authorization endpoint.",SHALL,Server,,true,"1.1.10, 2.1.10","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_authorization_endpoint_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_authorization_endpoint_field",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,39,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `authorization_endpoint` … SHALL be present if the value of the `grant_types_supported` parameter includes the string `""authorization_code""`",SHALL,Server,,true,"1.1.10, 2.1.10","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_authorization_endpoint_field, 
udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_authorization_endpoint_field",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,40,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `token_endpoint` [element is] required [and SHALL contain a] string containing the absolute URL of the Authorization Server's token endpoint for UDAP JWT-Based Client Authentication.",SHALL,Server,,,"1.1.11, 2.1.11","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_token_endpoint_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_token_endpoint_field",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,41,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `token_endpoint_auth_methods_supported` [element is] required [and SHALL contain a f]ixed array with one value: [""private_key_jwt""]",SHALL,Server,,,"1.1.12, 2.1.12","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_token_endpoint_auth_methods_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_token_endpoint_auth_methods_supported_field",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,42,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `token_endpoint_auth_signing_alg_values_supported` [element is] required [and SHALL contain an a]rray of strings identifying one or more signature algorithms supported by the Authorization Server for validation of signed JWTs submitted to the token endpoint for client authentication.",SHALL,Server,,,"1.1.13, 2.1.13","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_token_endpoint_auth_signing_alg_values_supported_field, 
udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_token_endpoint_auth_signing_alg_values_supported_field",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,43,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `registration_endpoint` [element is] required [and SHALL contain a] string containing the absolute URL of the Authorization Server's registration endpoint.",SHALL,Server,,,"1.1.14, 2.1.14","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_registration_endpoint_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_registration_endpoint_field",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,44,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `registration_endpoint_jwt_signing_alg_values_supported` [element is] recommended [to be populated].",SHOULD,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,45,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `registration_endpoint_jwt_signing_alg_values_supported` [element SHALL contain when populated an a]rray of strings identifying one or more signature algorithms supported by the Authorization Server for validation of signed software statements, certification, and endorsements submitted to the registration endpoint.",SHALL,Server,,true,"1.1.15, 2.1.15","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_reg_endpoint_jwt_signing_alg_values_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_reg_endpoint_jwt_signing_alg_values_supported_field",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,46,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `signed_metadata` [element is] required [which SHALL contain] A string 
containing a JWT listing the server's endpoints",SHALL,Server,,,"1.1.16, 2.1.16","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_field",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,47,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,A server’s UDAP metadata SHALL include the signed_metadata element.,SHALL,Server,,,"1.1.16, 2.1.16","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_field",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,48,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,"[The JWT in the signed_metadata element SHALL contain the claim] `iss` [that is the i]ssuer of the JWT -- unique identifying server URI. This SHALL match the value of a uniformResourceIdentifier entry in the Subject Alternative Name extension of the server's certificate included in the `x5c` JWT header, and SHALL be equal to the server's {baseURL}",SHALL,Server,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,49,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The `iss` claim of the JWT in the signed_metadata element] SHALL match the value of a uniformResourceIdentifier entry in the Subject Alternative Name extension of the server's certificate included in the `x5c` JWT header,SHALL,Server,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, 
udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,50,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The `iss` claim of the JWT in the signed_metadata element] SHALL be equal to the server's {baseURL},SHALL,Server,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,51,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The JWT in the signed_metadata element SHALL contain the claim] `sub` [that is the] same as `iss`.,SHALL,Server,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,52,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,"[The JWT in the signed_metadata element SHALL contain the claim] `exp` [that is the] expiration time integer for this JWT, expressed in seconds since the ""Epoch"" (1970-01-01T00:00:00Z UTC).",SHALL,Server,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,53,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,The exp time [in the Server's signed JWT] SHALL be no more than 1 year after the value of the iat claim.,SHALL,Server,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, 
udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,54,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,"[The JWT in the signed_metadata element SHALL contain the claim] `iat` [that is the] Issued time integer for this JWT, expressed in seconds since the ""Epoch""",SHALL,Server,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,55,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The JWT in the signed_metadata element SHALL contain the claim] `jti` [that is a] nonce string value that uniquely identifies this JWT.,SHALL,Server,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,56,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,This [`jti`] value [in the Server's signed JWT] SHALL NOT be reused by the server in another JWT before the time specified in the exp claim has passed,SHALL,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,57,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,"[In the JWT in the signed_metadata element SHALL contain, the claim] `authorization_endpoint`[is] REQUIRED if the authorization_endpoint parameter is included in the unsigned metadata",SHALL,Server,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents",NA,NA 
+hl7.fhir.us.udap-security_1.0.0_reqs,58,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The JWT in the signed_metadata element SHALL contain the claim] `token_endpoint`[which is a] string containing the absolute URL of the server's token endpoint,SHALL,Server,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,59,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The JWT in the signed_metadata element SHALL contain the claim] `registration_endpoint`[which is a] string containing the absolute URL of the server's registration endpoint,SHALL,Server,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,60,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,[A] client application MAY add the optional query parameter `community` to the metadata request URL described in [Section 2.1](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints) to indicate that it trusts certificates issued by the community identified by the parameter value.,MAY,Client,,,NA,NA,,
+hl7.fhir.us.udap-security_1.0.0_reqs,61,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,[when a client adds the query parameter `community`] The value of the parameter SHALL be a URI as determined by the trust community for this purpose.,SHALL,Client,,,NA,NA,,
+hl7.fhir.us.udap-security_1.0.0_reqs,62,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,"If a server supports [the `community`] parameter and 
recognizes the URI value, it SHALL select a certificate intended for use within the identified trust community, if it has been issued such a certificate, and use that certificate when generating the signed JWT returned for the `signed_metadata` element. ",SHALL,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,63,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,"If a server supports different UDAP capabilities for different communities, it MAY also return different values for other metadata elements described in [Section 2.2](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata) as appropriate for the identified community.",MAY,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,64,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,"If the server does not recognize the community URI or does not have a suitable certificate for the identified community, it MAY return a `404 Not Found` response to the metadata request to indicate that no UDAP workflows are supported by server in the context of that community, or it MAY return its default metadata, i.e. the metadata that it would have returned if the community parameter was not included in the request.",MAY,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,65,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,"If the server does not recognize the community URI or does not have a suitable certificate for the identified community, .. it MAY return its default metadata, i.e. 
the metadata that it would have returned if the community parameter was not included in the request.",MAY,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,66,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,"Before FHIR data requests can be made, Client application operators SHALL register each of their applications with the Authorization Servers identified by the FHIR servers with which they wish to exchange data. ",SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,67,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,Client applications SHALL use the client_id assigned by an Authorization Server in subsequent authorization and token requests to that server.,SHALL,Client,,,NA,NA,"3.02, 3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,68,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,Authorization Servers SHALL support dynamic registration as specified in the [UDAP Dynamic Client Registration](https://www.udap.org/udap-dynamic-client-registration-stu1.html) profile with the additional options and constraints defined in this guide.,SHALL,Server,,,"1.2, 2.2","udap_security-udap_authorization_code_group-auth_code_dcr_group, udap_security-udap_client_credentials_group-client_creds_dcr_group",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,69,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,Confidential clients that can secure a secret MAY use this dynamic client registration protocol as discussed further 
below to obtain a `client_id`,SHALL,Client,,,NA,NA,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,70,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,Other [non-Confidential] client types SHOULD follow the manual registration processes for each Authorization Server.,SHOULD,Client,,,NA,NA,,
+hl7.fhir.us.udap-security_1.0.0_reqs,71,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,"To register dynamically, the client application first [SHALL] construct ... a software statement as per [section 2](https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-2) of UDAP Dynamic Client Registration.",SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,72,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The software statement [sent during dynamic registration] SHALL contain the required header elements specified in [Section 1.2.3](https://hl7.org/fhir/us/udap-security/STU1/index.html#jwt-headers) of this guide,SHALL,Client,"hl7.fhir.us.udap-security_1.0.0@7,8",,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,73,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The software statement [sent during dynamic registration] SHALL be signed by the client application operator using the signature algorithm identified in the `alg` header of the software statement,SHALL,Client,,,NA,NA,"1.02, 
2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,74,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The software statement [sent during dynamic registration] SHALL be signed by the client application operator using ... the private key that corresponds to the public key listed in the client’s X.509 certificate identified in the`x5c` header of the software statement.,SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,75,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `iss` [is] `required` [and] SHALL match the value of a uniformResourceIdentifier entry in the Subject Alternative Name extension of the client's certificate included in the `x5c` JWT header,SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,76,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `sub` [is] `required`[and is the s]ame as `iss`.,SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification" 
+hl7.fhir.us.udap-security_1.0.0_reqs,77,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `aud` [is] `required`[and is the] Authorization Server's ""registration URL"" ",SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,78,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `exp` [is] `required`[and is the] Expiration time integer for this software statement, expressed in seconds since the ""Epoch"" (1970-01-01T00:00:00Z UTC). The exp time SHALL be no more than 5 minutes after the value of the iat claim.",SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,79,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `exp`... 
SHALL be no more than 5 minutes after the value of the `iat` claim.,SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,80,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `iat` [is] `required`[and is the] Issued time integer for this software statement, expressed in seconds since the ""Epoch""",SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,81,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `jti` [is] `required`[and is a] nonce string value that uniquely identifies this software statement.,SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,82,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `jti` SHALL NOT be reused by the client app in another software statement or authentication JWT before the time specified in the `exp` claim has passed,SHALL,Client,,,NA,NA,,
+hl7.fhir.us.udap-security_1.0.0_reqs,83,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `client_name` [is] `required`[and is a] string containing the 
human readable name of the client application,SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,84,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `redirect_uris` … SHALL be present if grant_types includes `authorization_code`,SHALL,Client,,,NA,NA,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,85,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `redirect_uris` … SHALL be absent [if the `grant_types` claim does not include `authorization_code`]. ,SHALL,Client,,,NA,NA,2.02,udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,86,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `contacts` [is] `required`[and is the ] array of URI strings indicating how the data holder can contact the app operator regarding the application.,SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,87,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `contacts` … SHALL contain at least one valid email address using the mailto scheme,SHALL,Client,,,NA,NA,"1.02, 
2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,88,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration and populating t]he JWT claim `logo_uri`... If `grant_types` includes ""authorization_code"", client applications SHALL include this field",SHALL,Client,,,NA,NA,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,89,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,Authorization Server[s] MAY display this logo [provided in the `logo_uri` claim of a registered software statement for a client] to the user during the authorization process.,MAY,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,90,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration and populating t]he JWT claim `logo_uri` … [t]he URL SHALL use the https scheme,SHALL,Client,,,NA,NA,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,91,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration and populating t]he JWT claim `logo_uri` … [t]he URL SHALL ... reference a PNG, JPG, or GIF image file, e.g. 
""https://myapp.example.com/MyApp.png""",SHALL,Client,,,NA,NA,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,92,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `grant_types` [is] `required`[and SHALL include either ""authorization_code"" or ""client_credentials"" but not both. The value ""refresh_token"" SHALL NOT be present in the array unless ""authorization_code"" is also present.",SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,93,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `response_types` [SHALL be present i]f `grant_types` contains ""authorization_code""",SHALL,Client,,,NA,NA,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,94,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `response_types` ... SHALL have a fixed value of `[""code""]` [when populated]. ",SHALL,Client,,,NA,NA,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,95,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `response_types` [i]f `grant_types` [does not] contain ""authorization_code"", then this element ... SHALL be omitted. 
",SHALL,Client,,,NA,NA,2.02,udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,96,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `token_endpoint_auth_method` [is] `required` [and SHALL contain] Fixed string value: ""private_key_jwt""",SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,97,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `scope` [is] `required` [and SHALL contain] a space delimited list of scopes requested by the client application for use in subsequent requests.,SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,98,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The Authorization Server MAY consider this list [of scopes provided in the registration software statement] when deciding the scopes that it will allow the application to subsequently request.,MAY,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,99,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration] for client apps that also support the SMART App Launch framework: apps requesting the ""client_credentials"" grant type SHOULD request system scopes;",SHOULD,Client,,,NA,NA,, 
+hl7.fhir.us.udap-security_1.0.0_reqs,100,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration] for client apps that also support the SMART App Launch framework: ... apps requesting the ""authorization_code"" grant type SHOULD request user or patient scopes.",SHOULD,Client,,,NA,NA,,
+hl7.fhir.us.udap-security_1.0.0_reqs,101,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The unique client URI used for the iss claim SHALL match the uriName entry in the Subject Alternative Name extension of the client app operator’s X.509 certificate,SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,102,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The unique client URI used for the iss claim SHALL ... uniquely identify a single client app operator and application over time.,SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,103,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"The software statement is intended for one-time use with a single OAuth 2.0 server. 
As such, the `aud` claim SHALL list the URL of the OAuth Server’s registration endpoint",SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,104,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"The software statement is intended for one-time use with a single OAuth 2.0 server. As such, … the lifetime of the software statement (`exp` minus `iat`) SHALL be 5 minutes.",SHALL,Client,,,NA,NA,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+hl7.fhir.us.udap-security_1.0.0_reqs,105,https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body,The Authorization Server SHALL validate the registration request as per [Section 4](https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4) of UDAP Dynamic Client Registration. 
,SHALL,Server,,,"1.2, 2.2","udap_security-udap_authorization_code_group-auth_code_dcr_group, udap_security-udap_client_credentials_group-client_creds_dcr_group",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,106,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he iss value MUST match a uriName entry in the Subject Alternative Names extension of the Client’s certificate.,SHALL,Server,,,"1.2.01, 2.2.01","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_failure_invalid_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_failure_invalid_contents",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,107,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he sub value MUST match the iss value,SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,108,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he aud value MUST contain the Authorization Server’s registration endpoint URL,SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,109,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he software statement MUST be unexpired,SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,110,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1,"If a new registration is successful, the Authorization Server SHALL return a registration response with a `201 Created` HTTP response code as per [Section 5.1](https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1) of UDAP Dynamic Client Registration",SHALL,Server,,,"1.2.03, 2.2.03","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success, 
udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,111,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1,"[When responding to an authorization request that has been granted] 5.1 The top-level elements of the response SHALL include the client_id issued by the Authorization Server for use by the Client App, the software statement as submitted by the Client App, and all of the registration related parameters that were included in the software statement",SHALL,Server,,,"1.2.04, 2.2.04","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success_contents",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,112,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1,[When responding to an authorization request that has been granted] 5.1 Authorization Server MUST store the certificate provided by the Client for use to validate subsequent client authentication attempts.,SHALL,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,113,https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body,"If a new registration is successful, the Authorization Server SHALL return a registration response ... including the unique `client_id` assigned by the Authorization Server to that client app.",SHALL,Server,,,"1.2.04, 2.2.04","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success_contents",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,114,https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body,"If a new registration is not successful, e.g. 
it is rejected by the server for any reason, the Authorization Server SHALL return an error response as per [Section 5.2](https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.2) of UDAP Dynamic Client Registration.",SHALL,Server,,,"1.2.01, 1.2.02, 2.2.01, 2.2.02","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_failure_invalid_contents, udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_failure_invalid_jwt_signature, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_failure_invalid_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_failure_invalid_jwt_signature",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,116,https://hl7.org/fhir/us/udap-security/STU1/registration.html#inclusion-of-certifications-and-endorsements,Authorization Servers SHALL ignore unsupported or unrecognized certifications,SHALL,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,117,https://hl7.org/fhir/us/udap-security/STU1/registration.html#inclusion-of-certifications-and-endorsements,Authorization Servers MAY require registration requests to include one or more certifications.,MAY,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,118,https://hl7.org/fhir/us/udap-security/STU1/registration.html#inclusion-of-certifications-and-endorsements,"If an Authorization Server requires the inclusion of a certain certification, then the Authorization Server SHALL communicate this by including the corresponding certification URI in the `udap_certifications_required` element of its UDAP metadata.",SHALL,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,119,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If an Authorization Server receives a valid registration request with a software statement containing the same `iss` value as an earlier software statement but with a different set 
of claims or claim values, or with a different (possibly empty) set of optional certifications and endorsements, the server SHALL treat this as a request to modify the registration parameters for the client application by replacing the information from the previous registration request with the information included in the new request.",SHALL,Server,,,"1.2.03, 2.2.03","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,120,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If the registration modification request is accepted, the Authorization Server SHOULD return the same `client_id` in the registration response as for the previous registration.",SHOULD,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,121,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If it returns a different `client_id` [in response to a registration modification request], it SHALL cancel the registration for the previous `client_id`.",SHALL,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,122,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If an Authorization Server receives a valid registration request with a software statement that contains an empty `grant_types` array from a previously registered application, the server SHOULD interpret this as a request to cancel the previous registration.",SHOULD,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,123,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,A client application SHALL interpret a registration response that contains an empty `grant_types`array as a confirmation that the registration for the `client_id` listed in the response has been 
cancelled by the Authorization Server.,SHALL,Client,,,NA,NA,,
+hl7.fhir.us.udap-security_1.0.0_reqs,124,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If the Authorization Server returns the same client_id in the registration response for a modification request, it SHOULD also return a `200 OK` HTTP response code.",SHOULD,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,125,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If the Authorization Server returns a new `client_id` in the registration response, the client application SHALL use only the new `client_id` in subsequent transactions with the Authorization Server.",SHOULD,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,126,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#consumer-facing,"Consumer-facing client applications SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 authorization code grant flow,",SHALL,Client,,,NA,NA,3,udap_security_client-udap_client_access_ac
+hl7.fhir.us.udap-security_1.0.0_reqs,127,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,"Client applications SHALL request an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) of RFC 6749,",SHALL,Client,mailto:hl7.fhir.us.udap-security_1.0.0@%20128-129,,NA,NA,3.02,udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,128,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1,"[When] The client constructs the request URI … the … parameter.. 
`response_type` [is] `required`[and the] value MUST be set to ""code"" ",SHALL,Client,,,NA,NA,3.02,udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,129,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1,[When] The client constructs the request URI … the … parameter.. `client_id` [is] `required`… [and is t]he client identifier as described in [Section 2.2](https://datatracker.ietf.org/doc/html/rfc6749#section-2.2).,SHALL,Client,,,NA,NA,3.02,udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,130,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,Client applications that also support the SMART App Launch IG are NOT REQUIRED to include a launch scope or launch context requirement scope.,MAY,Client,,,NA,NA,,
+hl7.fhir.us.udap-security_1.0.0_reqs,131,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,Client applications .. 
MAY optionally support UDAP Tiered OAuth for User Authentication to allow for cross-organizational or third party user authentication as described in [Section 6](https://hl7.org/fhir/us/udap-security/STU1/user.html).,MAY,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,132,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,[S]ervers MAY optionally support UDAP Tiered OAuth for User Authentication to allow for cross-organizational or third party user authentication as described in [Section 6](https://hl7.org/fhir/us/udap-security/STU1/user.html).,JUNE,Client,,,NA,NA,,
+hl7.fhir.us.udap-security_1.0.0_reqs,133,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,Servers SHALL handle and respond to authorization code requests as per [Section 4.1.2](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2) of RFC 6749.,SHALL,Server,mailto:hl7.fhir.us.udap-security_1.0.0_reqs@134-139,,"1.3.01, 1.3.02","udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_redirect, udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received",NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,134,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When responding to an authorization request ]if the resource owner grants the access request… the `code` parameter [is] `REQUIRED`,SHALL,Server,,,1.3.02,udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,135,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When responding to an authorization request i]f the resource owner grants the access request… the `code` parameter... MUST expire shortly after it is issued to mitigate the risk of leaks. 
,SHALL,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,136,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,If the resource owner grants the access request… The client MUST NOT use the authorization code more than once.,SHALL,Client,,,NA,NA,,
+hl7.fhir.us.udap-security_1.0.0_reqs,137,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,"If an authorization code is used more than once, the authorization server MUST deny the request ",SHALL,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,138,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,"[When responding to an authorization request i]f the resource owner grants the access request… the `state` parameter [is] `REQUIRED`if the ""state"" parameter was present in the client authorization request",SHALL,Server,,,1.3.02,udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,139,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When receiveing an response to an authorization request t]he client MUST ignore unrecognized response parameters.,SHALL,Client,,,NA,NA,,
+hl7.fhir.us.udap-security_1.0.0_reqs,140,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-access-token,"Client applications SHALL exchange authorization codes for access tokens as per [Section 4.1.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3) of RFC 6749, ",SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,141,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When] the client makes a request to the token endpoint… the `grant_type` [parameter is] `REQUIRED`[and the] Value MUST be set to ""authorization_code""",SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification 
+hl7.fhir.us.udap-security_1.0.0_reqs,142,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When t]he client makes a request to the token endpoint… the `code` [parameter is] `REQUIRED`[and is] the authorization code received from the authorization server,SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,143,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When t]he client makes a request to the token endpoint… the `redirect_uri` [parameter is] `REQUIRED`...if the ""redirect_uri"" parameter was included in the authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and their values MUST be identical.",SHALL,Client,mailto:hl7.fhir.us.udap-security_1.0.0@%20128-129,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,144,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When t]he client makes a request to the token endpoint… the `client_id` [parameter is] `REQUIRED`...if the client is not authenticating with the authorization server as described in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1).,SHALL,Client,,,NA,NA,,
+hl7.fhir.us.udap-security_1.0.0_reqs,145,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1).",SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,146,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization 
server MUST: require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements),SHALL,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,147,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: ...authenticate the client if client authentication is included,",SHALL,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,148,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: … ensure that the authorization code was issued to the authenticated confidential client, or if the client is public, ensure that the code was issued to ""client_id"" in the request,",SHALL,Server,,,1.3.03,udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_token_exchange,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,149,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: … verify that the authorization code is valid,SHALL,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,150,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: … ensure that the ""redirect_uri"" parameter is present if the ""redirect_uri"" parameter was included in the initial authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and if included ensure that their values are identical.",SHALL,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,151,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"If the client app has registered to authenticate using a private key rather than a shared client_secret, then the client SHALL use its private key to 
sign an Authentication Token as described in this section, and include this JWT in the client_assertion parameter of its token request as described in section 5.1 of UDAP JWT-Based Client Authentication and detailed further in Section 4.2.2 of this guide.",SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,152,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,Authentication Tokens submitted by client apps SHALL conform to the general JWT header requirements above,SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,153,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests]the `iss` parameter [is] `required` [and is t]he application's `client_id` as assigned by the Authorization Server during the registration process,SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,154,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `sub` parameter [is] `required` [and is t]he application's `client_id` as assigned by the Authorization Server during the registration process,SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,155,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `aud` parameter [is] `required` [and is] the 
FHIR Authorization Server's token endpoint URL,SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,156,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `exp` parameter [is] `required` [and is the e]xpiration time integer for this authentication JWT, expressed in seconds since the ""Epoch"" (1970-01-01T00:00:00Z UTC)",SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,157,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `iat` parameter [is] `required` [and is the i]ssued time integer for this authentication JWT, expressed in seconds since the ""Epoch""",SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,158,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `jti` parameter [is] `required` [and is a] nonce string value that uniquely identifies this authentication ,SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,159,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` ...element of token requests] … the `jti` parameter... 
SHALL NOT be reused by the client app in another authentication JWT before the time specified in the `exp` claim has passed,SHALL,Client,,,NA,NA,,
+hl7.fhir.us.udap-security_1.0.0_reqs,160,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"The maximum lifetime for an Authentication Token SHALL be 5 minutes, i.e. the value of `exp` minus the value of `iat` SHALL NOT exceed 300 seconds.",SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,161,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,The Authentication Token SHALL be signed and serialized using the JSON compact serialization method..,SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,162,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"For client applications authenticating with a shared secret, the client application and server SHALL follow the token request and response protocol in Section 4.1.3 and Section 4.1.4 of RFC 6749.",SHALL,Client,mailto:hl7.fhir.us.udap-security_1.0.0@141-150,,NA,NA,,
+hl7.fhir.us.udap-security_1.0.0_reqs,163,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,Client applications authenticating with a private key and Authentication Token as per Section [4.2.1](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token) SHALL submit a POST request to the Authorization Server’s token endpoint containing the [token request]... 
parameters as per Section 5.1 of UDAP JWT-Based Client Authentication,SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,164,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,Client apps authenticating in this [with a private key and Authentication Token] manner SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request.,SHALL NOT,Client,,,NA,NA,,
+hl7.fhir.us.udap-security_1.0.0_reqs,165,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `grant_type` [parameter is] `required`[and SHALL contain the f]ixed value: `authorization_code`,SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,166,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `code` [parameter is] `required`[and SHALL contain the] code that the app received from the Authorization Server,SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,167,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"[When authenticating with a private key and Authentication Token] the `redirect_uri` [parameter is] `conditional`… SHALL be present only if the redirect_uri parameter was included in the authorization request in Section 4.1,",SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,168,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the 
`redirect_uri` values SHALL be identical [with those sent on the authorization request].,SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,169,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `client_assertion_type` [parameter is] `required`[and SHALL contain the] fixed value: `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`,SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,170,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `client_assertion` [parameter is] `required`[and SHALL contain the] signed Authentication Token JWT,SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,171,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `udap` [parameter is] `required`[and SHALL contain a f]ixed value: 1,SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,172,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,An Authorization Server receiving token requests containing Authentication Tokens... 
SHALL validate and respond to the request as per [Sections 6 and 7 of UDAP JWT-Based Client Authentication](https://www.udap.org/udap-jwt-client-auth.html).,SHALL,Server,mailto:hl7.fhir.us.udap-security_1.0.0@173-183,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,173,https://www.udap.org/udap-jwt-client-auth.html,The AS validates the digital signature on the AnT [in the token request] using the public key extracted from cert1 in the x5c parameter of the JOSE header.,SHALL,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,174,https://www.udap.org/udap-jwt-client-auth.html,"If the signature cannot be validated [using the public key extracted from cert1 in the x5c parameter], the [token] request is denied.",SHALL,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,175,https://www.udap.org/udap-jwt-client-auth.html,[For the Authorization Server to validate the Client App’s request] the Client MUST include its own certificate [in the x5c parameter of the JOSE header on AnTs in token requests],SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,176,https://www.udap.org/udap-jwt-client-auth.html,"If a trusted chain cannot be built and validated by the AS [for certificates in the x5c parameter of the JOSE header on AnTs in token requests], the request is denied.",SHALL,Server,,,,,NA,NA
+hl7.fhir.us.udap-security_1.0.0_reqs,177,https://www.udap.org/udap-jwt-client-auth.html,"[When validating the Client App’s request t]he iss and sub values MUST correspond to a registered client ID that is permitted to authenticate using an AnT and whose registration is bound to a uniformResourceIdentifier entry in the Subject Alternative Names extension of the Client’s certificate, e.g. 
via UDAP Dynamic Client Registration",SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,178,https://www.udap.org/udap-jwt-client-auth.html,"[When validating the Client App’s request] If the request contains a client_id parameter, the client_id value MUST match the iss and sub values",SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,179,https://www.udap.org/udap-jwt-client-auth.html,[When validating the Client App’s token request] The aud value MUST contain the AS’s token endpoint URI,SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,180,https://www.udap.org/udap-jwt-client-auth.html,[When validating the Client App’s token request] the AnT MUST be unexpired. ,SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+hl7.fhir.us.udap-security_1.0.0_reqs,181,https://www.udap.org/udap-jwt-client-auth.html,[When validating the Client App’s token request] A maximum AnT lifetime of 5 minutes is RECOMMENDED,SHALL,Client,,,NA,NA,,
+hl7.fhir.us.udap-security_1.0.0_reqs,182,https://www.udap.org/udap-jwt-client-auth.html,The AS validates any other parameters in the [token] request as per the requirements of the grant mechanism identified by the grant_type value. 
,SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,183,https://www.udap.org/udap-jwt-client-auth.html,"If a parameter is invalid or a required parameter is missing [on a token request], the request is denied",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,184,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"For all successful token requests, the Authorization Server SHALL issue access tokens with a lifetime no longer than 60 minutes. +",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,185,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,B2B client applications registered to use the authorization code grant SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 authorization code grant flow described in [Section 4.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1) of RFC 6749,SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification +hl7.fhir.us.udap-security_1.0.0_reqs,186,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,Client applications registered to use the client credentials grant SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 client credentials grant flow described in [Section 4.4](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) of RFC 6749,SHALL,Client,,,NA,NA,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification +hl7.fhir.us.udap-security_1.0.0_reqs,187,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,"[When using the B2B client credentials flow to obtain access] the Requestor [(client)] is responsible for ensuring that the Requestor’s User, if applicable, is using the app only as authorized by the Requestor.",SHALL,Client,,,NA,NA,, 
+hl7.fhir.us.udap-security_1.0.0_reqs,188,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code,Client applications registered to use the authorization code grant SHALL request an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) of RFC 6749,SHALL,Client,mailto:hl7.fhir.us.udap-security_1.0.0@128-129,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,190,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code,Servers SHALL handle and respond to authorization code requests as per [Section 4.1.2 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2).,SHALL,Server,mailto:hl7.fhir.us.udap-security_1.0.0@134-139,,"1.3.01, 1.3.02","udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_redirect, udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received",NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,192,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,"The client SHALL use its private key to sign an Authentication Token..., and include this JWT in the `client_assertion` parameter of its token request as described in section 5.1 of UDAP JWT-Based Client Authentication and detailed further in [Section 5.2.2](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#submitting-a-token-request) of this guide",SHALL,Client,,,NA,NA,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" +hl7.fhir.us.udap-security_1.0.0_reqs,193,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `sub` claim [is] `required`. 
,SHALL,Client,,,NA,NA,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" +hl7.fhir.us.udap-security_1.0.0_reqs,194,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `aud` claim [is] `required`. ,SHALL,Client,,,NA,NA,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" +hl7.fhir.us.udap-security_1.0.0_reqs,195,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `exp` claim [is] `required`. ,SHALL,Client,,,NA,NA,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" +hl7.fhir.us.udap-security_1.0.0_reqs,196,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `iat` claim [is] `required`. ,SHALL,Client,,,NA,NA,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" +hl7.fhir.us.udap-security_1.0.0_reqs,197,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `jti` claim [is] `required`. 
,SHALL,Client,,,NA,NA,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" +hl7.fhir.us.udap-security_1.0.0_reqs,198,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `extensions` claim [is] `conditional` [and] The HL7 B2B Authorization Extension Object ...is required for B2B client apps using the client_credentials flow,SHALL,Client,,,NA,NA,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification +hl7.fhir.us.udap-security_1.0.0_reqs,199,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `extensions` claim [is] `conditional` [and shall be] omit[ted] for client apps using the `authorization_code` flow,SHALL,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,202,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `version` [is] `required` [with a] String with fixed value: ""1""",SHALL,Client,,,NA,NA,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification +hl7.fhir.us.udap-security_1.0.0_reqs,203,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_name` [is] `conditional` [and SHALL be required if the] String containing the human readable name of the human or non-human requestor [is] known,SHALL,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,204,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the 
`client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be required] if known for human requestors when the `subject_name` parameter is present. ,SHALL,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,205,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id`... For US Realm,... SHALL be the subject's individual National Provider Identifier (NPI)",SHALL,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,206,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be omitted] for non-human requestors ,SHALL,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,207,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be omitted] ... for requestors who have not been assigned an NPI,SHALL,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,208,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_role` [is] `conditional` [and SHALL be required] if known for human requestors when the `subject_name` parameter is present. 
For US Realm, trust communities SHOULD constrain the allowed values and formats, and are encouraged to draw from the National Uniform Claim Committee (NUCC) Provider Taxonomy Code Set, but are not required to do so to be considered conformant.",SHALL,"Client, Trust Community",,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,209,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] For US Realm, trust communities SHOULD constrain the allowed values and formats [for the value `subject_role`] and are encouraged to draw from the National Uniform Claim Committee (NUCC) Provider Taxonomy Code Set",SHOULD,Trust Community,,,NA,NA,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,210,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_name` [is] `optional` [and is a] string containing the human readable name of the organizational requestor. If a subject is named, the organizational requestor is the organization represented by the subject.",MAY,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,211,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_name` [is] `optional` … if a subject is named, the organizational requestor is the organization represented by the subject.",MAY,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,212,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_id` [is] `required` [and] SHALL be a Uniform Resource Identifier (URI). 
,SHALL,Client,,,NA,NA,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification +hl7.fhir.us.udap-security_1.0.0_reqs,213,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_id` [is] `required` [and] ... Trust communities SHALL define the allowed URI scheme(s).,SHALL,"Client, Trust Community",,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,214,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_id` [is] `required`... If a URL is used, the issuer SHALL include a URL that is resolvable by the receiving party.",SHALL,Client,,,NA,NA,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification +hl7.fhir.us.udap-security_1.0.0_reqs,215,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `purpose_of_use` [is] `required`.,SHALL,Client,,,NA,NA,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification +hl7.fhir.us.udap-security_1.0.0_reqs,216,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] For US Realm, trust communities SHOULD constrain the allowed [`purpose_of_use`] values, and are encouraged to draw from the HL7 [PurposeOfUse](http://terminology.hl7.org/ValueSet/v3-PurposeOfUse) value set ",SHOULD,Trust Community,,,NA,NA,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,217,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization 
Extension Object following the `client_credentials` flow] the value `consent_policy` [is] `optional`[and SHALL contain] an array of one or more strings, each containing a URI identifiying a privacy consent directive policy or other policy consistent with the value of the purpose_of_use parameter.",MAY,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,218,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_reference` [is] `conditional`[and SHALL contain a]n array of one or more strings, each containing an absolute URL consistent with a [literal reference](https://www.hl7.org/fhir/R4/references.html#literal) to a FHIR [Consent](https://www.hl7.org/fhir/R4/consent.html) or [DocumentReference](https://www.hl7.org/fhir/R4/documentreference.html) resource containing or referencing a privacy consent directive relevant to a purpose identified by the `purpose_of_use` parameter and the policy or policies identified by the `consent_policy` parameter.",MAY,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,219,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[When populating the consent_reference value of the B2B Authorization Extension] the value `consent_reference` [is] `conditional` ... [and t]he issuer of this Authorization Extension Object SHALL only include URLs that are resolvable by the receiving party.,SHALL,Client,,true,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,220,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[When populating the consent_reference value of the B2B Authorization Extension] the value `consent_reference` [is] `conditional`... 
[and i]f a referenced resource does not include the raw document data inline in the resource or as a contained resource, then it SHALL include a URL to the attachment data that is resolvable by the receiving party. ",SHALL,Client,,true,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,221,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_reference` [is] `conditional`[and shall be ] ... Omit[ted] if `consent_policy` [paramaeter] is not present.,SHALL,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,222,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#submitting-a-token-request,Client applications using the authorization code grant and authenticating with a private key and Authentication Token as per Section 5.2.1 SHALL submit a POST request to the Authorization Server’s token endpoint containing the following parameters as per Section 5.1 of UDAP JWT-Based Client Authentication.,SHALL,Client,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification +hl7.fhir.us.udap-security_1.0.0_reqs,223,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,Client applications using the client credentials grant and authenticating with a private key and Authentication Token as per Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) SHALL submit a POST request to the Authorization Server’s token endpoint containing the following parameters as per Section 5.2 of UDAP JWT-Based Client Authentication.,SHALL,Client,,,NA,NA,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification +hl7.fhir.us.udap-security_1.0.0_reqs,224,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,Client applications using the client credentials grant and authenticating with a private key 
and Authentication Token as per Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) … SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request.,SHALL NOT,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,225,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `grant_type` parameter [is] `required` [and SHALL contain f]ixed value: `client_credentials`,SHALL,Client,,,NA,NA,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification +hl7.fhir.us.udap-security_1.0.0_reqs,226,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `client_assertion_type` parameter [is] `required` [and SHALL contain f]ixed value: `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`,SHALL,Client,,,NA,NA,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification +hl7.fhir.us.udap-security_1.0.0_reqs,227,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `client_assertion` parameter [is] `required` [and SHALL contain] the signed Authentication Token JWT,SHALL,Client,,,NA,NA,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification +hl7.fhir.us.udap-security_1.0.0_reqs,228,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `udap` parameter [is] `required` [and SHALL contain] fixed value: `1`,SHALL,Client,,,NA,NA,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification +hl7.fhir.us.udap-security_1.0.0_reqs,229,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,An Authorization Server receiving token requests containing Authentication Tokens ... 
SHALL validate and respond to the request as per Sections 6 and 7 of UDAP JWT-Based Client Authentication.,SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,230,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#refresh-tokens,Authorization Servers MAY issue refresh tokens to B2B [and consumer-facing] client applications that use the authorization code grant type as per [Section 5 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-5),MAY,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,231,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#refresh-tokens,Client apps that have been issued refresh tokens MAY make refresh requests to the token endpoint as per [Section 6 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-6). ,MAY,Client ,hl7.fhir.us.udap-security_1.0.0@232-233,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,232,https://datatracker.ietf.org/doc/html/rfc6749#section-6,"[When requesting a refresh token] the `grant_type` [parameter is] REQUIRED [and the ] Value MUST be set to ""refresh_token""",SHALL,Client ,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification +hl7.fhir.us.udap-security_1.0.0_reqs,233,https://datatracker.ietf.org/doc/html/rfc6749#section-7,[When requesting a refresh token] the `refresh_token` [parameter is] REQUIRED [and is ] The refresh token issued to the client,SHALL,Client ,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification +hl7.fhir.us.udap-security_1.0.0_reqs,234,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#refresh-tokens,"Client apps authenticate to the Authorization Server for refresh requests by constructing and including an Authentication Token in the same manner as for initial token requests [i.e., include the client_assertion_type and client_assertion fields as in the token request]",SHALL,Client 
,,,NA,NA,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification +hl7.fhir.us.udap-security_1.0.0_reqs,235,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"IdPs that support this [UDAP] guide SHALL include `""openid""` and `""udap""` in the array of scopes returned for the `scopes_supported` parameter.",SHALL,Client ,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,236,https://hl7.org/fhir/us/udap-security/STU1/user.html#client-authorization-request-to-data-holder,The client app indicates the preferred Identity Provider to the data holder… by modifying the authorization endpoint request… [and a]dd[ing] `udap` to the list of scopes provided in the value of the `scope` query parameter,SHALL,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,237,https://hl7.org/fhir/us/udap-security/STU1/user.html#client-authorization-request-to-data-holder,The client app indicates the preferred Identity Provider to the data holder… by modifying the authorization endpoint request… [and a]dd[ing] the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP.,SHALL,Client ,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,238,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"Upon receiving an authorization request with a preferred IdP, the data holder first determines whether or not it trusts the IdP to perform user authentication, by retrieving and validating the IdP’s UDAP metadata from {baseURL}/.well-known/udap, as discussed in [Section 2.2](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata)",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,239,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is trusted and the data holder is not yet registered as a client with the IdP and the IdP supports UDAP Dynamic Registration, then 
the data holder SHALL register as a client with the IdP as per [Section 3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration) of this guide. +",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,240,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is not trusted by the data holder, or if the data holder does not have and cannot obtain a client_id to use with the IdP, the data holder MAY reject the client app’s authorization request",MAY,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,241,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"[if the data holder rejects the request because of idP it SHALL return an error with the invalid_idp extension error code] as per [Section 4.1.2.1 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1), using the extension error code of invalid_idp.",SHALL,Server,hl7.fhir.us.udap-security_1.0.0@241,true,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,242,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1,"If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server ... MUST NOT automatically redirect the user-agent to the invalid redirection URI.",SHALL NOT,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,243,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is not trusted by the data holder, or if the data holder does not have and cannot obtain a client_id to use with the IdP ... 
the data holder MAY attempt to authenticate the user with a different trusted IdP or its own IdP, and MAY interact with the user to determine a suitable alternative",MAY,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,244,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"[When authenticating the user a] client app that receives an error code of `invalid_idp` MAY attempt to obtain authorization again by specifying a different IdP base URL in the `idp` authorization request parameter, or by making a new authorization request without using the Tiered OAuth workflow.",MAY,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,245,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is trusted by the data holder, and the data holder is registered as a client with the IdP, then the data holder, acting as an OIDC client, SHALL make an authentication request to the IdP’s authorization endpoint as per [Section 3.1.2.1 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) and Section 3.4 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html). ",SHALL,Server,hl7.fhir.us.udap-security_1.0.0@246-255,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,246,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,Authorization Servers MUST support the use of the HTTP `GET` and `POST` methods defined in [RFC 7231](https://openid.net/specs/openid-connect-core-1_0.html#RFC7231) at the Authorization Endpoint. 
,SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,247,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,OpenID Connect [authentication] requests MUST contain the openid scope value.,SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,248,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,"[When constructing an OpenID Connect authentication request the] `response_type` parameter is REQUIRED. Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used. When using the Authorization Code Flow, this value is code.",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,249,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,[When constructing an OpenID Connect authentication request the] `client_id` [parameter is] REQUIRED [and SHALL be a] Client Identifier valid at the Authorization Server.,SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,250,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,[When constructing an OpenID Connect authentication request the] `redirect_uri` [parameter is] REQUIRED [and SHALL be a] Redirection URI to which the response will be sent. ,SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,251,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,"[When constructing an OpenID Connect authentication request] The [`redirect_uri`] URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in [Section 6.2.1 of [RFC3986]](https://openid.net/specs/openid-connect-core-1_0.html#RFC3986) (Simple String Comparison).",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,252,https://www.udap.org/udap-user-auth-stu1.html,"[When UDAP Tiered OAuth for User Authentication is being requested] If... 
[the “openid” and “udap”] scope is omitted, the behavior of the IdP is entirely unspecified and the IdP SHOULD NOT proceed with the UDAP Tiered OAuth for User Authentication workflow.",SHOULD NOT,server ,,,NA,NA,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,253,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST use the authorization code flow when redirecting the user to the IdP’s authorization endpoint,SHALL,server ,,,NA,NA,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,254,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST generate its own random value for the state parameter ,SHALL,server ,,,NA,NA,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,255,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST NOT reuse the [state] value provided by the Client App in Step 2.,SHALL NOT,server ,,,NA,NA,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,256,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,The `scope` query parameter of the authentication request SHALL contain at least the following two values: `openid` and `udap`. 
,SHALL,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,257,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,The IdP SHALL authenticate the user as per [Sections 3.1.2.2 - 3.1.2.6 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation) and Sections 4.1 - 4.2 of [UDAP Tiered Oauth](https://www.udap.org/udap-user-auth-stu1.html).,SHALL,Client,hl7.fhir.us.udap-security_1.0.0@258-278,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,258,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,The Authorization Server MUST validate all the OAuth 2.0 [authentication request] parameters according to the OAuth 2.0 specification.,SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,259,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"the Authorization Server MUST ...Verify that a `scope` parameter is present and contains the `openid` scope value [on an authentication request]. (If no `openid` scope value is present, the request may still be a valid OAuth 2.0 request but is not an OpenID Connect request.)",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,260,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,The Authorization Server MUST verify that all the REQUIRED [authentication request] parameters are present and their usage conforms to this specification.,SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,261,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"If the sub (subject) Claim is requested [on an authentication request] with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User identified by that sub value has an active session with the Authorization Server or has been Authenticated as a result of the request. 
",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,262,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST NOT reply [to an authentication request] with an ID Token or Access Token for a different user, even if they have an active session with the Authorization Server.",SHALL NOT,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,263,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"When an id_token_hint is present [on an authentication request], the OP MUST validate that it was the issuer of the ID Token. ",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,264,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"[When validating authentication requests received] If the Authorization Server encounters any error, it MUST return an error response, per [Section 3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation)",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,265,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,he Authorization Server MUST attempt to Authenticate the End-User [for an authentication request when] … The End-User is not already Authenticated.,SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,266,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST attempt to Authenticate the End-User [for an authentication request when] … The Authentication Request contains the prompt parameter with the value login. 
In this case, the Authorization Server MUST reauthenticate the End-User even if the End-User is already authenticated.",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,267,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST NOT interact with the End-User [on an authentication request when] the Authentication Request contains the prompt parameter with the value none. In this case, the Authorization Server MUST return an error if an End-User is not already Authenticated or could not be silently Authenticated.",SHALL NOT,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,268,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"In this case, [when the Authentication Request contains the prompt parameter with the value none] the Authorization Server MUST return an error if an End-User is not already Authenticated or could not be silently Authenticated.",SHALL NOT,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,269,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"When interacting with the End-User [for an authentication request], the Authorization Server MUST employ appropriate measures against Cross-Site Request Forgery and Clickjacking as, described in [Sections 10.12 and 10.13 of OAuth 2.0](https://openid.net/specs/openid-connect-core-1_0.html#RFC6749) [RFC6749].",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,270,https://www.udap.org/udap-user-auth-stu1.html,[When the IdP interacts with the user to authenticate the user] The Resource Holder MUST validate that the value of the state parameter in the query string matches the value generated in Step 3.4.,SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,271,https://www.udap.org/udap-user-auth-stu1.html,"[When the IdP interacts with the user to authenticate the user] If [the value of the state parameter in the query string ] does NOT match, the Resource Holder MUST 
terminate this workflow by redirecting the user’s browser to the Client App’s redirection URI with an error code of “server_error” as per standard OAuth 2.0 error flow.",SHALL NOT,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,272,https://www.udap.org/udap-user-auth-stu1.html,"If the Resource Holder receives ... an error response from the IdP [for an authentication request], the Resource Holder MUST first validate the value of the state parameter as described in Step 4.1",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,273,https://www.udap.org/udap-user-auth-stu1.html,"If the state value is valid [on an error response for an authentication request], the Resource Holder MUST terminate this workflow by redirecting the user’s browser to the Client App’s redirection URI with an error code of “access_denied” as per standard OAuth 2.0 error flow,",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,274,https://www.udap.org/udap-user-auth-stu1.html,The Client App MUST validate the value of the state parameter returned by the Resource Holder [in response to an authorization request] as per RFC 6749.,SHALL,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,275,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,"The client MUST implement CSRF protection for its redirection URI. 
This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state (e.g., a hash of the session cookie used to authenticate the user-agent).",SHALL,Client ,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,276,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,The binding value used for CSRF protection MUST contain a non-guessable value (as described in Section 10.10),SHALL,Client ,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,277,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,"the user-agent's authenticated state (e.g.,session cookie, HTML5 local storage) MUST be kept in a location accessible only to the client and the user-agent (i.e., protected by same-origin policy).",SHALL,Client ,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,278,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,The authorization server MUST implement CSRF protection for its authorization endpoint and ensure that a malicious client cannot obtain authorization without the awareness and explicit consent of the resource owner.,SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,279,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP returns a successful authentication response with valid state parameter value and an authorization code, the data holder SHALL exchange the code for an access token and ID Token by making a request to the IdP’s token endpoint as per [Section 3.1.3.1 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest) and Section 4.3 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).",SHALL,Server,hl7.fhir.us.udap-security_1.0.0@280-290,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,280,https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest,"[When making a token request] If the Client is a Confidential Client, then it MUST 
authenticate to the Token Endpoint using the authentication method registered for its `client_id`, as described in [Section 9](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication).",SHALL,Client,,true,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,281,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST authenticate to the IdP’s token endpoint [when requesting an ID token and access token] as detailed in Section 5 of UDAP JWT-based Client Authentication,SHALL,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,282,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP returns an ID Token, the data holder SHALL then validate the ID Token as per Section [3.1.3.5 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation).",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,283,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The Client MUST validate the Token Response … Follow[ing] the validation rules in RFC 6749, especially those in [Sections 5.1 and 10.12](https://datatracker.ietf.org/doc/rfc6749/).",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,284,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,[When constructing an an access token response] the `access_token` parameter [is] `REUIRED`… [and] added to the entity-body of the HTTP response with a 200 (OK) status code,SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,285,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,[When constructing an an access token response] the `token_type` parameter [is] `REUIRED`… [and] added to the entity-body of the HTTP response with a 200 (OK) status code,SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,286,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,Web application clients MUST ensure 
confidentiality of client passwords and other client credentials.,SHALL,Client,,,NA,NA,, +hl7.fhir.us.udap-security_1.0.0_reqs,287,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,The authorization server MUST NOT issue client passwords or other client credentials to native application or user-agent-based application clients for the purpose of client authentication. ,SHALL NOT,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,288,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The authorization server must consider the security implications of interacting with unauthenticated clients and take measures to limit the potential exposure of other credentials (e.g., refresh tokens) issued to such clients. ",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,289,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The Client MUST validate the Token Response ... + +Follow[ing] the ID Token validation rules in Section [3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,290,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The Client MUST validate the Token Response ... 
+ +Follow[ing] the Access Token validation rules in Section [3.1.3.8](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation)",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,291,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP does not return an ID Token, or the ID Token cannot be successfully validated, or an error response is retured by the IdP, the data holder MAY return an `invalid_idp` error code to the client app or attempt an alternate user authentication ",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,292,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"When an ID Token has been returned and validated, the data holder SHOULD use the ID Token to attempt to match the authenticated user to a user or role in its own system, as appropriate for the resources requested.",SHOULD,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,293,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"the data holder can attempt to map the pair (`iss`,`sub`) to a known users in the data holder’s system.",MAY,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,294,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication," If the data holder has previously performed this mapping or has otherwise bound the pair (`iss`,`sub`) to a local user or role, it MAY rely on this previous mapping for subsequent authentications",JUNE,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,295,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,the data holder MAY interact with the user following the redirection from the IdP back to the data holder’s redirection URI to increase confidence in the [role] resolution process.,MAY,Server,,,,,NA,NA 
+hl7.fhir.us.udap-security_1.0.0_reqs,296,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder is unable to resolve the authenticated user to a local user or role, as appropriate for the resources requested, it SHALL return an `access_denied` error response to the client app’s authorization request and terminate the workflow.",SHALL,Server,,,,,NA,NA +hl7.fhir.us.udap-security_1.0.0_reqs,297,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder successfully maps the authenticated user to a user or role in its own system, as appropriate for the resources requested, it SHALL also obtain authorization from the user for the scopes requested by the client app, if such authorization is required, as per Section [4.5 of UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html), returning to the workflow defined in [Section 4.1](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code) or [Section 5.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code) of this guide, for consumer-facing or B2B apps, respectively.",SHALL,Server,,,,,NA,NA diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/authorization_code_usage_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/authorization_code_usage_test.rb new file mode 100644 index 0000000..bfea1c8 --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/authorization_code_usage_test.rb 
@@ -0,0 +1,45 @@
+module UDAPSecurityTestKit
+ class AuthorizationCodeUsageAttestationTest < Inferno::Test
+ title 'Authorization code is used correctly'
+ id :udap_security_client_auth_code_usage
+ description %(
+ Client applications SHALL use the authorization code correctly by:
+ - Ensuring the authorization code is not used more than once.
+ - Requesting an authorization code as per Section 4.1.1 of RFC 6749.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@136',
+ 'hl7.fhir.us.udap-security@188'
+
+ input :authorization_code_usage_correctly,
+ title: "Authorization code is used correctly",
+ description: %(
+ I attest that the client application uses the authorization code correctly by:
+ - Ensuring the authorization code is not used more than once.
+ - Requesting an authorization code as per Section 4.1.1 of RFC 6749.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :authorization_code_usage_correctly_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert authorization_code_usage_correctly == 'true',
+ 'Client application did not demonstrate correct usage of the authorization code.'
+ pass authorization_code_usage_correctly_note if authorization_code_usage_correctly_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb
new file mode 100644
index 0000000..74fdfac
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb
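Review bot: The single radio `authorization_code_usage_correctly` folds two unrelated requirements into one answer — @136 (each code is used at most once) and @188 (the code is requested per RFC 6749 §4.1.1) — so a No cannot be attributed to either, while the B2B test added in this same patch gives each requirement its own input; splitting this into two inputs with their own assert messages would keep the coverage report meaningful. The failure text `'Client application did not demonstrate correct usage of the authorization code.'` is also misleading for an attestation, where nothing is demonstrated; `'Tester did not attest that the client uses each authorization code at most once and requests it per RFC 6749 Section 4.1.1.'` describes what actually failed. Single use of a code is, in addition, something a simulated token endpoint could observe directly by rejecting a replayed `code`, if this client suite records the token requests it receives.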
@@ -0,0 +1,136 @@
+module UDAPSecurityTestKit
+ class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test
+ title 'B2B Authorization Extension Object Compliance'
+ id :udap_security_b2b_authorization_extension_object
+ description %(
+ Client applications SHALL comply with the requirements for the B2B Authorization Extension Object:
+ - `subject_name` SHALL be required if known for human or non-human requestors.
+ - `subject_id` SHALL be required if known for human requestors when `subject_name` is present.
+ - `subject_id` SHALL be the National Provider Identifier (NPI) for US Realm human requestors.
+ - `subject_id` SHALL be omitted for non-human requestors or requestors without an NPI.
+ - `consent_reference` SHALL include resolvable URLs and SHALL be omitted if `consent_policy` is not present.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@203',
+ 'hl7.fhir.us.udap-security@204',
+ 'hl7.fhir.us.udap-security@205',
+ 'hl7.fhir.us.udap-security@206',
+ 'hl7.fhir.us.udap-security@207',
+ 'hl7.fhir.us.udap-security@219',
+ 'hl7.fhir.us.udap-security@220',
+ 'hl7.fhir.us.udap-security@221'
+
+ input :subject_name_compliance,
+ title: "Client application includes `subject_name` if known",
+ description: %(
+ I attest that the client application includes the `subject_name` parameter if it is known for human or non-human requestors.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :subject_name_compliance_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ input :subject_id_compliance,
+ title: "Client application includes `subject_id` for human requestors when `subject_name` is present",
+ description: %(
+ I attest that the client application includes the `subject_id` parameter for human requestors when the `subject_name` parameter is present.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :subject_id_compliance_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ input :subject_id_npi_compliance,
+ title: "Client application uses NPI for `subject_id` in US Realm human requestors",
+ description: %(
+ I attest that the client application uses the National Provider Identifier (NPI) as the value for `subject_id` for human requestors in the US Realm.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :subject_id_npi_compliance_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ input :consent_reference_compliance,
+ title: "Client application ensures `consent_reference` URLs are resolvable",
+ description: %(
+ I attest that the client application ensures that the `consent_reference` parameter includes URLs that are resolvable by the receiving party and omits `consent_reference` if `consent_policy` is not present.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :consent_reference_compliance_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert subject_name_compliance == 'true',
+ 'Client application did not include `subject_name` when it was known.'
+ pass subject_name_compliance_note if subject_name_compliance_note.present?
+
+ assert subject_id_compliance == 'true',
+ 'Client application did not include `subject_id` for human requestors when `subject_name` was present.'
+ pass subject_id_compliance_note if subject_id_compliance_note.present?
+
+ assert subject_id_npi_compliance == 'true',
+ 'Client application did not use NPI for `subject_id` for human requestors in the US Realm.'
+ pass subject_id_npi_compliance_note if subject_id_npi_compliance_note.present?
+
+ assert consent_reference_compliance == 'true',
+ 'Client application did not ensure `consent_reference` URLs were resolvable or omitted `consent_reference` when `consent_policy` was not present.'
+ pass consent_reference_compliance_note if consent_reference_compliance_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb
new file mode 100644
index 0000000..108fe80
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb
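Review bot: In the `run` block, `pass subject_name_compliance_note if subject_name_compliance_note.present?` sits between the asserts; if `pass` halts the block as Inferno's result helpers do, a tester who fills in a note on the first question and answers No to `subject_id`, the NPI rule or `consent_reference` still gets a passing result because the later asserts never execute. Keep the four asserts together, remove the three interleaved `pass` lines, and report notes once after the last assert: `notes = [subject_name_compliance_note, subject_id_compliance_note, subject_id_npi_compliance_note, consent_reference_compliance_note].select(&:present?)` followed by `pass notes.join("\n\n") if notes.any?`. The CSRF and scopes tests in this patch repeat the same pattern.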
@@ -0,0 +1,101 @@
+module UDAPSecurityTestKit
+ class ClientSecurityAndCSRFProtectionAttestationTest < Inferno::Test
+ title 'Client Security and CSRF Protection Compliance'
+ id :udap_security_client_security_csrf_protection
+ description %(
+ Client applications SHALL comply with the requirements for Client Security and CSRF Protection:
+ - Implement CSRF protection for its redirection URI.
+ - Use a binding value for CSRF protection that contains a non-guessable value.
+ - Ensure the user-agent's authenticated state is accessible only to the client and user-agent, protected by the same-origin policy.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@275',
+ 'hl7.fhir.us.udap-security@276',
+ 'hl7.fhir.us.udap-security@277'
+
+ input :csrf_protection_implementation,
+ title: "Client application implements CSRF protection for its redirection URI",
+ description: %(
+ I attest that the client application implements CSRF protection for its redirection URI to prevent cross-site request forgery attacks.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :csrf_protection_implementation_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ input :csrf_binding_value_compliance,
+ title: "Client application uses a non-guessable binding value for CSRF protection",
+ description: %(
+ I attest that the client application uses a binding value for CSRF protection that contains a non-guessable value to ensure security.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :csrf_binding_value_compliance_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ input :authenticated_state_protection,
+ title: "Client application ensures authenticated state is protected by same-origin policy",
+ description: %(
+ I attest that the client application ensures the user-agent's authenticated state is stored in a location accessible only to the client and user-agent, protected by the same-origin policy.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :authenticated_state_protection_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert csrf_protection_implementation == 'true',
+ 'Client application did not implement CSRF protection for its redirection URI.'
+ pass csrf_protection_implementation_note if csrf_protection_implementation_note.present?
+
+ assert csrf_binding_value_compliance == 'true',
+ 'Client application did not use a non-guessable binding value for CSRF protection.'
+ pass csrf_binding_value_compliance_note if csrf_binding_value_compliance_note.present?
+
+ assert authenticated_state_protection == 'true',
+ 'Client application did not ensure the user-agent\'s authenticated state is protected by the same-origin policy.'
+ pass authenticated_state_protection_note if authenticated_state_protection_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb
new file mode 100644
index 0000000..fcdcaf0
--- /dev/null
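Review bot: The `pass csrf_protection_implementation_note if csrf_protection_implementation_note.present?` line after the first assert ends the test early whenever that note is non-empty, so the `csrf_binding_value_compliance` and `authenticated_state_protection` answers are never checked in that case — assuming `pass` raises to stop the run block, which is how Inferno's `pass` behaves. Move the note reporting after the last assert, e.g. `notes = [csrf_protection_implementation_note, csrf_binding_value_compliance_note, authenticated_state_protection_note].select(&:present?)` and `pass notes.join("\n\n") if notes.any?`. Beyond that, @275/@276 are partly observable rather than purely attestable: the authorization request the simulated server receives carries the client's `state`, and the suite could assert it is present and not constant across launches, if this client suite records that request.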
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb
@@ -0,0 +1,40 @@
+module UDAPSecurityTestKit
+ class IdPSupportsRequiredScopesAttestationTest < Inferno::Test
+ title 'IdP supports required scopes'
+ id :udap_security_idp_supports_scopes
+ description %(
+ Identity Providers (IdPs) SHALL include `"openid"` and `"udap"` in the array of scopes returned for the `scopes_supported` parameter.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@235'
+
+ input :idp_supports_required_scopes,
+ title: "IdP supports required scopes",
+ description: %(
+ I attest that the Identity Provider (IdP) includes `"openid"` and `"udap"` in the array of scopes returned for the `scopes_supported` parameter.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :idp_supports_required_scopes_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert idp_supports_required_scopes == 'true',
+ 'Identity Provider (IdP) did not demonstrate support for required scopes.'
+ pass idp_supports_required_scopes_note if idp_supports_required_scopes_note.present?
+ end
+ end
+end
\ No newline at end of file
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb
new file mode 100644
index 0000000..3abb2fa
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb
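Review bot: This test sits in the client attestation directory but asks the tester to vouch for the Identity Provider — requirement @235, the content of the IdP's `scopes_supported` — which a client developer cannot attest to, and the failure message `'Identity Provider (IdP) did not demonstrate support for required scopes.'` confirms the subject is the IdP rather than the client under test. It belongs with the IdP/server checks, and it need not be an attestation at all: fetching the IdP's `.well-known/openid-configuration` and asserting that `scopes_supported` includes both `openid` and `udap` is mechanical. Minor: the file has no trailing newline (`\ No newline at end of file`), unlike most of its siblings in this patch.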
@@ -0,0 +1,42 @@
+module UDAPSecurityTestKit
+ class JTIReusePreventionAttestationTest < Inferno::Test
+ title 'Client prevents reuse of JTI values in authentication tokens'
+ id :udap_security_jti_reuse_prevention
+ description %(
+ Client applications SHALL prevent reuse of JTI values in authentication tokens by:
+ - Ensuring the `jti` parameter is not reused in another authentication JWT before the time specified in the `exp` claim has passed.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@159'
+
+ input :jti_reuse_prevention_correctly,
+ title: "Client prevents reuse of JTI values in authentication tokens",
+ description: %(
+ I attest that the client application prevents reuse of JTI values in authentication tokens by:
+ - Ensuring the `jti` parameter is not reused in another authentication JWT before the time specified in the `exp` claim has passed.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :jti_reuse_prevention_correctly_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert jti_reuse_prevention_correctly == 'true',
+ 'Client application did not demonstrate prevention of JTI reuse in authentication tokens.'
+ pass jti_reuse_prevention_correctly_note if jti_reuse_prevention_correctly_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb
new file mode 100644
index 0000000..d9e433d
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb
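Review bot: `jti` replay by the client is something a simulated token endpoint can detect mechanically — remember each (`client_id`, `jti`, `exp`) seen in an authentication JWT and fail when a `jti` recurs before its `exp` — so, if this client suite receives the client's token requests, an automated check would verify @159 far more strongly than this Yes/No attestation, which lets a tester self-certify something the kit could refute; at minimum the description should state that the kit does not itself check for reuse. The input name `jti_reuse_prevention_correctly` also breaks the `<topic>_compliance` naming used by the multi-input tests in this patch; `jti_reuse_prevention_compliance` reads better and matches the failure message.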
@@ -0,0 +1,45 @@
+module UDAPSecurityTestKit
+ class MetadataInterpretationAttestationTest < Inferno::Test
+ title 'Client interprets metadata correctly'
+ id :udap_security_metadata_interpretation
+ description %(
+ Client applications SHALL interpret metadata correctly by:
+ - Interpreting an empty array value in metadata as indicating that the corresponding capability is NOT supported by the server.
+ - Using applicable values returned in a server’s UDAP metadata for workflows defined in this guide.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@20',
+ 'hl7.fhir.us.udap-security@21'
+
+ input :interprets_metadata_correctly,
+ title: "Interprets metadata correctly",
+ description: %(
+ I attest that the client application interprets metadata correctly by:
+ - Interpreting an empty array value in metadata as indicating that the corresponding capability is NOT supported by the server.
+ - Using applicable values returned in a server’s UDAP metadata for workflows defined in this guide.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :interprets_metadata_correctly_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert interprets_metadata_correctly == 'true',
+ 'Client application did not demonstrate correct interpretation of metadata.'
+ pass interprets_metadata_correctly_note if interprets_metadata_correctly_note.present?
+ end
+ end
+end
\ No newline at end of file
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb
new file mode 100644
index 0000000..f430118
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb
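Review bot: The requirement keys `'hl7.fhir.us.udap-security@20'` and `'hl7.fhir.us.udap-security@21'` carry no version, whereas the coverage CSV earlier in this patch references requirements as `hl7.fhir.us.udap-security_1.0.0@…`; if Inferno matches `verifies_requirements` against the versioned requirement-set id, these entries will not be linked to the CSV rows and the coverage report will show them as unverified. Worth confirming the expected key format once and applying it to every test in this patch, since they all use the unversioned form. The file also lacks a trailing newline (`\ No newline at end of file`).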
@@ -0,0 +1,45 @@
+module UDAPSecurityTestKit
+ class PreferredIdentityProviderAttestationTest < Inferno::Test
+ title 'Client indicates preferred Identity Provider'
+ id :udap_security_preferred_idp
+ description %(
+ Client applications SHALL indicate the preferred Identity Provider (IdP) to the data holder by:
+ - Adding `udap` to the list of scopes provided in the `scope` query parameter.
+ - Adding the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@236',
+ 'hl7.fhir.us.udap-security@237'
+
+ input :indicates_preferred_idp,
+ title: "Client indicates preferred Identity Provider",
+ description: %(
+ I attest that the client application indicates the preferred Identity Provider (IdP) to the data holder by:
+ - Adding `udap` to the list of scopes provided in the `scope` query parameter.
+ - Adding the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :indicates_preferred_idp_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert indicates_preferred_idp == 'true',
+ 'Client application did not demonstrate correct indication of the preferred Identity Provider.'
+ pass indicates_preferred_idp_note if indicates_preferred_idp_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb
new file mode 100644
index 0000000..808e7ee
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb
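Review bot: This test and `udap_security_scopes_identity_provider_interaction` both list `'hl7.fhir.us.udap-security@236'` and ask the tester the same question about adding `udap` to the `scope` parameter, so the attestation is collected twice and @236 is double-counted in coverage; limiting this test to @237 (the `idp` extension parameter) or dropping the first input of the scopes test removes the overlap. Both the `udap` scope and the `idp` query parameter are visible in the authorization request the simulated server receives, so if this client suite records that request they could be asserted directly rather than attested. As elsewhere in the patch, `'Client application did not demonstrate correct indication of the preferred Identity Provider.'` should be worded as an attestation failure, since nothing is demonstrated here.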
@@ -0,0 +1,43 @@
+module UDAPSecurityTestKit
+ class PrivateKeyAuthenticationAttestationTest < Inferno::Test
+ title 'Client uses private key authentication correctly'
+ id :udap_security_private_key_authentication
+ description %(
+ Client applications SHALL use private key authentication correctly by:
+ - Omitting the HTTP Authorization header and client secret in token endpoint requests when authenticating with a private key and Authentication Token.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@164',
+ 'hl7.fhir.us.udap-security@224'
+
+ input :private_key_authentication_correctly,
+ title: "Client uses private key authentication correctly",
+ description: %(
+ I attest that the client application uses private key authentication correctly by:
+ - Omitting the HTTP Authorization header and client secret in token endpoint requests when authenticating with a private key and Authentication Token.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :private_key_authentication_correctly_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert private_key_authentication_correctly == 'true',
+ 'Client application did not demonstrate correct private key authentication.'
+ pass private_key_authentication_correctly_note if private_key_authentication_correctly_note.present?
+ end
+ end
+end
\ No newline at end of file
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb
new file mode 100644
index 0000000..ed22f68
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb
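Review bot: Whether the client sends an `Authorization` header or a `client_secret` alongside its private-key token request is directly visible to the simulated token endpoint, so if this client suite records token requests this belongs in an automated check (assert the recorded request carries no `Authorization` header and no `client_secret` form field) rather than a Yes/No attestation, which gives the tester a way to self-certify something the kit could have refuted. If the attestation is kept, the description should say explicitly that the kit does not verify it against observed traffic. The file lacks a trailing newline (`\ No newline at end of file`).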
@@ -0,0 +1,101 @@ +module UDAPSecurityTestKit + class ScopesAndIdentityProviderInteractionAttestationTest < Inferno::Test + title 'Scopes and Identity Provider Interaction Compliance' + id :udap_security_scopes_identity_provider_interaction + description %( + Client applications SHALL comply with the requirements for Scopes and Identity Provider Interaction: + - The client app indicates the preferred Identity Provider by adding `udap` to the list of scopes in the `scope` query parameter. + - The `scope` query parameter of the authentication request SHALL contain at least the values `openid` and `udap`. + - The Identity Provider SHALL authenticate the user as per OIDC Core and UDAP Tiered OAuth specifications. + ) + verifies_requirements 'hl7.fhir.us.udap-security@236', + 'hl7.fhir.us.udap-security@256', + 'hl7.fhir.us.udap-security@257' + + input :scope_includes_udap, + title: "Client application includes `udap` in the `scope` query parameter", + description: %( + I attest that the client application includes `udap` in the list of scopes provided in the `scope` query parameter to indicate the preferred Identity Provider. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :scope_includes_udap_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + input :scope_contains_openid_udap, + title: "Client application ensures `scope` query parameter contains `openid` and `udap`", + description: %( + I attest that the client application ensures the `scope` query parameter of the authentication request contains at least the values `openid` and `udap`. 
+ ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :scope_contains_openid_udap_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + input :idp_authentication_compliance, + title: "Identity Provider authenticates user as per OIDC Core and UDAP Tiered OAuth specifications", + description: %( + I attest that the Identity Provider authenticates the user according to the OIDC Core and UDAP Tiered OAuth specifications. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :idp_authentication_compliance_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert scope_includes_udap == 'true', + 'Client application did not include `udap` in the `scope` query parameter to indicate the preferred Identity Provider.' + pass scope_includes_udap_note if scope_includes_udap_note.present? + + assert scope_contains_openid_udap == 'true', + 'Client application did not ensure the `scope` query parameter contains at least `openid` and `udap`.' + pass scope_contains_openid_udap_note if scope_contains_openid_udap_note.present? + + assert idp_authentication_compliance == 'true', + 'Identity Provider did not authenticate the user as per OIDC Core and UDAP Tiered OAuth specifications.' + pass idp_authentication_compliance_note if idp_authentication_compliance_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb new file mode 100644 index 0000000..89bd086 --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb 
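Review bot: The second and third attestations are never checked when the first one carries a note, because in the Inferno DSL `pass` raises a pass exception that ends the run block, so `pass scope_includes_udap_note if scope_includes_udap_note.present?` short-circuits before `scope_contains_openid_udap` and `idp_authentication_compliance` are asserted; a tester can answer "No" to those and still pass by writing a note on the first. All asserts should run first, with notes collected and reported by a single `pass` at the end. The same pattern is in software_statement_registration_test.rb and validation_confidentiality_test.rb.
```ruby
run do
  assert scope_includes_udap == 'true',
         'Client application did not include `udap` in the `scope` query parameter to indicate the preferred Identity Provider.'
  assert scope_contains_openid_udap == 'true',
         'Client application did not ensure the `scope` query parameter contains at least `openid` and `udap`.'
  assert idp_authentication_compliance == 'true',
         'Identity Provider did not authenticate the user as per OIDC Core and UDAP Tiered OAuth specifications.'

  # `pass` ends the run block, so surface notes only after every attestation has been checked
  notes = [scope_includes_udap_note, scope_contains_openid_udap_note, idp_authentication_compliance_note].select(&:present?)
  pass notes.join("\n\n") if notes.any?
end
```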
@@ -0,0 +1,71 @@ +module UDAPSecurityTestKit + class SoftwareStatementAndRegistrationAttestationTest < Inferno::Test + title 'Software Statement and Registration Compliance' + id :udap_security_software_statement_registration + description %( + Client applications SHALL comply with the requirements for Software Statement and Registration: + - The `jti` claim in the JWT SHALL NOT be reused before the `exp` claim has passed. + - A registration response with an empty `grant_types` array SHALL be interpreted as a cancellation of the `client_id` registration by the Authorization Server. + ) + verifies_requirements 'hl7.fhir.us.udap-security@82', + 'hl7.fhir.us.udap-security@123' + + input :jti_reuse_compliance, + title: "Client application does not reuse the `jti` claim before the `exp` claim has passed", + description: %( + I attest that the client application ensures that the `jti` claim in the JWT is not reused in another software statement or authentication JWT before the time specified in the `exp` claim has passed. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :jti_reuse_compliance_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + input :grant_types_empty_array_compliance, + title: "Client application interprets empty `grant_types` array as registration cancellation", + description: %( + I attest that the client application interprets a registration response containing an empty `grant_types` array as a confirmation that the registration for the `client_id` listed in the response has been cancelled by the Authorization Server. 
+ ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :grant_types_empty_array_compliance_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert jti_reuse_compliance == 'true', + 'Client application reused the `jti` claim before the `exp` claim has passed.' + pass jti_reuse_compliance_note if jti_reuse_compliance_note.present? + + assert grant_types_empty_array_compliance == 'true', + 'Client application did not interpret an empty `grant_types` array as registration cancellation.' + pass grant_types_empty_array_compliance_note if grant_types_empty_array_compliance_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb new file mode 100644 index 0000000..b3eff09 --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb 
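Review bot: The `jti_reuse_compliance` attestation appears to overlap with the separate `jti_reuse_prevention_test` that client_attestation_group.rb also loads (id `udap_security_jti_reuse_prevention`); that file is not in this hunk, so if it attests the same `jti`/`exp` behaviour the tester is asked twice and the requirement mapping should be consolidated in one place. A one-line comment above the input noting which requirement each test owns, e.g. `# @82 (jti reuse) is attested here; jti_reuse_prevention_test covers the remaining jti requirements`, would make the split deliberate.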
@@ -0,0 +1,45 @@ +module UDAPSecurityTestKit + class TokenRequestAuthenticationAttestationTest < Inferno::Test + title 'Client authenticates correctly when making token requests' + id :udap_security_token_request_authentication + description %( + Client applications SHALL authenticate correctly when making token requests by: + - Including the `client_id` parameter in the token request if the client is not authenticating with the authorization server. + - Authenticating to the Token Endpoint using the method registered for its `client_id` if the client is a Confidential Client. + ) + verifies_requirements 'hl7.fhir.us.udap-security@144', + 'openid.connect.core@280' + + input :token_request_authentication_correctly, + title: "Client authenticates correctly when making token requests", + description: %( + I attest that the client application authenticates correctly when making token requests by: + - Including the `client_id` parameter in the token request if the client is not authenticating with the authorization server. + - Authenticating to the Token Endpoint using the method registered for its `client_id` if the client is a Confidential Client. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :token_request_authentication_correctly_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert token_request_authentication_correctly == 'true', + 'Client application did not demonstrate correct authentication during token requests.' + pass token_request_authentication_correctly_note if token_request_authentication_correctly_note.present? + end + end +end 
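Review bot: One radio input covers two requirements from two different specifications (`hl7.fhir.us.udap-security@144` and `openid.connect.core@280`), so a "No" answer cannot indicate which one the client fails and the coverage report loses that granularity. Splitting into one input per bullet, as scopes_identity_provider_interaction_test.rb already does, keeps each `verifies_requirements` entry independently falsifiable. The same bundling is in access_token_request_validation_test.rb (four requirements), authorization_code_usage_test.rb, certification_handling_test.rb and dynamic_client_registration_validation_test.rb.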
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb new file mode 100644 index 0000000..3cfe5cf --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb @@ -0,0 +1,41 @@ +module UDAPSecurityTestKit + class TrustCommunityAndQueryParametersAttestationTest < Inferno::Test + title 'Trust Community and Query Parameters Compliance' + id :udap_security_trust_community_query_parameters + description %( + Client applications SHALL comply with the requirements for Trust Community and Query Parameters: + - When the client adds the `community` query parameter, the value SHALL be a URI as determined by the trust community. + ) + verifies_requirements 'hl7.fhir.us.udap-security@61' + + input :community_query_parameter_compliance, + title: "Client application ensures `community` query parameter value is a valid URI", + description: %( + I attest that the client application ensures the value of the `community` query parameter is a valid URI as determined by the trust community. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :community_query_parameter_compliance_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert community_query_parameter_compliance == 'true', + 'Client application did not ensure the `community` query parameter value is a valid URI as determined by the trust community.' + pass community_query_parameter_compliance_note if community_query_parameter_compliance_note.present? + end + end +end 
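Review bot: Whether the `community` query parameter value is a URI is machine-checkable from the authorization request, so an attestation here is weaker than needed if the suite already captures that request elsewhere (not visible in this hunk); a `URI.parse` on the captured value would replace the self-report. If attestation is intentional because the request is not captured in this group, a comment such as `# attestation only: the authorization request is not captured by this group` would stop a later reviewer from asking the same question. The same holds for `expires_in` in access_token_lifetime_test.rb.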
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb new file mode 100644 index 0000000..204c84d --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb 
@@ -0,0 +1,71 @@ +module UDAPSecurityTestKit + class ValidationAndConfidentialityAttestationTest < Inferno::Test + title 'Validation and Confidentiality Compliance' + id :udap_security_validation_confidentiality + description %( + Client applications SHALL comply with the requirements for Validation and Confidentiality: + - Validate the `state` parameter returned by the Resource Holder in response to an authorization request. + - Ensure confidentiality of client passwords and other client credentials. + ) + verifies_requirements 'hl7.fhir.us.udap-security@274', + 'hl7.fhir.us.udap-security@286' + + input :state_parameter_validation, + title: "Client application validates the `state` parameter returned by the Resource Holder", + description: %( + I attest that the client application validates the `state` parameter returned by the Resource Holder in response to an authorization request to ensure it matches the value sent in the original request. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :state_parameter_validation_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + input :client_credentials_confidentiality, + title: "Client application ensures confidentiality of client passwords and credentials", + description: %( + I attest that the client application ensures confidentiality of client passwords and other client credentials by securely storing and transmitting them. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :client_credentials_confidentiality_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert state_parameter_validation == 'true', + 'Client application did not validate the `state` parameter returned by the Resource Holder.' 
+ pass state_parameter_validation_note if state_parameter_validation_note.present? + + assert client_credentials_confidentiality == 'true', + 'Client application did not ensure confidentiality of client passwords and other client credentials.' + pass client_credentials_confidentiality_note if client_credentials_confidentiality_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb new file mode 100644 index 0000000..109b2af --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb 
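Review bot: The `client_credentials_confidentiality` attestation is phrased too loosely to be falsifiable ("securely storing and transmitting them"), so a tester has nothing concrete to confirm or deny. The input description should name what is being attested, for example that credentials are never placed in URLs, logs or the `Authorization` header of non-token requests and are sent only over TLS, in a short list like the other inputs use. The `state_parameter_validation` input also appears to overlap with client_security_csrf_protection_test.rb loaded by the group file; that file is outside this hunk, so confirm the two are not asking the same question.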
@@ -0,0 +1,39 @@
+require_relative 'client/authorization_code_usage_test'
+require_relative 'client/b2b_authorization_extension_object_test'
+require_relative 'client/client_security_csrf_protection_test'
+require_relative 'client/idp_supports_required_scopes_test'
+require_relative 'client/jti_reuse_prevention_test'
+require_relative 'client/metadata_interpretation_test'
+require_relative 'client/preferred_identity_provider_test'
+require_relative 'client/private_key_authentication_test'
+require_relative 'client/scopes_identity_provider_interaction_test'
+require_relative 'client/software_statement_registration_test'
+require_relative 'client/token_request_authentication_test'
+require_relative 'client/trust_community_query_parameters_test'
+require_relative 'client/validation_confidentiality_test'
+
+module UDAPSecurityTestKit
+ class ClientAttestationGroup < Inferno::TestGroup
+ id :udap_client_v100_visual_inspection_and_attestation
+ title 'Visual Inspection and Attestation'
+
+ description <<~DESCRIPTION
+ Perform visual inspections or attestations to ensure that the Client is conformant to the UDAP IG requirements.
+ DESCRIPTION
+
+ run_as_group
+ test from: :udap_security_client_auth_code_usage
+ test from: :udap_security_idp_supports_scopes
+ test from: :udap_security_jti_reuse_prevention
+ test from: :udap_security_metadata_interpretation
+ test from: :udap_security_preferred_idp
+ test from: :udap_security_private_key_authentication
+ test from: :udap_security_token_request_authentication
+ test from: :udap_security_software_statement_registration
+ test from: :udap_security_b2b_authorization_extension_object
+ test from: :udap_security_client_security_csrf_protection
+ test from: :udap_security_scopes_identity_provider_interaction
+ test from: :udap_security_validation_confidentiality
+ test from: :udap_security_trust_community_query_parameters
+ end
+end
\ No newline at end of file
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group.rb
new file mode 100644
index 0000000..34c652e
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group.rb
@@ -0,0 +1,15 @@
+require_relative 'authorization_code_token_requests_group/authorization_code_usage_test'
+require_relative 'authorization_code_token_requests_group/access_token_request_validation_test'
+require_relative 'authorization_code_token_requests_group/access_token_lifetime_test'
+
+module UDAPSecurityTestKit
+ class AuthorizationCodeTokenRequestsAttestationGroup < Inferno::TestGroup
+ id :udap_server_v100_authorization_code_token_requests_group
+ title 'Authorization Code and Token Requests'
+
+ run_as_group
+ test from: :udap_security_auth_code_usage
+ test from: :udap_security_access_token_request_validation
+ test from: :udap_security_access_token_lifetime
+ end
+end
\ No newline at end of file
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb
new file mode 100644
index 0000000..717d1aa
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb
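Review bot: The server-side groups carry no `description`, unlike `ClientAttestationGroup` in client_attestation_group.rb, so the UI gives the tester no statement of what these attestations are for or who answers them. A `description` after `title`, e.g. `description 'Attest that the Authorization Server meets the UDAP authorization code and token request requirements that are not verified automatically.'`, would match the client group. The same is missing in dynamic_client_registration_group.rb and error_handling_group.rb.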
@@ -0,0 +1,40 @@ +module UDAPSecurityTestKit + class AccessTokenLifetimeAttestationTest < Inferno::Test + title 'Access tokens have a lifetime of no longer than 60 minutes' + id :udap_security_access_token_lifetime + description %( + The Authorization Server SHALL issue access tokens with a lifetime no longer than 60 minutes for all successful token requests. + ) + verifies_requirements 'hl7.fhir.us.udap-security@184' + + input :access_token_lifetime_correct, + title: "Access tokens have a lifetime of no longer than 60 minutes", + description: %( + I attest that the Authorization Server issues access tokens with a lifetime no longer than 60 minutes for all successful token requests. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :access_token_lifetime_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert access_token_lifetime_correct == 'true', + 'Authorization Server did not issue access tokens with a lifetime no longer than 60 minutes.' + pass access_token_lifetime_note if access_token_lifetime_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb new file mode 100644 index 0000000..5982369 --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb 
@@ -0,0 +1,51 @@ +module UDAPSecurityTestKit + class AccessTokenRequestValidationAttestationTest < Inferno::Test + title 'Access token request is validated correctly' + id :udap_security_access_token_request_validation + description %( + The Authorization Server SHALL validate access token requests by: + - Requiring client authentication for confidential clients or clients issued credentials. + - Authenticating the client if client authentication is included. + - Verifying that the authorization code is valid. + - Ensuring the `redirect_uri` parameter is present and matches the initial authorization request. + ) + verifies_requirements 'hl7.fhir.us.udap-security@146', + 'hl7.fhir.us.udap-security@147', + 'hl7.fhir.us.udap-security@149', + 'hl7.fhir.us.udap-security@150' + + input :access_token_request_validation_correct, + title: "Access token request is validated correctly", + description: %( + I attest that the Authorization Server validates access token requests by: + - Requiring client authentication for confidential clients or clients issued credentials. + - Authenticating the client if client authentication is included. + - Verifying that the authorization code is valid. + - Ensuring the `redirect_uri` parameter is present and matches the initial authorization request. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :access_token_request_validation_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert access_token_request_validation_correct == 'true', + 'Authorization Server did not validate access token requests correctly.' + pass access_token_request_validation_note if access_token_request_validation_note.present? + end + end +end 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb new file mode 100644 index 0000000..c15f636 --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb @@ -0,0 +1,45 @@ +module UDAPSecurityTestKit + class AuthorizationCodeUsageAttestationTest < Inferno::Test + title 'Authorization code is used correctly' + id :udap_security_auth_code_usage + description %( + The Authorization Server SHALL ensure that: + - Authorization codes are not used more than once. + - Authorization codes expire shortly after issuance to mitigate the risk of leaks. + ) + verifies_requirements 'hl7.fhir.us.udap-security@135', + 'hl7.fhir.us.udap-security@137' + + input :authorization_code_usage_correct, + title: "Authorization code is used correctly", + description: %( + I attest that the Authorization Server ensures: + - Authorization codes are not used more than once. + - Authorization codes expire shortly after issuance to mitigate the risk of leaks. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :authorization_code_usage_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert authorization_code_usage_correct == 'true', + 'Authorization Server did not ensure correct usage of authorization codes.' + pass authorization_code_usage_note if authorization_code_usage_note.present? + end + end +end 
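Review bot: The attestation for "authorization codes are not used more than once" only covers rejecting the second use; RFC 6749 §4.1.2 additionally expects the server, where possible, to revoke tokens previously issued from a code that is presented twice, which is the part that actually limits damage from a leaked code. If requirement `hl7.fhir.us.udap-security@135` includes that behaviour (not visible here), the bullet should read `- Authorization codes are not used more than once, and reuse revokes tokens already issued from that code.` in both the description and the input description; if it does not, a short comment saying the revocation expectation is out of scope would prevent the question being raised again.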
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group.rb
new file mode 100644
index 0000000..8a92d63
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group.rb
@@ -0,0 +1,15 @@
+require_relative 'dynamic_client_registration_group/certification_handling_test'
+require_relative 'dynamic_client_registration_group/client_id_modification_test'
+require_relative 'dynamic_client_registration_group/dynamic_client_registration_validation_test'
+
+module UDAPSecurityTestKit
+ class DynamicClientRegistrationAttestationGroup < Inferno::TestGroup
+ id :udap_server_v100_dynamic_client_registration_group
+ title 'Dynamic Client Registration'
+
+ run_as_group
+ test from: :udap_security_dynamic_client_registration_validation
+ test from: :udap_security_certification_handling
+ test from: :udap_security_client_id_modification
+ end
+end
\ No newline at end of file
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb
new file mode 100644
index 0000000..3849bd9
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb
@@ -0,0 +1,45 @@ +module UDAPSecurityTestKit + class CertificationHandlingAttestationTest < Inferno::Test + title 'Authorization Server handles certifications correctly' + id :udap_security_certification_handling + description %( + The Authorization Server SHALL: + - Ignore unsupported or unrecognized certifications. + - Communicate required certifications via the `udap_certifications_required` element in its UDAP metadata. + ) + verifies_requirements 'hl7.fhir.us.udap-security@116', + 'hl7.fhir.us.udap-security@118' + + input :certification_handling_correct, + title: "Authorization Server handles certifications correctly", + description: %( + I attest that the Authorization Server: + - Ignores unsupported or unrecognized certifications. + - Communicates required certifications via the `udap_certifications_required` element in its UDAP metadata. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :certification_handling_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert certification_handling_correct == 'true', + 'Authorization Server did not handle certifications correctly.' + pass certification_handling_note if certification_handling_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb new file mode 100644 index 0000000..15dae70 --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb 
@@ -0,0 +1,40 @@ +module UDAPSecurityTestKit + class ClientIDModificationAttestationTest < Inferno::Test + title 'Authorization Server handles client ID modification correctly' + id :udap_security_client_id_modification + description %( + If the Authorization Server returns a different `client_id` in response to a registration modification request, it SHALL cancel the registration for the previous `client_id`. + ) + verifies_requirements 'hl7.fhir.us.udap-security@121' + + input :client_id_modification_correct, + title: "Authorization Server handles client ID modification correctly", + description: %( + I attest that the Authorization Server cancels the registration for the previous `client_id` if it returns a different `client_id` in response to a registration modification request. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :client_id_modification_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert client_id_modification_correct == 'true', + 'Authorization Server did not handle client ID modification correctly.' + pass client_id_modification_note if client_id_modification_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb new file mode 100644 index 0000000..024ff4c --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb 
@@ -0,0 +1,48 @@ +module UDAPSecurityTestKit + class DynamicClientRegistrationValidationAttestationTest < Inferno::Test + title 'Dynamic Client Registration request is validated correctly' + id :udap_security_dynamic_client_registration_validation + description %( + The Authorization Server SHALL validate dynamic client registration requests by: + - Ensuring the `sub` value matches the `iss` value. + - Ensuring the `aud` value contains the Authorization Server’s registration endpoint URL. + - Ensuring the software statement is unexpired. + ) + verifies_requirements 'hl7.fhir.us.udap-security@107', + 'hl7.fhir.us.udap-security@108', + 'hl7.fhir.us.udap-security@109' + + input :dynamic_client_registration_validation_correct, + title: "Dynamic Client Registration request is validated correctly", + description: %( + I attest that the Authorization Server validates dynamic client registration requests by: + - Ensuring the `sub` value matches the `iss` value. + - Ensuring the `aud` value contains the Authorization Server’s registration endpoint URL. + - Ensuring the software statement is unexpired. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :dynamic_client_registration_validation_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert dynamic_client_registration_validation_correct == 'true', + 'Authorization Server did not validate dynamic client registration requests correctly.' + pass dynamic_client_registration_validation_note if dynamic_client_registration_validation_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group.rb new file mode 100644 index 0000000..0a5a5d0 --- /dev/null 
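Review bot: Both the test description and the input description use a typographic apostrophe (`Authorization Server’s`) where every other string in the commit is plain ASCII; inside a `%( ... )` literal an ASCII apostrophe is safe, so `- Ensuring the `aud` value contains the Authorization Server's registration endpoint URL.` avoids a stray non-ASCII character in source and in any grep or coverage export built from these strings.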
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group.rb
@@ -0,0 +1,19 @@
+require_relative 'error_handling_group/invalid_id_token_test'
+require_relative 'error_handling_group/invalid_redirection_uri_test'
+require_relative 'error_handling_group/state_mismatch_test'
+require_relative 'error_handling_group/unauthenticated_user_test'
+require_relative 'error_handling_group/valid_state_error_response_test'
+
+module UDAPSecurityTestKit
+ class ErrorHandlingAttestationGroup < Inferno::TestGroup
+ id :udap_server_v100_error_handling_group
+ title 'Error Handling'
+
+ run_as_group
+ test from: :udap_security_invalid_id_token_error
+ test from: :udap_security_invalid_redirection_uri
+ test from: :udap_security_state_mismatch_error
+ test from: :udap_security_unauthenticated_user_error
+ test from: :udap_security_valid_state_error_response
+ end
+end
\ No newline at end of file
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb
new file mode 100644
index 0000000..f4ae652
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb
@@ -0,0 +1,40 @@ +module UDAPSecurityTestKit + class InvalidIDTokenErrorAttestationTest < Inferno::Test + title 'Invalid ID Token error is handled correctly' + id :udap_security_invalid_id_token_error + description %( + If the IdP does not return an ID Token or validation fails, the Data Holder MAY return an `invalid_idp` error code or attempt alternate authentication. + ) + verifies_requirements 'hl7.fhir.us.udap-security@291' + + input :invalid_id_token_error_handling_correct, + title: "Invalid ID Token error is handled correctly", + description: %( + I attest that the Data Holder either returns an `invalid_idp` error code or attempts alternate authentication when the IdP does not return an ID Token or validation fails. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :invalid_id_token_error_handling_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert invalid_id_token_error_handling_correct == 'true', + 'Data Holder does not return an `invalid_idp` error code or attempt alternate authentication when the IdP does not return an ID Token or validation fails.' + pass invalid_id_token_error_handling_note if invalid_id_token_error_handling_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb new file mode 100644 index 0000000..bdcade7 --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb 
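Review bot: A "No" answer fails the test even though the description states the requirement as a MAY ("the Data Holder MAY return an `invalid_idp` error code or attempt alternate authentication"), so a server that handles the missing ID Token some other permitted way is marked non-conformant for an optional behaviour. Either the input should offer a third option that maps to `skip` (e.g. `{ label: 'Not applicable', value: 'n/a' }` with `skip_if invalid_id_token_error_handling_correct == 'n/a', '...'` before the assert), or the description and failure message should state the mandatory part of `hl7.fhir.us.udap-security@291` that a "No" actually violates.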
@@ -0,0 +1,40 @@
+module UDAPSecurityTestKit
+ class InvalidRedirectionURIAttestationTest < Inferno::Test
+ title 'Invalid redirection URI is handled correctly'
+ id :udap_security_invalid_redirection_uri
+ description %(
+ The Authorization Server MUST NOT redirect the user-agent to an invalid redirection URI if the request fails due to a missing or invalid redirection URI.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@242'
+
+ input :invalid_redirection_uri_handling_correct,
+ title: "Invalid redirection URI is handled correctly",
+ description: %(
+ I attest that the Authorization Server does NOT redirect the user-agent to an invalid redirection URI when the request fails due to a missing or invalid redirection URI.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :invalid_redirection_uri_handling_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert invalid_redirection_uri_handling_correct == 'true',
+ 'Authorization Server redirects the user-agent to an invalid redirection URI when the request fails due to a missing or invalid URI.'
+ pass invalid_redirection_uri_handling_note if invalid_redirection_uri_handling_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb
new file mode 100644
index 0000000..d33b412
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb
@@ -0,0 +1,40 @@
+module UDAPSecurityTestKit
+ class StateMismatchErrorAttestationTest < Inferno::Test
+ title 'State mismatch error is handled correctly'
+ id :udap_security_state_mismatch_error
+ description %(
+ If the `state` parameter does NOT match, the Resource Holder MUST terminate the workflow and redirect with a `server_error`.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@271'
+
+ input :state_mismatch_error_handling_correct,
+ title: "State mismatch error is handled correctly",
+ description: %(
+ I attest that the Resource Holder terminates the workflow and redirects with a `server_error` when the `state` parameter does NOT match.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :state_mismatch_error_handling_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert state_mismatch_error_handling_correct == 'true',
+ 'Resource Holder does not terminate the workflow or redirect with a `server_error` when the `state` parameter does NOT match.'
+ pass state_mismatch_error_handling_note if state_mismatch_error_handling_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb
new file mode 100644
index 0000000..1684085
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb
@@ -0,0 +1,40 @@
+module UDAPSecurityTestKit
+ class UnauthenticatedUserErrorAttestationTest < Inferno::Test
+ title 'Unauthenticated user error is handled correctly'
+ id :udap_security_unauthenticated_user_error
+ description %(
+ If the Data Holder cannot resolve the authenticated user, it SHALL return an `access_denied` error response.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@296'
+
+ input :unauthenticated_user_error_handling_correct,
+ title: "Unauthenticated user error is handled correctly",
+ description: %(
+ I attest that the Data Holder returns an `access_denied` error response when it cannot resolve the authenticated user.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :unauthenticated_user_error_handling_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert unauthenticated_user_error_handling_correct == 'true',
+ 'Data Holder does not return an `access_denied` error response when it cannot resolve the authenticated user.'
+ pass unauthenticated_user_error_handling_note if unauthenticated_user_error_handling_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb
new file mode 100644
index 0000000..9920b48
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb
@@ -0,0 +1,40 @@
+module UDAPSecurityTestKit
+ class ValidStateErrorResponseAttestationTest < Inferno::Test
+ title 'Valid state error response is handled correctly'
+ id :udap_security_valid_state_error_response
+ description %(
+ If the `state` value is valid on an error response, the Resource Holder MUST redirect with an `access_denied` error code.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@273'
+
+ input :valid_state_error_response_handling_correct,
+ title: "Valid state error response is handled correctly",
+ description: %(
+ I attest that the Resource Holder redirects with an `access_denied` error code when the `state` value is valid on an error response.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :valid_state_error_response_handling_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert valid_state_error_response_handling_correct == 'true',
+ 'Resource Holder does not redirect with an `access_denied` error code when the `state` value is valid on an error response.'
+ pass valid_state_error_response_handling_note if valid_state_error_response_handling_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group.rb
new file mode 100644
index 0000000..aafe544
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group.rb
@@ -0,0 +1,18 @@
+require_relative 'id_token_access_token_validation_group/id_token_validation_test'
+require_relative 'id_token_access_token_validation_group/access_token_validation_test'
+require_relative 'id_token_access_token_validation_group/token_response_validation_test'
+
+
+
+module UDAPSecurityTestKit
+ class IDTokenAccessTokenValidationAttestationGroup < Inferno::TestGroup
+ id :udap_server_v100_id_token_access_token_validation_group
+ title 'ID Token and Access Token Validation'
+
+ run_as_group
+ test from: :udap_security_id_token_validation
+ test from: :udap_security_access_token_validation
+ test from: :udap_security_token_response_validation
+
+ end
+end
\ No newline at end of file
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb
new file mode 100644
index 0000000..c75b5e2
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb
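Review bot: The three blank lines between the last `require_relative` and `module UDAPSecurityTestKit`, and the blank line before the class's closing `end`, are layout noise that RuboCop (Layout/EmptyLines, Layout/EmptyLinesAroundClassBody) would flag; the sibling group files in this commit use a single blank line there. The file also ends without a trailing newline (`\ No newline at end of file`), as do error_handling_group.rb, identity_provider_interaction_group.rb, metadata_server_capabilities_group.rb and openid_connect_authentication_requests_group.rb; adding it keeps future diffs clean. None of the new files carry a `# frozen_string_literal: true` magic comment either, which is worth adding at the same time if the project's RuboCop configuration expects it.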
@@ -0,0 +1,44 @@
+module UDAPSecurityTestKit
+ class AccessTokenValidationAttestationTest < Inferno::Test
+ title 'Access Token is validated correctly'
+ id :udap_security_access_token_validation
+ description %(
+ The Data Holder SHALL validate the Access Token as per the Access Token validation rules.
+ This includes verifying the token's integrity, claims, and expiration.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@283',
+ 'hl7.fhir.us.udap-security@290'
+
+ input :access_token_validation_correct,
+ title: "Access Token is validated correctly",
+ description: %(
+ I attest that the Data Holder validates the Access Token as per the Access Token validation rules, including:
+ - Verifying the token's integrity.
+ - Checking claims such as `exp` and other relevant attributes.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :access_token_validation_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert access_token_validation_correct == 'true',
+ 'Access Token validation is not implemented correctly as per the Access Token validation rules.'
+ pass access_token_validation_note if access_token_validation_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb
new file mode 100644
index 0000000..ed6bb82
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb
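Review bot: The attestation text here is vaguer than its ID-token sibling — it lists `exp` and `other relevant attributes`, whereas id_token_validation_test.rb names `iss`, `aud`, and `exp` — so two reviewers could attest to quite different checks and both answer 'Yes'. The description and the input description should spell out which "Access Token validation rules" are meant (the UDAP section they come from and the concrete checks, e.g. signature or introspection result, issuer, audience, expiry) so the attestation is verifiable rather than a restatement of the requirement. `'hl7.fhir.us.udap-security@283'` is also claimed by token_response_validation_test.rb in this commit; if that is intended, a short comment on the `verifies_requirements` line explaining why the requirement is split across two attestations would help anyone reading the coverage report.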
@@ -0,0 +1,44 @@
+module UDAPSecurityTestKit
+ class IDTokenValidationAttestationTest < Inferno::Test
+ title 'ID Token is validated correctly'
+ id :udap_security_id_token_validation
+ description %(
+ The Data Holder SHALL validate the ID Token as per OIDC Core specifications.
+ This includes verifying the token's signature, claims, issuer, audience, and expiration.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@282',
+ 'hl7.fhir.us.udap-security@289'
+
+ input :id_token_validation_correct,
+ title: "ID Token is validated correctly",
+ description: %(
+ I attest that the Data Holder validates the ID Token as per OIDC Core specifications, including:
+ - Verifying the token's signature.
+ - Checking claims such as `iss`, `aud`, and `exp`.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :id_token_validation_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert id_token_validation_correct == 'true',
+ 'ID Token validation is not implemented correctly as per OIDC Core specifications.'
+ pass id_token_validation_note if id_token_validation_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb
new file mode 100644
index 0000000..a006095
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb
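Review bot: The checklist under `I attest that the Data Holder validates the ID Token` covers the signature, `iss`, `aud` and `exp`, but OIDC Core ID Token validation also requires that the signature be verified against the keys the IdP actually publishes and that the `nonce` claim match the value sent in the authentication request when one was sent; those two checks are what stop a token being substituted or replayed, so leaving them implicit invites a looser reading of the attestation. Consider adding bullets such as `- Verifying the signature against the IdP's published signing keys.` and `- Checking that the nonce matches the one sent in the authentication request, if one was sent.` to the input description. If requirements 282/289 intentionally scope this narrower than OIDC Core, a one-line comment above `verifies_requirements` saying so would be enough.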
@@ -0,0 +1,45 @@
+module UDAPSecurityTestKit
+ class TokenResponseValidationAttestationTest < Inferno::Test
+ title 'Token Response is validated correctly'
+ id :udap_security_token_response_validation
+ description %(
+ The Client MUST validate the Token Response as per RFC 6749 and OIDC Core specifications.
+ This includes ensuring the presence of required parameters such as `access_token` and `token_type`.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@283',
+ 'hl7.fhir.us.udap-security@284',
+ 'hl7.fhir.us.udap-security@285'
+
+ input :token_response_validation_correct,
+ title: "Token Response is validated correctly",
+ description: %(
+ I attest that the Client validates the Token Response as per RFC 6749 and OIDC Core specifications, including:
+ - Ensuring the presence of `access_token` and `token_type` parameters.
+ - Validating the response structure and data integrity.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :token_response_validation_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert token_response_validation_correct == 'true',
+ 'Token Response validation is not implemented correctly as per RFC 6749 and OIDC Core specifications.'
+ pass token_response_validation_note if token_response_validation_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group.rb
new file mode 100644
index 0000000..ff12dd6
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group.rb
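Review bot: This test lives in the server (Data Holder) attestation group, but its description and attestation text say `The Client MUST validate the Token Response`, while every sibling test in the group is phrased in terms of the Data Holder; in the tiered flow the Data Holder is the OIDC client of the IdP, and the wording should say so to avoid a reader attesting about the wrong party, e.g. `The Data Holder, acting as the client of the IdP, SHALL validate the Token Response as per RFC 6749 and OIDC Core specifications.` The requirement id `'hl7.fhir.us.udap-security@283'` is also listed by access_token_validation_test.rb in this commit, so the coverage report will attribute it to two attestations; confirm that is intended or remove it from one of them.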
@@ -0,0 +1,17 @@
+require_relative 'identity_provider_interaction_group/idp_authentication_request_test'
+require_relative 'identity_provider_interaction_group/idp_dynamic_registration_test'
+require_relative 'identity_provider_interaction_group/idp_metadata_validation_test'
+require_relative 'identity_provider_interaction_group/idp_token_exchange_test'
+
+module UDAPSecurityTestKit
+ class IdentityProviderInteractionAttestationGroup < Inferno::TestGroup
+ id :udap_server_v100_identity_provider_interaction_group
+ title 'Interaction with Identity Providers (IdPs)'
+
+ run_as_group
+ test from: :udap_security_idp_metadata_validation
+ test from: :udap_security_idp_dynamic_registration
+ test from: :udap_security_idp_authentication_request
+ test from: :udap_security_idp_token_exchange
+ end
+end
\ No newline at end of file
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb
new file mode 100644
index 0000000..0fac215
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb
@@ -0,0 +1,40 @@
+module UDAPSecurityTestKit
+ class IdPAuthenticationRequestAttestationTest < Inferno::Test
+ title 'Authentication request is made to the IdP’s authorization endpoint'
+ id :udap_security_idp_authentication_request
+ description %(
+ If the IdP is trusted, the Data Holder SHALL make an authentication request to the IdP’s authorization endpoint.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@245'
+
+ input :idp_authentication_request_correct,
+ title: "Authentication request is made to the IdP’s authorization endpoint",
+ description: %(
+ I attest that the Data Holder makes an authentication request to the IdP’s authorization endpoint when the IdP is trusted.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :idp_authentication_request_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert idp_authentication_request_correct == 'true',
+ 'Data Holder does not make an authentication request to the IdP’s authorization endpoint when the IdP is trusted.'
+ pass idp_authentication_request_note if idp_authentication_request_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb
new file mode 100644
index 0000000..c752205
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb
@@ -0,0 +1,42 @@
+module UDAPSecurityTestKit
+ class IdPDynamicRegistrationAttestationTest < Inferno::Test
+ title 'IdP dynamic registration is performed if supported'
+ id :udap_security_idp_dynamic_registration
+ description %(
+ If the IdP is trusted and supports UDAP Dynamic Registration, the Data Holder SHALL register as a client.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@239'
+
+ input :idp_dynamic_registration_correct,
+ title: "IdP dynamic registration is performed if supported",
+ description: %(
+ I attest that the Data Holder registers as a client with the IdP if:
+ - The IdP is trusted.
+ - The IdP supports UDAP Dynamic Registration.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :idp_dynamic_registration_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert idp_dynamic_registration_correct == 'true',
+ 'Data Holder does not register as a client with the IdP when it is trusted and supports UDAP Dynamic Registration.'
+ pass idp_dynamic_registration_note if idp_dynamic_registration_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb
new file mode 100644
index 0000000..e368723
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb
@@ -0,0 +1,42 @@
+module UDAPSecurityTestKit
+ class IdPMetadataValidationAttestationTest < Inferno::Test
+ title 'IdP metadata is validated to determine trust'
+ id :udap_security_idp_metadata_validation
+ description %(
+ The Data Holder SHALL validate the IdP’s UDAP metadata to determine trustworthiness before interacting with the IdP.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@238'
+
+ input :idp_metadata_validation_correct,
+ title: "IdP metadata is validated to determine trust",
+ description: %(
+ I attest that the Data Holder validates the IdP’s UDAP metadata to determine trustworthiness, including:
+ - Verifying the authenticity of the metadata.
+ - Ensuring the metadata meets UDAP specifications.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :idp_metadata_validation_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert idp_metadata_validation_correct == 'true',
+ 'Data Holder does not validate the IdP’s UDAP metadata to determine trustworthiness.'
+ pass idp_metadata_validation_note if idp_metadata_validation_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb
new file mode 100644
index 0000000..f6a5ace
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb
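Review bot: `- Verifying the authenticity of the metadata.` leaves the actual trust decision unstated; in UDAP that decision rests on validating the signature of the `signed_metadata` JWT (the element udap_community_parameter_support_test.rb in this commit refers to) and on validating the signing certificate's chain to a trust anchor the Data Holder recognises, and the attestation text should name those steps so an attester cannot satisfy it with a plain JSON-shape check. Suggested replacement bullets: `- Validating the signature of the signed_metadata JWT.` and `- Validating the signing certificate's chain to a trusted anchor for the community (including revocation status, where the community requires it).` Every later step in this group — registration, the authentication request, the token exchange — depends on this trust decision, so this is the attestation where precision matters most.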
@@ -0,0 +1,40 @@
+module UDAPSecurityTestKit
+ class IdPTokenExchangeAttestationTest < Inferno::Test
+ title 'Code is exchanged for tokens after successful authentication response'
+ id :udap_security_idp_token_exchange
+ description %(
+ If the IdP returns a successful authentication response, the Data Holder SHALL exchange the authorization code for tokens.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@279'
+
+ input :idp_token_exchange_correct,
+ title: "Code is exchanged for tokens after successful authentication response",
+ description: %(
+ I attest that the Data Holder exchanges the authorization code for tokens after receiving a successful authentication response from the IdP.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :idp_token_exchange_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert idp_token_exchange_correct == 'true',
+ 'Data Holder does not exchange the authorization code for tokens after receiving a successful authentication response from the IdP.'
+ pass idp_token_exchange_note if idp_token_exchange_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group.rb
new file mode 100644
index 0000000..83cfd38
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group.rb
@@ -0,0 +1,19 @@
+require_relative 'metadata_server_capabilities_group/udap_authorization_extensions_required_test'
+require_relative 'metadata_server_capabilities_group/udap_community_parameter_support_test'
+require_relative 'metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test'
+require_relative 'metadata_server_capabilities_group/udap_metadata_representation_test'
+require_relative 'metadata_server_capabilities_group/udap_profiles_supported_test'
+
+module UDAPSecurityTestKit
+ class MetadataServerCapabilitiesAttestationGroup < Inferno::TestGroup
+ id :udap_server_v100_metadata_server_capabilities_group
+ title 'UDAP Metadata and Server Capabilities'
+
+ run_as_group
+ test from: :udap_security_authorization_extensions_required
+ test from: :udap_security_community_parameter_support
+ test from: :udap_security_metadata_error_handling
+ test from: :udap_security_metadata_representation
+ test from: :udap_security_profiles_supported
+ end
+end
\ No newline at end of file
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb
new file mode 100644
index 0000000..4f7eb24
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb
@@ -0,0 +1,40 @@
+module UDAPSecurityTestKit
+ class UDAPAuthorizationExtensionsRequiredAttestationTest < Inferno::Test
+ title 'UDAP Metadata includes required authorization extensions'
+ id :udap_security_authorization_extensions_required
+ description %(
+ If the Authorization Server requires the B2B Authorization Extension Object, the `udap_authorization_extensions_required` list SHALL include `["hl7-b2b"]`.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@32'
+
+ input :udap_authorization_extensions_required_correct,
+ title: "UDAP Metadata includes required authorization extensions",
+ description: %(
+ I attest that the server's UDAP metadata includes the `udap_authorization_extensions_required` list with `["hl7-b2b"]` if the Authorization Server requires the B2B Authorization Extension Object.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :udap_authorization_extensions_required_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert udap_authorization_extensions_required_correct == 'true',
+ 'Server metadata does not include the `udap_authorization_extensions_required` list with `["hl7-b2b"]` when required.'
+ pass udap_authorization_extensions_required_note if udap_authorization_extensions_required_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb
new file mode 100644
index 0000000..27aa273
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb
@@ -0,0 +1,40 @@
+module UDAPSecurityTestKit
+ class CommunityParameterSupportAttestationTest < Inferno::Test
+ title 'Server supports community parameter correctly'
+ id :udap_security_community_parameter_support
+ description %(
+ If a server supports the `community` parameter and recognizes the URI value, it SHALL select a certificate intended for use within the identified trust community and use that certificate when generating the signed JWT returned for the `signed_metadata` element.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@62'
+
+ input :community_parameter_support_correct,
+ title: "Server supports community parameter correctly",
+ description: %(
+ I attest that the server supports the `community` parameter correctly by selecting a certificate intended for use within the identified trust community when generating the signed JWT for the `signed_metadata` element.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :community_parameter_support_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert community_parameter_support_correct == 'true',
+ 'Server does not correctly support the `community` parameter when generating the signed JWT for the `signed_metadata` element.'
+ pass community_parameter_support_note if community_parameter_support_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb
new file mode 100644
index 0000000..7e82f91
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb
@@ -0,0 +1,40 @@
+module UDAPSecurityTestKit
+ class UDAPMetadataEndpointErrorHandlingAttestationTest < Inferno::Test
+ title 'UDAP Metadata endpoint correctly handles unsupported workflows'
+ id :udap_security_metadata_error_handling
+ description %(
+ If no UDAP workflows are supported, the server SHALL return a `404 Not Found` response to the metadata request.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@19'
+
+ input :udap_metadata_error_handling_correct,
+ title: "UDAP Metadata endpoint correctly handles unsupported workflows",
+ description: %(
+ I attest that the server's UDAP metadata endpoint correctly handles unsupported workflows by returning a `404 Not Found` response when no UDAP workflows are supported.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :udap_metadata_error_handling_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert udap_metadata_error_handling_correct == 'true',
+ 'Server metadata endpoint did not correctly handle unsupported workflows by returning a `404 Not Found` response.'
+ pass udap_metadata_error_handling_note if udap_metadata_error_handling_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb
new file mode 100644
index 0000000..d58ce34
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb
@@ -0,0 +1,40 @@
+module UDAPSecurityTestKit
+ class UDAPMetadataRepresentationAttestationTest < Inferno::Test
+ title 'UDAP Metadata correctly represents server capabilities'
+ id :udap_security_metadata_representation
+ description %(
+ The server's UDAP metadata endpoint SHALL correctly represent the server’s capabilities with respect to the UDAP workflows described in the guide.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@18'
+
+ input :udap_metadata_representation_correct,
+ title: "UDAP Metadata correctly represents server capabilities",
+ description: %(
+ I attest that the server's UDAP metadata endpoint correctly represents the server’s capabilities with respect to the UDAP workflows described in the guide.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :udap_metadata_representation_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert udap_metadata_representation_correct == 'true',
+ 'Server metadata does not correctly represent the server’s capabilities with respect to UDAP workflows.'
+ pass udap_metadata_representation_note if udap_metadata_representation_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb
new file mode 100644
index 0000000..1a4b7a8
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb
@@ -0,0 +1,40 @@
+module UDAPSecurityTestKit
+ class UDAPProfilesSupportedAttestationTest < Inferno::Test
+ title 'UDAP Metadata includes supported profiles'
+ id :udap_security_profiles_supported
+ description %(
+ If the server supports the user authentication workflow described in Section 6, the `udap_profiles_supported` element SHALL include `udap_to` for UDAP Tiered OAuth for User Authentication.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security@27'
+
+ input :udap_profiles_supported_correct,
+ title: "UDAP Metadata includes supported profiles",
+ description: %(
+ I attest that the server's UDAP metadata includes the `udap_profiles_supported` element with `udap_to` if the server supports the user authentication workflow described in Section 6.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ {
+ label: 'Yes',
+ value: 'true'
+ },
+ {
+ label: 'No',
+ value: 'false'
+ }
+ ]
+ }
+ input :udap_profiles_supported_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert udap_profiles_supported_correct == 'true',
+ 'Server metadata does not include the `udap_profiles_supported` element with `udap_to` for UDAP Tiered OAuth for User Authentication.'
+ pass udap_profiles_supported_note if udap_profiles_supported_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group.rb
new file mode 100644
index 0000000..89dcbc8
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group.rb
@@ -0,0 +1,13 @@
+require_relative 'openid_connect_authentication_requests_group/authentication_request_construction_test'
+require_relative 'openid_connect_authentication_requests_group/authentication_request_validation_test'
+
+module UDAPSecurityTestKit
+ class OpenIDConnectAuthenticationRequestsAttestationGroup < Inferno::TestGroup
+ id :udap_server_v100_openid_connect_authentication_requests_group
+ title 'OpenID Connect Authentication Requests'
+
+ run_as_group
+ test from: :oidc_auth_request_construction
+ test from: :udap_security_access_token_request_validation
+ end
+end
\ No newline at end of file
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb
new file mode 100644
index 0000000..c8a04f5
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb
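Review bot: `test from: :udap_security_access_token_request_validation` does not reference the test this group `require_relative`s; authentication_request_validation_test.rb later in this patch declares `id :oidc_auth_request_validation`, while the id used here belongs to the access-token-request attestation in the authorization-code group, so this group would run the wrong attestation (or presumably fail to load if that id is not defined yet). Change the line to `test from: :oidc_auth_request_validation`. The file also lacks a trailing newline (`\ No newline at end of file`), as do security_measures_group.rb and server_attestation_group.rb further down; a final newline avoids the same marker on every future diff of these files.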
@@ -0,0 +1,53 @@ +module UDAPSecurityTestKit + class AuthenticationRequestConstructionAttestationTest < Inferno::Test + title 'Authentication Request Construction Compliance' + id :oidc_auth_request_construction + description %( + The Authorization Server SHALL ensure that authentication requests comply with OpenID Connect requirements, including: + - Support for HTTP GET and POST methods at the Authorization Endpoint. + - Inclusion of the `openid` scope value. + - Presence and validity of required parameters such as `response_type`, `client_id`, and `redirect_uri`. + - Exact matching of the `redirect_uri` with pre-registered values. + ) + verifies_requirements 'hl7.fhir.us.udap-security@246', + 'hl7.fhir.us.udap-security@247', + 'hl7.fhir.us.udap-security@248', + 'hl7.fhir.us.udap-security@249', + 'hl7.fhir.us.udap-security@250', + 'hl7.fhir.us.udap-security@251' + + input :auth_request_construction_correct, + title: "Authentication Request Construction Compliance", + description: %( + I attest that the Authorization Server ensures: + - HTTP GET and POST methods are supported at the Authorization Endpoint. + - The `openid` scope value is included in requests. + - Required parameters (`response_type`, `client_id`, `redirect_uri`) are present and valid. + - The `redirect_uri` exactly matches pre-registered values. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :auth_request_construction_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert auth_request_construction_correct == 'true', + 'Authentication Request Construction does not comply with OpenID Connect requirements.' + pass auth_request_construction_note if auth_request_construction_note.present? + end + end +end 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb
new file mode 100644
index 0000000..f053301
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb
@@ -0,0 +1,60 @@ +module UDAPSecurityTestKit + class AuthenticationRequestValidationAttestationTest < Inferno::Test + title 'Authentication Request Validation Compliance' + id :oidc_auth_request_validation + description %( + The Authorization Server SHALL validate authentication requests according to OpenID Connect requirements, including: + - Validation of all OAuth 2.0 parameters. + - Verification that the `scope` parameter contains the `openid` value. + - Verification of the presence and conformity of required parameters. + - Proper handling of the `sub` Claim, `id_token_hint`, and `prompt` parameter. + - Implementation of CSRF and Clickjacking protections. + ) + verifies_requirements 'hl7.fhir.us.udap-security@258', + 'hl7.fhir.us.udap-security@259', + 'hl7.fhir.us.udap-security@260', + 'hl7.fhir.us.udap-security@261', + 'hl7.fhir.us.udap-security@262', + 'hl7.fhir.us.udap-security@263', + 'hl7.fhir.us.udap-security@264', + 'hl7.fhir.us.udap-security@265', + 'hl7.fhir.us.udap-security@266', + 'hl7.fhir.us.udap-security@267', + 'hl7.fhir.us.udap-security@269' + + input :auth_request_validation_correct, + title: "Authentication Request Validation Compliance", + description: %( + I attest that the Authorization Server ensures: + - Validation of all OAuth 2.0 parameters. + - Verification that the `scope` parameter contains the `openid` value. + - Required parameters are present and conform to the specification. + - Proper handling of the `sub` Claim, `id_token_hint`, and `prompt` parameter. + - Implementation of CSRF and Clickjacking protections. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :auth_request_validation_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert auth_request_validation_correct == 'true', + 'Authentication Request Validation does not comply with OpenID Connect requirements.' 
+ pass auth_request_validation_note if auth_request_validation_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group.rb new file mode 100644 index 0000000..91dda3c --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group.rb @@ -0,0 +1,13 @@ +require_relative 'security_measures_group/csrf_protection_test' +require_relative 'security_measures_group/unauthenticated_client_security_test' + +module UDAPSecurityTestKit + class SecurityMeasuresAttestationGroup < Inferno::TestGroup + id :udap_server_v100_security_measures_group + title 'Security Measures' + + run_as_group + test from: :udap_security_csrf_protection + test from: :udap_security_unauthenticated_clients + end +end \ No newline at end of file diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb new file mode 100644 index 0000000..b7e2492 --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb 
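Review bot: The test ids in this group (`:oidc_auth_request_validation` here and `:oidc_auth_request_construction` in the previous file) drop the `udap_security_` prefix that every other attestation test in the patch uses, which is exactly the kind of inconsistency that lets a group file reference the wrong id; `id :udap_security_oidc_auth_request_validation` would keep the naming uniform. Separately, the "Implementation of CSRF and Clickjacking protections" bullet is attested here and again by csrf_protection_test.rb (requirement @278) in the next file, so a tester answers the CSRF question twice; if requirements 258–269 listed above do not themselves cover CSRF, drop that bullet from this description. This hunk starts on the previous line.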
@@ -0,0 +1,42 @@ +module UDAPSecurityTestKit + class CSRFProtectionAttestationTest < Inferno::Test + title 'CSRF protection is implemented for the authorization endpoint' + id :udap_security_csrf_protection + description %( + The Authorization Server MUST implement CSRF protection for its authorization endpoint to prevent unauthorized or malicious requests. + ) + verifies_requirements 'hl7.fhir.us.udap-security@278' + + input :csrf_protection_implemented, + title: "CSRF protection is implemented for the authorization endpoint", + description: %( + I attest that the Authorization Server implements CSRF protection for its authorization endpoint, including mechanisms such as: + - Use of anti-CSRF tokens. + - Validation of `state` parameter to prevent cross-site request forgery. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :csrf_protection_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert csrf_protection_implemented == 'true', + 'Authorization Server does not implement CSRF protection for its authorization endpoint.' + pass csrf_protection_note if csrf_protection_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb new file mode 100644 index 0000000..8b7143c --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb 
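Review bot: The second bullet of the input description, "Validation of `state` parameter to prevent cross-site request forgery", describes the client's control for its own redirection endpoint (the client generates `state` and compares it on return), not something the Authorization Server can enforce at its authorization endpoint, so the server is asked to attest to the wrong control. RFC 6749 §10.12 frames the server-side obligation as binding the authorization (consent) interaction to the resource owner's authenticated session so that a forged request cannot obtain authorization without the user's awareness; rephrase the bullet to `- Binding the authorization (consent) interaction to the resource owner's authenticated session, so a forged request cannot obtain authorization without the user's awareness.` and keep the anti-CSRF-token bullet for the server's own forms.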
@@ -0,0 +1,42 @@ +module UDAPSecurityTestKit + class UnauthenticatedClientSecurityAttestationTest < Inferno::Test + title 'Security measures are considered for unauthenticated clients' + id :udap_security_unauthenticated_clients + description %( + The Authorization Server MUST consider security implications of interacting with unauthenticated clients to prevent unauthorized access or misuse. + ) + verifies_requirements 'hl7.fhir.us.udap-security@288' + + input :unauthenticated_client_security_measures, + title: "Security measures are considered for unauthenticated clients", + description: %( + I attest that the Authorization Server considers security implications when interacting with unauthenticated clients, including: + - Restricting access to sensitive endpoints. + - Implementing rate limiting or other protective measures. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :unauthenticated_client_security_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert unauthenticated_client_security_measures == 'true', + 'Authorization Server does not consider security implications when interacting with unauthenticated clients.' + pass unauthenticated_client_security_note if unauthenticated_client_security_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group.rb new file mode 100644 index 0000000..3799eee --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group.rb 
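Review bot: The examples in the input description ("Restricting access to sensitive endpoints", "rate limiting") do not match the obligation the test description paraphrases: if requirement @288 derives from RFC 6749 §10.1, the expected measure is limiting the exposure of credentials issued to unauthenticated (public) clients — e.g. not issuing long-lived refresh tokens to them — rather than generic endpoint hardening, so an attester can truthfully answer "Yes" without having the relevant control. Consider replacing the two bullets with `- Limiting the exposure of credentials (e.g. refresh tokens) issued to unauthenticated clients.` so the attestation targets the right control. The `MUST` wording also differs from the `SHALL` used by most other server attestations in this patch; harmless, but worth aligning with the source requirement text.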
@@ -0,0 +1,29 @@
+require_relative 'server/metadata_server_capabilities_group'
+require_relative 'server/dynamic_client_registration_group'
+require_relative 'server/authorization_code_token_requests_group'
+require_relative 'server/openid_connect_authentication_requests_group'
+require_relative 'server/id_token_access_token_validation_group'
+require_relative 'server/error_handling_group'
+require_relative 'server/security_measures_group'
+require_relative 'server/identity_provider_interaction_group'
+
+
+module UDAPSecurityTestKit
+ class ServerAttestationGroup < Inferno::TestGroup
+ id :udap_server_v100_visual_inspection_and_attestation
+ title 'Visual Inspection and Attestation'
+
+ description <<~DESCRIPTION
+ Perform visual inspections or attestations to ensure that the Server is conformant to the UDAP IG requirements.
+ DESCRIPTION
+
+ group from: :udap_server_v100_metadata_server_capabilities_group
+ group from: :udap_server_v100_dynamic_client_registration_group
+ group from: :udap_server_v100_authorization_code_token_requests_group
+ group from: :udap_server_v100_openid_connect_authentication_requests_group
+ group from: :udap_server_v100_id_token_access_token_validation_group
+ group from: :udap_server_v100_error_handling_group
+ group from: :udap_server_v100_security_measures_group
+ group from: :udap_server_v100_identity_provider_interaction_group
+ end
+end
\ No newline at end of file
From 7eacab9ef06eb313b4efe8b526815fe18dfbeda5 Mon Sep 17 00:00:00 2001
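Review bot: Style: `description <<~DESCRIPTION … DESCRIPTION` is the only heredoc in this patch while every test uses `description %( … )`, and there are two blank lines between the `require_relative` block and `module` where the other group files use one. Either form works, but this group is the entry point readers hit first, so `description %(Perform visual inspections or attestations to ensure that the Server is conformant to the UDAP IG requirements.)` and a single blank line keep the tree consistent.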
From: Christine Duong Date: Wed, 9 Jul 2025 21:02:28 -0400 Subject: [PATCH 02/13] Fix requirements --- .../client/authorization_code_usage_test.rb | 4 ++-- ...b2b_authorization_extension_object_test.rb | 16 +++++++------- .../client_security_csrf_protection_test.rb | 6 ++--- .../idp_supports_required_scopes_test.rb | 2 +- .../client/jti_reuse_prevention_test.rb | 2 +- .../client/metadata_interpretation_test.rb | 4 ++-- .../preferred_identity_provider_test.rb | 4 ++-- .../client/private_key_authentication_test.rb | 4 ++-- ...opes_identity_provider_interaction_test.rb | 6 ++--- .../software_statement_registration_test.rb | 4 ++-- .../token_request_authentication_test.rb | 2 +- .../trust_community_query_parameters_test.rb | 2 +- .../client/validation_confidentiality_test.rb | 4 ++-- .../access_token_lifetime_test.rb | 2 +- .../access_token_request_validation_test.rb | 8 +++---- .../authorization_code_usage_test.rb | 4 ++-- .../certification_handling_test.rb | 4 ++-- .../client_id_modification_test.rb | 2 +- ...mic_client_registration_validation_test.rb | 6 ++--- .../invalid_id_token_test.rb | 2 +- .../invalid_redirection_uri_test.rb | 2 +- .../state_mismatch_test.rb | 2 +- .../unauthenticated_user_test.rb | 2 +- .../valid_state_error_response_test.rb | 2 +- .../access_token_validation_test.rb | 4 ++-- .../id_token_validation_test.rb | 4 ++-- .../token_response_validation_test.rb | 6 ++--- .../idp_authentication_request_test.rb | 2 +- .../idp_dynamic_registration_test.rb | 2 +- .../idp_metadata_validation_test.rb | 2 +- .../idp_token_exchange_test.rb | 2 +- ..._authorization_extensions_required_test.rb | 2 +- .../udap_community_parameter_support_test.rb | 2 +- ...p_metadata_endpoint_error_handling_test.rb | 2 +- .../udap_metadata_representation_test.rb | 2 +- .../udap_profiles_supported_test.rb | 2 +- ...uthentication_request_construction_test.rb | 12 +++++----- .../authentication_request_validation_test.rb | 22 +++++++++---------- .../csrf_protection_test.rb | 2 +- 
.../unauthenticated_client_security_test.rb | 2 +- 40 files changed, 83 insertions(+), 83 deletions(-) diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/authorization_code_usage_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/authorization_code_usage_test.rb index bfea1c8..d02f964 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/authorization_code_usage_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/authorization_code_usage_test.rb @@ -7,8 +7,8 @@ class AuthorizationCodeUsageAttestationTest < Inferno::Test - Ensuring the authorization code is not used more than once. - Requesting an authorization code as per Section 4.1.1 of RFC 6749. ) - verifies_requirements 'hl7.fhir.us.udap-security@136', - 'hl7.fhir.us.udap-security@188' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@136', + 'hl7.fhir.us.udap-security_1.0.0@188' input :authorization_code_usage_correctly, title: "Authorization code is used correctly", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb index 74fdfac..6263d0d 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb 
@@ -10,14 +10,14 @@ class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test - `subject_id` SHALL be omitted for non-human requestors or requestors without an NPI. - `consent_reference` SHALL include resolvable URLs and SHALL be omitted if `consent_policy` is not present. ) - verifies_requirements 'hl7.fhir.us.udap-security@203', - 'hl7.fhir.us.udap-security@204', - 'hl7.fhir.us.udap-security@205', - 'hl7.fhir.us.udap-security@206', - 'hl7.fhir.us.udap-security@207', - 'hl7.fhir.us.udap-security@219', - 'hl7.fhir.us.udap-security@220', - 'hl7.fhir.us.udap-security@221' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@203', + 'hl7.fhir.us.udap-security_1.0.0@204', + 'hl7.fhir.us.udap-security_1.0.0@205', + 'hl7.fhir.us.udap-security_1.0.0@206', + 'hl7.fhir.us.udap-security_1.0.0@207', + 'hl7.fhir.us.udap-security_1.0.0@219', + 'hl7.fhir.us.udap-security_1.0.0@220', + 'hl7.fhir.us.udap-security_1.0.0@221' input :subject_name_compliance, title: "Client application includes `subject_name` if known", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb index 108fe80..9126bc7 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb 
@@ -8,9 +8,9 @@ class ClientSecurityAndCSRFProtectionAttestationTest < Inferno::Test - Use a binding value for CSRF protection that contains a non-guessable value. - Ensure the user-agent's authenticated state is accessible only to the client and user-agent, protected by the same-origin policy. ) - verifies_requirements 'hl7.fhir.us.udap-security@275', - 'hl7.fhir.us.udap-security@276', - 'hl7.fhir.us.udap-security@277' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@275', + 'hl7.fhir.us.udap-security_1.0.0@276', + 'hl7.fhir.us.udap-security_1.0.0@277' input :csrf_protection_implementation, title: "Client application implements CSRF protection for its redirection URI", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb index fcdcaf0..eba71e5 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb @@ -5,7 +5,7 @@ class IdPSupportsRequiredScopesAttestationTest < Inferno::Test description %( Identity Providers (IdPs) SHALL include `"openid"` and `"udap"` in the array of scopes returned for the `scopes_supported` parameter. ) - verifies_requirements 'hl7.fhir.us.udap-security@235' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@235' input :idp_supports_required_scopes, title: "IdP supports required scopes", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb index 3abb2fa..a841ed5 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb 
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb @@ -6,7 +6,7 @@ class JTIReusePreventionAttestationTest < Inferno::Test Client applications SHALL prevent reuse of JTI values in authentication tokens by: - Ensuring the `jti` parameter is not reused in another authentication JWT before the time specified in the `exp` claim has passed. ) - verifies_requirements 'hl7.fhir.us.udap-security@159' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@159' input :jti_reuse_prevention_correctly, title: "Client prevents reuse of JTI values in authentication tokens", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb index d9e433d..cdf2b65 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb @@ -7,8 +7,8 @@ class MetadataInterpretationAttestationTest < Inferno::Test - Interpreting an empty array value in metadata as indicating that the corresponding capability is NOT supported by the server. - Using applicable values returned in a server’s UDAP metadata for workflows defined in this guide. ) - verifies_requirements 'hl7.fhir.us.udap-security@20', - 'hl7.fhir.us.udap-security@21' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@20', + 'hl7.fhir.us.udap-security_1.0.0@21' input :interprets_metadata_correctly, title: "Interprets metadata correctly", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb index f430118..c6e36b0 100644 
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb @@ -7,8 +7,8 @@ class PreferredIdentityProviderAttestationTest < Inferno::Test - Adding `udap` to the list of scopes provided in the `scope` query parameter. - Adding the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP. ) - verifies_requirements 'hl7.fhir.us.udap-security@236', - 'hl7.fhir.us.udap-security@237' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@236', + 'hl7.fhir.us.udap-security_1.0.0@237' input :indicates_preferred_idp, title: "Client indicates preferred Identity Provider", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb index 808e7ee..735c95f 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb @@ -6,8 +6,8 @@ class PrivateKeyAuthenticationAttestationTest < Inferno::Test Client applications SHALL use private key authentication correctly by: - Omitting the HTTP Authorization header and client secret in token endpoint requests when authenticating with a private key and Authentication Token. ) - verifies_requirements 'hl7.fhir.us.udap-security@164', - 'hl7.fhir.us.udap-security@224' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@164', + 'hl7.fhir.us.udap-security_1.0.0@224' input :private_key_authentication_correctly, title: "Client uses private key authentication correctly", 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb index ed22f68..1af1ca7 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb @@ -8,9 +8,9 @@ class ScopesAndIdentityProviderInteractionAttestationTest < Inferno::Test - The `scope` query parameter of the authentication request SHALL contain at least the values `openid` and `udap`. - The Identity Provider SHALL authenticate the user as per OIDC Core and UDAP Tiered OAuth specifications. ) - verifies_requirements 'hl7.fhir.us.udap-security@236', - 'hl7.fhir.us.udap-security@256', - 'hl7.fhir.us.udap-security@257' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@236', + 'hl7.fhir.us.udap-security_1.0.0@256', + 'hl7.fhir.us.udap-security_1.0.0@257' input :scope_includes_udap, title: "Client application includes `udap` in the `scope` query parameter", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb index 89bd086..61dc7ef 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb 
@@ -7,8 +7,8 @@ class SoftwareStatementAndRegistrationAttestationTest < Inferno::Test - The `jti` claim in the JWT SHALL NOT be reused before the `exp` claim has passed. - A registration response with an empty `grant_types` array SHALL be interpreted as a cancellation of the `client_id` registration by the Authorization Server. ) - verifies_requirements 'hl7.fhir.us.udap-security@82', - 'hl7.fhir.us.udap-security@123' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@82', + 'hl7.fhir.us.udap-security_1.0.0@123' input :jti_reuse_compliance, title: "Client application does not reuse the `jti` claim before the `exp` claim has passed", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb index b3eff09..f94a2f9 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb @@ -7,7 +7,7 @@ class TokenRequestAuthenticationAttestationTest < Inferno::Test - Including the `client_id` parameter in the token request if the client is not authenticating with the authorization server. - Authenticating to the Token Endpoint using the method registered for its `client_id` if the client is a Confidential Client. ) - verifies_requirements 'hl7.fhir.us.udap-security@144', + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@144', 'openid.connect.core@280' input :token_request_authentication_correctly, diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb index 3cfe5cf..ea6ea90 100644 
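Review bot: In the token_request_authentication_test.rb hunk the `'openid.connect.core@280'` entry of `verifies_requirements` keeps an unversioned id while the UDAP id on the line above is rewritten to `hl7.fhir.us.udap-security_1.0.0@144`; if the requirements-coverage tooling matches on the versioned form, this entry will stop resolving (or never did). Either add the corresponding version suffix for that specification or confirm in the commit message that non-UDAP requirement ids are intentionally left unversioned.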
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb @@ -6,7 +6,7 @@ class TrustCommunityAndQueryParametersAttestationTest < Inferno::Test Client applications SHALL comply with the requirements for Trust Community and Query Parameters: - When the client adds the `community` query parameter, the value SHALL be a URI as determined by the trust community. ) - verifies_requirements 'hl7.fhir.us.udap-security@61' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@61' input :community_query_parameter_compliance, title: "Client application ensures `community` query parameter value is a valid URI", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb index 204c84d..9afc6a5 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb @@ -7,8 +7,8 @@ class ValidationAndConfidentialityAttestationTest < Inferno::Test - Validate the `state` parameter returned by the Resource Holder in response to an authorization request. - Ensure confidentiality of client passwords and other client credentials. ) - verifies_requirements 'hl7.fhir.us.udap-security@274', - 'hl7.fhir.us.udap-security@286' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@274', + 'hl7.fhir.us.udap-security_1.0.0@286' input :state_parameter_validation, title: "Client application validates the `state` parameter returned by the Resource Holder", 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb index 717d1aa..cd6a1e8 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb @@ -5,7 +5,7 @@ class AccessTokenLifetimeAttestationTest < Inferno::Test description %( The Authorization Server SHALL issue access tokens with a lifetime no longer than 60 minutes for all successful token requests. ) - verifies_requirements 'hl7.fhir.us.udap-security@184' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@184' input :access_token_lifetime_correct, title: "Access tokens have a lifetime of no longer than 60 minutes", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb index 5982369..3755d19 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb 
@@ -9,10 +9,10 @@ class AccessTokenRequestValidationAttestationTest < Inferno::Test - Verifying that the authorization code is valid. - Ensuring the `redirect_uri` parameter is present and matches the initial authorization request. ) - verifies_requirements 'hl7.fhir.us.udap-security@146', - 'hl7.fhir.us.udap-security@147', - 'hl7.fhir.us.udap-security@149', - 'hl7.fhir.us.udap-security@150' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@146', + 'hl7.fhir.us.udap-security_1.0.0@147', + 'hl7.fhir.us.udap-security_1.0.0@149', + 'hl7.fhir.us.udap-security_1.0.0@150' input :access_token_request_validation_correct, title: "Access token request is validated correctly", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb index c15f636..26e5ba2 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb @@ -7,8 +7,8 @@ class AuthorizationCodeUsageAttestationTest < Inferno::Test - Authorization codes are not used more than once. - Authorization codes expire shortly after issuance to mitigate the risk of leaks. ) - verifies_requirements 'hl7.fhir.us.udap-security@135', - 'hl7.fhir.us.udap-security@137' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@135', + 'hl7.fhir.us.udap-security_1.0.0@137' input :authorization_code_usage_correct, title: "Authorization code is used correctly", 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb index 3849bd9..d068e82 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb @@ -7,8 +7,8 @@ class CertificationHandlingAttestationTest < Inferno::Test - Ignore unsupported or unrecognized certifications. - Communicate required certifications via the `udap_certifications_required` element in its UDAP metadata. ) - verifies_requirements 'hl7.fhir.us.udap-security@116', - 'hl7.fhir.us.udap-security@118' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@116', + 'hl7.fhir.us.udap-security_1.0.0@118' input :certification_handling_correct, title: "Authorization Server handles certifications correctly", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb index 15dae70..7a99d57 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb 
@@ -5,7 +5,7 @@ class ClientIDModificationAttestationTest < Inferno::Test description %( If the Authorization Server returns a different `client_id` in response to a registration modification request, it SHALL cancel the registration for the previous `client_id`. ) - verifies_requirements 'hl7.fhir.us.udap-security@121' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@121' input :client_id_modification_correct, title: "Authorization Server handles client ID modification correctly", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb index 024ff4c..a6eb540 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb @@ -8,9 +8,9 @@ class DynamicClientRegistrationValidationAttestationTest < Inferno::Test - Ensuring the `aud` value contains the Authorization Server’s registration endpoint URL. - Ensuring the software statement is unexpired. ) - verifies_requirements 'hl7.fhir.us.udap-security@107', - 'hl7.fhir.us.udap-security@108', - 'hl7.fhir.us.udap-security@109' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@107', + 'hl7.fhir.us.udap-security_1.0.0@108', + 'hl7.fhir.us.udap-security_1.0.0@109' input :dynamic_client_registration_validation_correct, title: "Dynamic Client Registration request is validated correctly", 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb index f4ae652..9852abc 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb @@ -5,7 +5,7 @@ class InvalidIDTokenErrorAttestationTest < Inferno::Test description %( If the IdP does not return an ID Token or validation fails, the Data Holder MAY return an `invalid_idp` error code or attempt alternate authentication. ) - verifies_requirements 'hl7.fhir.us.udap-security@291' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@291' input :invalid_id_token_error_handling_correct, title: "Invalid ID Token error is handled correctly", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb index bdcade7..f2cd8a9 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb @@ -5,7 +5,7 @@ class InvalidRedirectionURIAttestationTest < Inferno::Test description %( The Authorization Server MUST NOT redirect the user-agent to an invalid redirection URI if the request fails due to a missing or invalid redirection URI. ) - verifies_requirements 'hl7.fhir.us.udap-security@242' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@242' input :invalid_redirection_uri_handling_correct, title: "Invalid redirection URI is handled correctly", 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb index d33b412..ab52fde 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb @@ -5,7 +5,7 @@ class StateMismatchErrorAttestationTest < Inferno::Test description %( If the `state` parameter does NOT match, the Resource Holder MUST terminate the workflow and redirect with a `server_error`. ) - verifies_requirements 'hl7.fhir.us.udap-security@271' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@271' input :state_mismatch_error_handling_correct, title: "State mismatch error is handled correctly", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb index 1684085..48251e9 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb @@ -5,7 +5,7 @@ class UnauthenticatedUserErrorAttestationTest < Inferno::Test description %( If the Data Holder cannot resolve the authenticated user, it SHALL return an `access_denied` error response. ) - verifies_requirements 'hl7.fhir.us.udap-security@296' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@296' input :unauthenticated_user_error_handling_correct, title: "Unauthenticated user error is handled correctly", 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb index 9920b48..98969a4 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb @@ -5,7 +5,7 @@ class ValidStateErrorResponseAttestationTest < Inferno::Test description %( If the `state` value is valid on an error response, the Resource Holder MUST redirect with an `access_denied` error code. ) - verifies_requirements 'hl7.fhir.us.udap-security@273' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@273' input :valid_state_error_response_handling_correct, title: "Valid state error response is handled correctly", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb index c75b5e2..76e06d1 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb 
@@ -6,8 +6,8 @@ class AccessTokenValidationAttestationTest < Inferno::Test The Data Holder SHALL validate the Access Token as per the Access Token validation rules. This includes verifying the token's integrity, claims, and expiration. ) - verifies_requirements 'hl7.fhir.us.udap-security@283', - 'hl7.fhir.us.udap-security@290' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@283', + 'hl7.fhir.us.udap-security_1.0.0@290' input :access_token_validation_correct, title: "Access Token is validated correctly", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb index ed6bb82..9c453f1 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb @@ -6,8 +6,8 @@ class IDTokenValidationAttestationTest < Inferno::Test The Data Holder SHALL validate the ID Token as per OIDC Core specifications. This includes verifying the token's signature, claims, issuer, audience, and expiration. ) - verifies_requirements 'hl7.fhir.us.udap-security@282', - 'hl7.fhir.us.udap-security@289' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@282', + 'hl7.fhir.us.udap-security_1.0.0@289' input :id_token_validation_correct, title: "ID Token is validated correctly", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb index a006095..3698a90 100644 
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb @@ -6,9 +6,9 @@ class TokenResponseValidationAttestationTest < Inferno::Test The Client MUST validate the Token Response as per RFC 6749 and OIDC Core specifications. This includes ensuring the presence of required parameters such as `access_token` and `token_type`. ) - verifies_requirements 'hl7.fhir.us.udap-security@283', - 'hl7.fhir.us.udap-security@284', - 'hl7.fhir.us.udap-security@285' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@283', + 'hl7.fhir.us.udap-security_1.0.0@284', + 'hl7.fhir.us.udap-security_1.0.0@285' input :token_response_validation_correct, title: "Token Response is validated correctly", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb index 0fac215..7242355 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb @@ -5,7 +5,7 @@ class IdPAuthenticationRequestAttestationTest < Inferno::Test description %( If the IdP is trusted, the Data Holder SHALL make an authentication request to the IdP’s authorization endpoint. ) - verifies_requirements 'hl7.fhir.us.udap-security@245' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@245' input :idp_authentication_request_correct, title: "Authentication request is made to the IdP’s authorization endpoint", 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb index c752205..577ed2b 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb @@ -5,7 +5,7 @@ class IdPDynamicRegistrationAttestationTest < Inferno::Test description %( If the IdP is trusted and supports UDAP Dynamic Registration, the Data Holder SHALL register as a client. ) - verifies_requirements 'hl7.fhir.us.udap-security@239' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@239' input :idp_dynamic_registration_correct, title: "IdP dynamic registration is performed if supported", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb index e368723..0de66cf 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb 
@@ -5,7 +5,7 @@ class IdPMetadataValidationAttestationTest < Inferno::Test description %( The Data Holder SHALL validate the IdP’s UDAP metadata to determine trustworthiness before interacting with the IdP. ) - verifies_requirements 'hl7.fhir.us.udap-security@238' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@238' input :idp_metadata_validation_correct, title: "IdP metadata is validated to determine trust", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb index f6a5ace..68feb30 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb @@ -5,7 +5,7 @@ class IdPTokenExchangeAttestationTest < Inferno::Test description %( If the IdP returns a successful authentication response, the Data Holder SHALL exchange the authorization code for tokens. ) - verifies_requirements 'hl7.fhir.us.udap-security@279' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@279' input :idp_token_exchange_correct, title: "Code is exchanged for tokens after successful authentication response", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb index 4f7eb24..c6839fb 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb 
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb @@ -5,7 +5,7 @@ class UDAPAuthorizationExtensionsRequiredAttestationTest < Inferno::Test description %( If the Authorization Server requires the B2B Authorization Extension Object, the `udap_authorization_extensions_required` list SHALL include `["hl7-b2b"]`. ) - verifies_requirements 'hl7.fhir.us.udap-security@32' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@32' input :udap_authorization_extensions_required_correct, title: "UDAP Metadata includes required authorization extensions", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb index 27aa273..cad0254 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb @@ -5,7 +5,7 @@ class CommunityParameterSupportAttestationTest < Inferno::Test description %( If a server supports the `community` parameter and recognizes the URI value, it SHALL select a certificate intended for use within the identified trust community and use that certificate when generating the signed JWT returned for the `signed_metadata` element. ) - verifies_requirements 'hl7.fhir.us.udap-security@62' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@62' input :community_parameter_support_correct, title: "Server supports community parameter correctly", 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb index 7e82f91..3a74dbb 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb @@ -5,7 +5,7 @@ class UDAPMetadataEndpointErrorHandlingAttestationTest < Inferno::Test description %( If no UDAP workflows are supported, the server SHALL return a `404 Not Found` response to the metadata request. ) - verifies_requirements 'hl7.fhir.us.udap-security@19' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@19' input :udap_metadata_error_handling_correct, title: "UDAP Metadata endpoint correctly handles unsupported workflows", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb index d58ce34..432ab6d 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb 
@@ -5,7 +5,7 @@ class UDAPMetadataRepresentationAttestationTest < Inferno::Test description %( The server's UDAP metadata endpoint SHALL correctly represent the server’s capabilities with respect to the UDAP workflows described in the guide. ) - verifies_requirements 'hl7.fhir.us.udap-security@18' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@18' input :udap_metadata_representation_correct, title: "UDAP Metadata correctly represents server capabilities", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb index 1a4b7a8..d257b16 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb @@ -5,7 +5,7 @@ class UDAPProfilesSupportedAttestationTest < Inferno::Test description %( If the server supports the user authentication workflow described in Section 6, the `udap_profiles_supported` element SHALL include `udap_to` for UDAP Tiered OAuth for User Authentication. ) - verifies_requirements 'hl7.fhir.us.udap-security@27' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@27' input :udap_profiles_supported_correct, title: "UDAP Metadata includes supported profiles", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb index c8a04f5..62396b7 100644 
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb @@ -9,12 +9,12 @@ class AuthenticationRequestConstructionAttestationTest < Inferno::Test - Presence and validity of required parameters such as `response_type`, `client_id`, and `redirect_uri`. - Exact matching of the `redirect_uri` with pre-registered values. ) - verifies_requirements 'hl7.fhir.us.udap-security@246', - 'hl7.fhir.us.udap-security@247', - 'hl7.fhir.us.udap-security@248', - 'hl7.fhir.us.udap-security@249', - 'hl7.fhir.us.udap-security@250', - 'hl7.fhir.us.udap-security@251' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@246', + 'hl7.fhir.us.udap-security_1.0.0@247', + 'hl7.fhir.us.udap-security_1.0.0@248', + 'hl7.fhir.us.udap-security_1.0.0@249', + 'hl7.fhir.us.udap-security_1.0.0@250', + 'hl7.fhir.us.udap-security_1.0.0@251' input :auth_request_construction_correct, title: "Authentication Request Construction Compliance", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb index f053301..1a0a6c3 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb 
@@ -10,17 +10,17 @@ class AuthenticationRequestValidationAttestationTest < Inferno::Test - Proper handling of the `sub` Claim, `id_token_hint`, and `prompt` parameter. - Implementation of CSRF and Clickjacking protections. ) - verifies_requirements 'hl7.fhir.us.udap-security@258', - 'hl7.fhir.us.udap-security@259', - 'hl7.fhir.us.udap-security@260', - 'hl7.fhir.us.udap-security@261', - 'hl7.fhir.us.udap-security@262', - 'hl7.fhir.us.udap-security@263', - 'hl7.fhir.us.udap-security@264', - 'hl7.fhir.us.udap-security@265', - 'hl7.fhir.us.udap-security@266', - 'hl7.fhir.us.udap-security@267', - 'hl7.fhir.us.udap-security@269' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@258', + 'hl7.fhir.us.udap-security_1.0.0@259', + 'hl7.fhir.us.udap-security_1.0.0@260', + 'hl7.fhir.us.udap-security_1.0.0@261', + 'hl7.fhir.us.udap-security_1.0.0@262', + 'hl7.fhir.us.udap-security_1.0.0@263', + 'hl7.fhir.us.udap-security_1.0.0@264', + 'hl7.fhir.us.udap-security_1.0.0@265', + 'hl7.fhir.us.udap-security_1.0.0@266', + 'hl7.fhir.us.udap-security_1.0.0@267', + 'hl7.fhir.us.udap-security_1.0.0@269' input :auth_request_validation_correct, title: "Authentication Request Validation Compliance", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb index b7e2492..6196a68 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb 
@@ -5,7 +5,7 @@ class CSRFProtectionAttestationTest < Inferno::Test description %( The Authorization Server MUST implement CSRF protection for its authorization endpoint to prevent unauthorized or malicious requests. ) - verifies_requirements 'hl7.fhir.us.udap-security@278' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@278' input :csrf_protection_implemented, title: "CSRF protection is implemented for the authorization endpoint", diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb index 8b7143c..10f8a83 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb @@ -5,7 +5,7 @@ class UnauthenticatedClientSecurityAttestationTest < Inferno::Test description %( The Authorization Server MUST consider security implications of interacting with unauthenticated clients to prevent unauthorized access or misuse. ) - verifies_requirements 'hl7.fhir.us.udap-security@288' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@288' input :unauthenticated_client_security_measures, title: "Security measures are considered for unauthenticated clients", From bc71e8b922d3220c84afbbc31915907633636a45 Mon Sep 17 00:00:00 2001 From: Christine Duong Date: Wed, 9 Jul 2025 21:03:53 -0400 Subject: [PATCH 03/13] Fix duplicate test name --- ..._usage_test.rb => client_authorization_code_usage_test.rb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename lib/udap_security_test_kit/visual_inspection_and_attestation/client/{authorization_code_usage_test.rb => client_authorization_code_usage_test.rb} (92%) 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/authorization_code_usage_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_authorization_code_usage_test.rb
similarity index 92%
rename from lib/udap_security_test_kit/visual_inspection_and_attestation/client/authorization_code_usage_test.rb
rename to lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_authorization_code_usage_test.rb
index d02f964..b558f76 100644
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/authorization_code_usage_test.rb
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_authorization_code_usage_test.rb
@@ -1,6 +1,6 @@
 module UDAPSecurityTestKit
- class AuthorizationCodeUsageAttestationTest < Inferno::Test
- title 'Authorization code is used correctly'
+ class ClientAuthorizationCodeUsageAttestationTest < Inferno::Test
+ title 'Client Authorization code is used correctly'
 id :udap_security_client_auth_code_usage
 description %(
 Client applications SHALL use the authorization code correctly by:
From d0e20e299d7158decd1e590c2c348fdaa3300ebf Mon Sep 17 00:00:00 2001
From: Christine Duong Date: Thu, 10 Jul 2025 01:04:52 -0400 Subject: [PATCH 04/13] Change to verb --- ...b2b_authorization_extension_object_test.rb | 22 +++++++++---------- .../client_authorization_code_usage_test.rb | 10 ++++----- .../client_security_csrf_protection_test.rb | 16 +++++++------- .../idp_supports_required_scopes_test.rb | 6 ++--- .../client/jti_reuse_prevention_test.rb | 8 +++---- .../client/metadata_interpretation_test.rb | 8 +++---- .../preferred_identity_provider_test.rb | 10 ++++----- .../client/private_key_authentication_test.rb | 8 +++---- ...opes_identity_provider_interaction_test.rb | 16 +++++++------- .../software_statement_registration_test.rb | 12 +++++----- .../token_request_authentication_test.rb | 10 ++++----- .../trust_community_query_parameters_test.rb | 7 +++--- .../client/validation_confidentiality_test.rb | 12 +++++----- .../client_attestation_group.rb | 2 +- .../access_token_lifetime_test.rb | 6 ++--- .../access_token_request_validation_test.rb | 6 ++--- .../authorization_code_usage_test.rb | 6 ++--- .../certification_handling_test.rb | 12 +++++----- .../client_id_modification_test.rb | 6 ++--- ...mic_client_registration_validation_test.rb | 6 ++--- .../invalid_id_token_test.rb | 6 ++--- .../invalid_redirection_uri_test.rb | 6 ++--- .../state_mismatch_test.rb | 4 ++-- .../unauthenticated_user_test.rb | 6 ++--- .../valid_state_error_response_test.rb | 6 ++--- .../access_token_validation_test.rb | 9 ++++---- .../id_token_validation_test.rb | 9 ++++---- .../token_response_validation_test.rb | 9 ++++---- .../idp_authentication_request_test.rb | 6 ++--- .../idp_dynamic_registration_test.rb | 8 ++++--- .../idp_metadata_validation_test.rb | 8 ++++--- .../idp_token_exchange_test.rb | 6 ++--- ..._authorization_extensions_required_test.rb | 6 ++--- .../udap_community_parameter_support_test.rb | 6 ++--- ...p_metadata_endpoint_error_handling_test.rb | 6 ++--- .../udap_metadata_representation_test.rb | 6 ++--- 
.../udap_profiles_supported_test.rb | 6 ++--- ...uthentication_request_construction_test.rb | 16 +++++++------- .../authentication_request_validation_test.rb | 18 +++++++-------- .../csrf_protection_test.rb | 8 ++++--- .../unauthenticated_client_security_test.rb | 8 ++++--- 41 files changed, 181 insertions(+), 171 deletions(-) diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb index 6263d0d..6cd37df 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb 
@@ -1,14 +1,14 @@
 module UDAPSecurityTestKit
 class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test
- title 'B2B Authorization Extension Object Compliance'
+ title 'Complies with B2B Authorization Extension Object'
 id :udap_security_b2b_authorization_extension_object
 description %(
- Client applications SHALL comply with the requirements for the B2B Authorization Extension Object:
- - `subject_name` SHALL be required if known for human or non-human requestors.
- - `subject_id` SHALL be required if known for human requestors when `subject_name` is present.
- - `subject_id` SHALL be the National Provider Identifier (NPI) for US Realm human requestors.
- - `subject_id` SHALL be omitted for non-human requestors or requestors without an NPI.
- - `consent_reference` SHALL include resolvable URLs and SHALL be omitted if `consent_policy` is not present.
+ Client applications complies with requirements for the B2B Authorization Extension Object and:
+ - Includes `subject_name` parameter if it is known for human or non-human requestors.
+ - Includes `subject_id` parameter for human requestors when the `subject_name` parameter is present.
+ - Uses the National Provider Identifier (NPI) as the value for `subject_id` for human requestors in the US Realm.
+ - Ensures that the `consent_reference` parameter includes URLs that are resolvable by the receiving party
+ - Omits `consent_reference` if `consent_policy` is not present.
 )
 verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@203',
 'hl7.fhir.us.udap-security_1.0.0@204',
@@ -20,7 +20,7 @@ class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test
 'hl7.fhir.us.udap-security_1.0.0@221'
 
 input :subject_name_compliance,
- title: "Client application includes `subject_name` if known",
+ title: "Includes `subject_name` if known",
 description: %(
 I attest that the client application includes the `subject_name` parameter if it is known for human or non-human requestors.
 ),
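Review bot: The rewritten description in the first hunk drops the old bullet stating that `subject_id` SHALL be omitted for non-human requestors or requestors without an NPI, while `verifies_requirements` still claims the same ids (203 through 221), so the attestation text no longer states one of the constraints it says it verifies. Restore it in the new verb style as `- Omits the 'subject_id' parameter for non-human requestors and for requestors without an NPI.` placed after the NPI bullet, and add the missing period after `receiving party`. The new first line also has a number mismatch, `Client applications complies with requirements …`; `Client application complies with the requirements …` matches the `I attest that the client application …` wording used in the inputs. Whether a separate input elsewhere in the file covers the omission case is not visible in these hunks.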
@@ -44,7 +44,7 @@ class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test optional: true input :subject_id_compliance, - title: "Client application includes `subject_id` for human requestors when `subject_name` is present", + title: "Includes `subject_id` for human requestors when `subject_name` is present", description: %( I attest that the client application includes the `subject_id` parameter for human requestors when the `subject_name` parameter is present. ), @@ -68,7 +68,7 @@ class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test optional: true input :subject_id_npi_compliance, - title: "Client application uses NPI for `subject_id` in US Realm human requestors", + title: "Uses NPI for `subject_id` in US Realm human requestors", description: %( I attest that the client application uses the National Provider Identifier (NPI) as the value for `subject_id` for human requestors in the US Realm. ), @@ -92,7 +92,7 @@ class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test optional: true input :consent_reference_compliance, - title: "Client application ensures `consent_reference` URLs are resolvable", + title: "Ensures `consent_reference` URLs are resolvable", description: %( I attest that the client application ensures that the `consent_reference` parameter includes URLs that are resolvable by the receiving party and omits `consent_reference` if `consent_policy` is not present. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_authorization_code_usage_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_authorization_code_usage_test.rb index b558f76..3914ed2 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_authorization_code_usage_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_authorization_code_usage_test.rb 
@@ -1,17 +1,17 @@ module UDAPSecurityTestKit class ClientAuthorizationCodeUsageAttestationTest < Inferno::Test - title 'Client Authorization code is used correctly' + title 'Uses authorization code correctly' id :udap_security_client_auth_code_usage description %( - Client applications SHALL use the authorization code correctly by: - - Ensuring the authorization code is not used more than once. - - Requesting an authorization code as per Section 4.1.1 of RFC 6749. + Client application uses the authorization code correctly by: + - Ensuring the authorization code is not used more than once. + - Requesting an authorization code as per Section 4.1.1 of RFC 6749. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@136', 'hl7.fhir.us.udap-security_1.0.0@188' input :authorization_code_usage_correctly, - title: "Authorization code is used correctly", + title: "Uses authorization code correctly", description: %( I attest that the client application uses the authorization code correctly by: - Ensuring the authorization code is not used more than once. diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb index 9126bc7..e88136f 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb 
@@ -1,19 +1,19 @@ module UDAPSecurityTestKit class ClientSecurityAndCSRFProtectionAttestationTest < Inferno::Test - title 'Client Security and CSRF Protection Compliance' + title 'Complies with Client Security and CSRF Protection' id :udap_security_client_security_csrf_protection description %( - Client applications SHALL comply with the requirements for Client Security and CSRF Protection: - - Implement CSRF protection for its redirection URI. - - Use a binding value for CSRF protection that contains a non-guessable value. - - Ensure the user-agent's authenticated state is accessible only to the client and user-agent, protected by the same-origin policy. + Client applications complies with the requirements for Client Security and CSRF Protection: + - Implements CSRF protection for its redirection URI. + - Uses a binding value for CSRF protection that contains a non-guessable value. + - Ensures the user-agent's authenticated state is accessible only to the client and user-agent, protected by the same-origin policy. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@275', 'hl7.fhir.us.udap-security_1.0.0@276', 'hl7.fhir.us.udap-security_1.0.0@277' input :csrf_protection_implementation, - title: "Client application implements CSRF protection for its redirection URI", + title: "Implements CSRF protection for its redirection URI", description: %( I attest that the client application implements CSRF protection for its redirection URI to prevent cross-site request forgery attacks. ), @@ -37,7 +37,7 @@ class ClientSecurityAndCSRFProtectionAttestationTest < Inferno::Test optional: true input :csrf_binding_value_compliance, - title: "Client application uses a non-guessable binding value for CSRF protection", + title: "Uses a non-guessable binding value for CSRF protection", description: %( I attest that the client application uses a binding value for CSRF protection that contains a non-guessable value to ensure security. ), 
@@ -61,7 +61,7 @@ class ClientSecurityAndCSRFProtectionAttestationTest < Inferno::Test optional: true input :authenticated_state_protection, - title: "Client application ensures authenticated state is protected by same-origin policy", + title: "Ensures authenticated state is protected by same-origin policy", description: %( I attest that the client application ensures the user-agent's authenticated state is stored in a location accessible only to the client and user-agent, protected by the same-origin policy. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb index eba71e5..8421323 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb @@ -1,14 +1,14 @@ module UDAPSecurityTestKit class IdPSupportsRequiredScopesAttestationTest < Inferno::Test - title 'IdP supports required scopes' + title 'Supports required scopes in IdPs' id :udap_security_idp_supports_scopes description %( - Identity Providers (IdPs) SHALL include `"openid"` and `"udap"` in the array of scopes returned for the `scopes_supported` parameter. + Identity Provider (IdP) includes `"openid"` and `"udap"` in the array of scopes returned for the `scopes_supported` parameter. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@235' input :idp_supports_required_scopes, - title: "IdP supports required scopes", + title: "Supports required scopes", description: %( I attest that the Identity Provider (IdP) includes `"openid"` and `"udap"` in the array of scopes returned for the `scopes_supported` parameter. ), 
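Review bot: The new title `Supports required scopes in IdPs` in idp_supports_required_scopes_test.rb adopts the implicit-client-subject style of the other client attestations, but requirement @235 and the description are about what the Identity Provider returns in `scopes_supported`, so the title now reads as if the client were the one supporting the scopes. Keeping an explicit subject, e.g. `title 'IdP supports required scopes'` and `title: "IdP supports required scopes"` for the input, avoids the misattribution. The class body continues outside the hunk.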
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb index a841ed5..2841086 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb @@ -1,15 +1,15 @@ module UDAPSecurityTestKit class JTIReusePreventionAttestationTest < Inferno::Test - title 'Client prevents reuse of JTI values in authentication tokens' + title 'Prevents reuse of JTI values in authentication tokens' id :udap_security_jti_reuse_prevention description %( - Client applications SHALL prevent reuse of JTI values in authentication tokens by: - - Ensuring the `jti` parameter is not reused in another authentication JWT before the time specified in the `exp` claim has passed. + Client application prevents reuse of JTI values in authentication tokens by: + - Ensuring the `jti` parameter is not reused in another authentication JWT before the time specified in the `exp` claim has passed. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@159' input :jti_reuse_prevention_correctly, - title: "Client prevents reuse of JTI values in authentication tokens", + title: "Prevents reuse of JTI values in authentication tokens", description: %( I attest that the client application prevents reuse of JTI values in authentication tokens by: - Ensuring the `jti` parameter is not reused in another authentication JWT before the time specified in the `exp` claim has passed. diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb index cdf2b65..bb1db85 100644 
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb @@ -1,11 +1,11 @@ module UDAPSecurityTestKit class MetadataInterpretationAttestationTest < Inferno::Test - title 'Client interprets metadata correctly' + title 'Interprets metadata correctly' id :udap_security_metadata_interpretation description %( - Client applications SHALL interpret metadata correctly by: - - Interpreting an empty array value in metadata as indicating that the corresponding capability is NOT supported by the server. - - Using applicable values returned in a server’s UDAP metadata for workflows defined in this guide. + Client application interprets metadata correctly by: + - Interpreting an empty array value in metadata as indicating that the corresponding capability is NOT supported by the server. + - Using applicable values returned in a server’s UDAP metadata for workflows defined in this guide. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@20', 'hl7.fhir.us.udap-security_1.0.0@21' diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb index c6e36b0..a916027 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb 
@@ -1,17 +1,17 @@ module UDAPSecurityTestKit class PreferredIdentityProviderAttestationTest < Inferno::Test - title 'Client indicates preferred Identity Provider' + title 'Indicates preferred Identity Provider' id :udap_security_preferred_idp description %( - Client applications SHALL indicate the preferred Identity Provider (IdP) to the data holder by: - - Adding `udap` to the list of scopes provided in the `scope` query parameter. - - Adding the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP. + Client application indicates the preferred Identity Provider (IdP) to the data holder by: + - Adding `udap` to the list of scopes provided in the `scope` query parameter. + - Adding the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@236', 'hl7.fhir.us.udap-security_1.0.0@237' input :indicates_preferred_idp, - title: "Client indicates preferred Identity Provider", + title: "Indicates preferred Identity Provider", description: %( I attest that the client application indicates the preferred Identity Provider (IdP) to the data holder by: - Adding `udap` to the list of scopes provided in the `scope` query parameter. diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb index 735c95f..5cc1974 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb 
@@ -1,16 +1,16 @@ module UDAPSecurityTestKit class PrivateKeyAuthenticationAttestationTest < Inferno::Test - title 'Client uses private key authentication correctly' + title 'Uses private key authentication correctly' id :udap_security_private_key_authentication description %( - Client applications SHALL use private key authentication correctly by: - - Omitting the HTTP Authorization header and client secret in token endpoint requests when authenticating with a private key and Authentication Token. + Client application uses private key authentication correctly by: + - Omitting the HTTP Authorization header and client secret in token endpoint requests when authenticating with a private key and Authentication Token. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@164', 'hl7.fhir.us.udap-security_1.0.0@224' input :private_key_authentication_correctly, - title: "Client uses private key authentication correctly", + title: "Uses private key authentication correctly", description: %( I attest that the client application uses private key authentication correctly by: - Omitting the HTTP Authorization header and client secret in token endpoint requests when authenticating with a private key and Authentication Token. diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb index 1af1ca7..768976e 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb 
@@ -1,19 +1,19 @@ module UDAPSecurityTestKit class ScopesAndIdentityProviderInteractionAttestationTest < Inferno::Test - title 'Scopes and Identity Provider Interaction Compliance' + title 'Complies with Scopes and Identity Provider Interaction' id :udap_security_scopes_identity_provider_interaction description %( - Client applications SHALL comply with the requirements for Scopes and Identity Provider Interaction: - - The client app indicates the preferred Identity Provider by adding `udap` to the list of scopes in the `scope` query parameter. - - The `scope` query parameter of the authentication request SHALL contain at least the values `openid` and `udap`. - - The Identity Provider SHALL authenticate the user as per OIDC Core and UDAP Tiered OAuth specifications. + Client applications complies with the requirements for Scopes and Identity Provider Interaction: + - Client application includes `udap` in the list of scopes provided in the `scope` query parameter to indicate the preferred Identity Provider. + - Client application authenticates the user according to the OIDC Core and UDAP Tiered OAuth specifications. + - Identity Provider authenticates the user according to the OIDC Core and UDAP Tiered OAuth specifications. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@236', 'hl7.fhir.us.udap-security_1.0.0@256', 'hl7.fhir.us.udap-security_1.0.0@257' input :scope_includes_udap, - title: "Client application includes `udap` in the `scope` query parameter", + title: "Includes `udap` in the `scope` query parameter", description: %( I attest that the client application includes `udap` in the list of scopes provided in the `scope` query parameter to indicate the preferred Identity Provider. ), 
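Review bot: The second bullet of the new description, `Client application authenticates the user according to the OIDC Core and UDAP Tiered OAuth specifications`, misattributes the IdP's obligation to the client and duplicates the third bullet, while the requirement it replaced — that the `scope` parameter of the authentication request contains at least `openid` and `udap` — disappears from the description even though the `scope_contains_openid_udap` input later in this file still attests to it. Suggest restoring a bullet reading `- Client application ensures the scope query parameter of the authentication request contains at least the values openid and udap.`; the `idp_authentication_compliance` input title later in the file loses its Identity Provider subject in the same way. Separately, requirement @236 is also verified by preferred_identity_provider_test.rb in this patch, so a tester is asked to attest the same `udap` scope behaviour twice; if that is intended, a sentence cross-referencing the other test would help. The class body continues outside the hunk.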
@@ -37,7 +37,7 @@ class ScopesAndIdentityProviderInteractionAttestationTest < Inferno::Test optional: true input :scope_contains_openid_udap, - title: "Client application ensures `scope` query parameter contains `openid` and `udap`", + title: "Ensures `scope` query parameter contains `openid` and `udap`", description: %( I attest that the client application ensures the `scope` query parameter of the authentication request contains at least the values `openid` and `udap`. ), @@ -61,7 +61,7 @@ class ScopesAndIdentityProviderInteractionAttestationTest < Inferno::Test optional: true input :idp_authentication_compliance, - title: "Identity Provider authenticates user as per OIDC Core and UDAP Tiered OAuth specifications", + title: "Authenticates user as per OIDC Core and UDAP Tiered OAuth specifications", description: %( I attest that the Identity Provider authenticates the user according to the OIDC Core and UDAP Tiered OAuth specifications. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb index 61dc7ef..a913616 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb 
@@ -1,17 +1,17 @@ module UDAPSecurityTestKit class SoftwareStatementAndRegistrationAttestationTest < Inferno::Test - title 'Software Statement and Registration Compliance' + title 'Complies with Software Statement and Registration' id :udap_security_software_statement_registration description %( - Client applications SHALL comply with the requirements for Software Statement and Registration: - - The `jti` claim in the JWT SHALL NOT be reused before the `exp` claim has passed. - - A registration response with an empty `grant_types` array SHALL be interpreted as a cancellation of the `client_id` registration by the Authorization Server. + Client complies with the requirements for Software Statement and Registration: + - Ensures that the `jti` claim in the JWT is not reused in another software statement or authentication JWT before the time specified in the `exp` claim has passed. + - Interprets a registration response containing an empty `grant_types` array as a confirmation that the registration for the `client_id` listed in the response has been cancelled by the Authorization Server. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@82', 'hl7.fhir.us.udap-security_1.0.0@123' input :jti_reuse_compliance, - title: "Client application does not reuse the `jti` claim before the `exp` claim has passed", + title: "Ensures that the `jti` claim in the JWT is not reused before the `exp` claim has passed", description: %( I attest that the client application ensures that the `jti` claim in the JWT is not reused in another software statement or authentication JWT before the time specified in the `exp` claim has passed. ), 
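Review bot: The first bullet and the `jti_reuse_compliance` input now attest that `jti` is not reused in "another software statement or authentication JWT", which overlaps with jti_reuse_prevention_test.rb in this same patch (requirement @159 there, @82 here), so a tester gives effectively the same attestation twice under two ids. If the two tests are meant to stay separate, scoping this bullet to the software statement — `Ensures that the jti claim in the software statement JWT is not reused before the exp claim has passed` — would make the division clear. The class body continues outside the hunk.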
@@ -35,7 +35,7 @@ class SoftwareStatementAndRegistrationAttestationTest < Inferno::Test optional: true input :grant_types_empty_array_compliance, - title: "Client application interprets empty `grant_types` array as registration cancellation", + title: "Interprets empty `grant_types` array as registration cancellation", description: %( I attest that the client application interprets a registration response containing an empty `grant_types` array as a confirmation that the registration for the `client_id` listed in the response has been cancelled by the Authorization Server. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb index f94a2f9..88039a8 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb 
@@ -1,17 +1,17 @@ module UDAPSecurityTestKit class TokenRequestAuthenticationAttestationTest < Inferno::Test - title 'Client authenticates correctly when making token requests' + title 'Authenticates correctly when making token requests' id :udap_security_token_request_authentication description %( - Client applications SHALL authenticate correctly when making token requests by: - - Including the `client_id` parameter in the token request if the client is not authenticating with the authorization server. - - Authenticating to the Token Endpoint using the method registered for its `client_id` if the client is a Confidential Client. + Client application authenticates correctly when making token requests by: + - Including the `client_id` parameter in the token request if the client is not authenticating with the authorization server. + - Authenticating to the Token Endpoint using the method registered for its `client_id` if the client is a Confidential Client. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@144', 'openid.connect.core@280' input :token_request_authentication_correctly, - title: "Client authenticates correctly when making token requests", + title: "Authenticates correctly when making token requests", description: %( I attest that the client application authenticates correctly when making token requests by: - Including the `client_id` parameter in the token request if the client is not authenticating with the authorization server. diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb index ea6ea90..197dfc1 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb 
@@ -1,15 +1,14 @@ module UDAPSecurityTestKit class TrustCommunityAndQueryParametersAttestationTest < Inferno::Test - title 'Trust Community and Query Parameters Compliance' + title 'Complies with Trust Community and Query Parameter' id :udap_security_trust_community_query_parameters description %( - Client applications SHALL comply with the requirements for Trust Community and Query Parameters: - - When the client adds the `community` query parameter, the value SHALL be a URI as determined by the trust community. + Client application ensures the value of the `community` query parameter is a valid URI as determined by the trust community. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@61' input :community_query_parameter_compliance, - title: "Client application ensures `community` query parameter value is a valid URI", + title: "Complies with Trust Community and Query Parameter", description: %( I attest that the client application ensures the value of the `community` query parameter is a valid URI as determined by the trust community. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb index 9afc6a5..74bee82 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb 
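Review bot: The rewritten description drops the condition from the old text (`When the client adds the community query parameter`), so it now reads as though sending `community` were required rather than a client option whose value must be a URI when present; suggest `Client application ensures that, when it adds the community query parameter, its value is a URI as determined by the trust community.` The input title was also changed to `Complies with Trust Community and Query Parameter`, which merely repeats the test title, whereas every other client test in this patch keeps a specific input title — the previous `Ensures community query parameter value is a valid URI` wording was more useful on the attestation form. The class body continues outside the hunk.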
@@ -1,17 +1,17 @@ module UDAPSecurityTestKit class ValidationAndConfidentialityAttestationTest < Inferno::Test - title 'Validation and Confidentiality Compliance' + title 'Complies with Validation and Confidentiality' id :udap_security_validation_confidentiality description %( - Client applications SHALL comply with the requirements for Validation and Confidentiality: - - Validate the `state` parameter returned by the Resource Holder in response to an authorization request. - - Ensure confidentiality of client passwords and other client credentials. + Client applications complies with the requirements for Validation and Confidentiality: + - Validates the `state` parameter returned by the Resource Holder in response to an authorization request to ensure it matches the value sent in the original request. + - Ensures confidentiality of client passwords and other client credentials by securely storing and transmitting them. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@274', 'hl7.fhir.us.udap-security_1.0.0@286' input :state_parameter_validation, - title: "Client application validates the `state` parameter returned by the Resource Holder", + title: "Complies with Validation and Confidentiality", description: %( I attest that the client application validates the `state` parameter returned by the Resource Holder in response to an authorization request to ensure it matches the value sent in the original request. ), @@ -35,7 +35,7 @@ class ValidationAndConfidentialityAttestationTest < Inferno::Test optional: true input :client_credentials_confidentiality, - title: "Client application ensures confidentiality of client passwords and credentials", + title: "Ensures confidentiality of client passwords and credentials", description: %( I attest that the client application ensures confidentiality of client passwords and other client credentials by securely storing and transmitting them. ), 
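Review bot: The `state_parameter_validation` input title becomes `Complies with Validation and Confidentiality`, which just repeats the test title and no longer says what is being attested, while the sibling `client_credentials_confidentiality` input in the second hunk keeps a specific title (`Ensures confidentiality of client passwords and credentials`). Using `title: "Validates the state parameter returned by the Resource Holder"` keeps the two inputs parallel and matches the description immediately below it. The class body continues outside the hunk.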
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb
index 109b2af..fdb9eaf 100644
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb
@@ -1,4 +1,4 @@
-require_relative 'client/authorization_code_usage_test'
+require_relative 'client/client_authorization_code_usage_test'
 require_relative 'client/b2b_authorization_extension_object_test'
 require_relative 'client/client_security_csrf_protection_test'
 require_relative 'client/idp_supports_required_scopes_test'
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb
index cd6a1e8..b6d87aa 100644
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb
@@ -1,14 +1,14 @@ module UDAPSecurityTestKit class AccessTokenLifetimeAttestationTest < Inferno::Test - title 'Access tokens have a lifetime of no longer than 60 minutes' + title 'Limits lifetime of access tokens to no longer than 60 minutes' id :udap_security_access_token_lifetime description %( - The Authorization Server SHALL issue access tokens with a lifetime no longer than 60 minutes for all successful token requests. + The Authorization Server issues access tokens with a lifetime no longer than 60 minutes for all successful token requests. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@184' input :access_token_lifetime_correct, - title: "Access tokens have a lifetime of no longer than 60 minutes", + title: "Authorization Code and Token Requests: Limits lifetime of access tokens to no longer than 60 minutes", description: %( I attest that the Authorization Server issues access tokens with a lifetime no longer than 60 minutes for all successful token requests. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb index 3755d19..2e9c7fc 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb 
@@ -1,9 +1,9 @@ module UDAPSecurityTestKit class AccessTokenRequestValidationAttestationTest < Inferno::Test - title 'Access token request is validated correctly' + title 'Validates access token requests correctly' id :udap_security_access_token_request_validation description %( - The Authorization Server SHALL validate access token requests by: + The Authorization Server validates access token requests by: - Requiring client authentication for confidential clients or clients issued credentials. - Authenticating the client if client authentication is included. - Verifying that the authorization code is valid. @@ -15,7 +15,7 @@ class AccessTokenRequestValidationAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@150' input :access_token_request_validation_correct, - title: "Access token request is validated correctly", + title: "Authorization Code and Token Requests: Validates access token requests correctly", description: %( I attest that the Authorization Server validates access token requests by: - Requiring client authentication for confidential clients or clients issued credentials. diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb index 26e5ba2..0d8d313 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb 
@@ -1,9 +1,9 @@ module UDAPSecurityTestKit class AuthorizationCodeUsageAttestationTest < Inferno::Test - title 'Authorization code is used correctly' + title 'Ensures authorization code is used correctly' id :udap_security_auth_code_usage description %( - The Authorization Server SHALL ensure that: + The Authorization Server ensures that: - Authorization codes are not used more than once. - Authorization codes expire shortly after issuance to mitigate the risk of leaks. ) @@ -11,7 +11,7 @@ class AuthorizationCodeUsageAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@137' input :authorization_code_usage_correct, - title: "Authorization code is used correctly", + title: "Authorization Code and Token Requests: Ensures Authorization Code is used correctly", description: %( I attest that the Authorization Server ensures: - Authorization codes are not used more than once. diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb index d068e82..bd49beb 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb 
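Review bot: The new input title `Authorization Code and Token Requests: Ensures Authorization Code is used correctly` capitalises "Authorization Code" while the test title in the same hunk reads `Ensures authorization code is used correctly` and the other server inputs in this patch keep sentence case after the group prefix. `title: "Authorization Code and Token Requests: Ensures authorization code is used correctly"` keeps them consistent. The class body continues outside the hunk.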
@@ -1,19 +1,19 @@ module UDAPSecurityTestKit class CertificationHandlingAttestationTest < Inferno::Test - title 'Authorization Server handles certifications correctly' + title 'Handles certifications correctly' id :udap_security_certification_handling description %( - The Authorization Server SHALL: - - Ignore unsupported or unrecognized certifications. - - Communicate required certifications via the `udap_certifications_required` element in its UDAP metadata. + The Authorization Server handles certifications correctly: + - Ignores unsupported or unrecognized certifications. + - Communicates required certifications via the `udap_certifications_required` element in its UDAP metadata. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@116', 'hl7.fhir.us.udap-security_1.0.0@118' input :certification_handling_correct, - title: "Authorization Server handles certifications correctly", + title: "Dynamic Client Registration: Handles certifications correctly", description: %( - I attest that the Authorization Server: + I attest that the Authorization Server handles certifications correctly: - Ignores unsupported or unrecognized certifications. - Communicates required certifications via the `udap_certifications_required` element in its UDAP metadata. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb index 7a99d57..015dfe3 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb 
@@ -1,14 +1,14 @@ module UDAPSecurityTestKit class ClientIDModificationAttestationTest < Inferno::Test - title 'Authorization Server handles client ID modification correctly' + title 'Handles client ID modification correctly' id :udap_security_client_id_modification description %( - If the Authorization Server returns a different `client_id` in response to a registration modification request, it SHALL cancel the registration for the previous `client_id`. + Authorization Server cancels the registration for the previous `client_id` if it returns a different `client_id` in response to a registration modification request. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@121' input :client_id_modification_correct, - title: "Authorization Server handles client ID modification correctly", + title: "Dynamic Client Registration: Handles client ID modification correctly", description: %( I attest that the Authorization Server cancels the registration for the previous `client_id` if it returns a different `client_id` in response to a registration modification request. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb index a6eb540..2c22c89 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb 
@@ -1,9 +1,9 @@ module UDAPSecurityTestKit class DynamicClientRegistrationValidationAttestationTest < Inferno::Test - title 'Dynamic Client Registration request is validated correctly' + title 'Validates requests correctly' id :udap_security_dynamic_client_registration_validation description %( - The Authorization Server SHALL validate dynamic client registration requests by: + The Authorization Server validates dynamic client registration requests by: - Ensuring the `sub` value matches the `iss` value. - Ensuring the `aud` value contains the Authorization Server’s registration endpoint URL. - Ensuring the software statement is unexpired. @@ -13,7 +13,7 @@ class DynamicClientRegistrationValidationAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@109' input :dynamic_client_registration_validation_correct, - title: "Dynamic Client Registration request is validated correctly", + title: "Dynamic Client Registration: Validates requests correctly", description: %( I attest that the Authorization Server validates dynamic client registration requests by: - Ensuring the `sub` value matches the `iss` value. diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb index 9852abc..e69b281 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb 
@@ -1,14 +1,14 @@ module UDAPSecurityTestKit class InvalidIDTokenErrorAttestationTest < Inferno::Test - title 'Invalid ID Token error is handled correctly' + title 'Handles invalid ID token error correctly' id :udap_security_invalid_id_token_error description %( - If the IdP does not return an ID Token or validation fails, the Data Holder MAY return an `invalid_idp` error code or attempt alternate authentication. + Data Holder either returns an `invalid_idp` error code or attempts alternate authentication when the IdP does not return an ID Token or validation fails. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@291' input :invalid_id_token_error_handling_correct, - title: "Invalid ID Token error is handled correctly", + title: "Error Handling: Handles invalid ID token error correctly", description: %( I attest that the Data Holder either returns an `invalid_idp` error code or attempts alternate authentication when the IdP does not return an ID Token or validation fails. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb index f2cd8a9..77fd508 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb 
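Review bot: The rewritten description turns the removed line's permissive wording (`MAY return an invalid_idp error code or attempt alternate authentication`) into a closed either/or statement, `Data Holder either returns an ... error code or attempts alternate authentication ...`. If requirement @291 is a MAY, a Data Holder that takes neither path (for example, returns a different error code) is still conformant but cannot truthfully attest to the new text, so the attestation over-constrains the implementation. Consider keeping the permissive shape, e.g. `Data Holder may return an invalid_idp error code or may attempt alternate authentication when the IdP does not return an ID Token or validation fails.` The unchanged `input` description later in the hunk carries the same either/or wording and would need the matching edit.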
@@ -1,14 +1,14 @@ module UDAPSecurityTestKit class InvalidRedirectionURIAttestationTest < Inferno::Test - title 'Invalid redirection URI is handled correctly' + title 'Handles invalid redirection URI correctly' id :udap_security_invalid_redirection_uri description %( - The Authorization Server MUST NOT redirect the user-agent to an invalid redirection URI if the request fails due to a missing or invalid redirection URI. + The Authorization Server does NOT redirect the user-agent to an invalid redirection URI when the request fails due to a missing or invalid redirection URI. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@242' input :invalid_redirection_uri_handling_correct, - title: "Invalid redirection URI is handled correctly", + title: "Error Handling: Handles Invalid redirection URI correctly", description: %( I attest that the Authorization Server does NOT redirect the user-agent to an invalid redirection URI when the request fails due to a missing or invalid redirection URI. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb index ab52fde..1975bd4 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb @@ -1,6 +1,6 @@ module UDAPSecurityTestKit class StateMismatchErrorAttestationTest < Inferno::Test - title 'State mismatch error is handled correctly' + title 'Handles state mismatch error correctly' id :udap_security_state_mismatch_error description %( If the `state` parameter does NOT match, the Resource Holder MUST terminate the workflow and redirect with a `server_error`. 
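Review bot: The new `input` title in invalid_redirection_uri_test.rb capitalizes `Invalid` mid-sentence (`"Error Handling: Handles Invalid redirection URI correctly"`) while the class `title` added a few lines above reads `'Handles invalid redirection URI correctly'`; every other hunk in this patch builds the input title as the group prefix plus the class title verbatim, so this one should be `title: "Error Handling: Handles invalid redirection URI correctly",`. The same drift appears in the second hunk of state_mismatch_test.rb (input title keeps the old `State mismatch error is handled correctly` wording against the new class title `Handles state mismatch error correctly`) and in id_token_validation_test.rb (input title keeps `ID Token is validated correctly` against `Validates ID Token correctly`). These strings are what the attester sees in the UI, so a mismatch makes it harder to map an input back to its test. The first state_mismatch hunk on this line also leaves its `description` in the normative `MUST terminate` form that the other hunks rewrote; that may be deliberate, but it stands out against the rest of the patch.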
@@ -8,7 +8,7 @@ class StateMismatchErrorAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@271' input :state_mismatch_error_handling_correct, - title: "State mismatch error is handled correctly", + title: "Error Handling: State mismatch error is handled correctly", description: %( I attest that the Resource Holder terminates the workflow and redirects with a `server_error` when the `state` parameter does NOT match. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb index 48251e9..60fbe20 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb @@ -1,14 +1,14 @@ module UDAPSecurityTestKit class UnauthenticatedUserErrorAttestationTest < Inferno::Test - title 'Unauthenticated user error is handled correctly' + title 'Handles unauthenticated user error correctly' id :udap_security_unauthenticated_user_error description %( - If the Data Holder cannot resolve the authenticated user, it SHALL return an `access_denied` error response. + Data Holder returns an `access_denied` error response when it cannot resolve the authenticated user. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@296' input :unauthenticated_user_error_handling_correct, - title: "Unauthenticated user error is handled correctly", + title: "Error Handling: Handles unauthenticated user error correctly", description: %( I attest that the Data Holder returns an `access_denied` error response when it cannot resolve the authenticated user. ), 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb index 98969a4..7231d1d 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb @@ -1,14 +1,14 @@ module UDAPSecurityTestKit class ValidStateErrorResponseAttestationTest < Inferno::Test - title 'Valid state error response is handled correctly' + title 'Handles valid state error correctly' id :udap_security_valid_state_error_response description %( - If the `state` value is valid on an error response, the Resource Holder MUST redirect with an `access_denied` error code. + Resource Holder redirects with an `access_denied` error code when the `state` value is valid on an error response. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@273' input :valid_state_error_response_handling_correct, - title: "Valid state error response is handled correctly", + title: "Error Handling: Handles valid state error correctly", description: %( I attest that the Resource Holder redirects with an `access_denied` error code when the `state` value is valid on an error response. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb index 76e06d1..08d2c50 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb 
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb @@ -1,16 +1,17 @@ module UDAPSecurityTestKit class AccessTokenValidationAttestationTest < Inferno::Test - title 'Access Token is validated correctly' + title 'Validates access token correctly' id :udap_security_access_token_validation description %( - The Data Holder SHALL validate the Access Token as per the Access Token validation rules. - This includes verifying the token's integrity, claims, and expiration. + Data Holder validates the Access Token as per the Access Token validation rules, including: + - Verifying the token's integrity. + - Checking claims such as `exp` and other relevant attributes. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@283', 'hl7.fhir.us.udap-security_1.0.0@290' input :access_token_validation_correct, - title: "Access Token is validated correctly", + title: "ID Token and Access Token Validation: Validates access token correctly", description: %( I attest that the Data Holder validates the Access Token as per the Access Token validation rules, including: - Verifying the token's integrity. diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb index 9c453f1..37f1355 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb 
@@ -1,16 +1,17 @@ module UDAPSecurityTestKit class IDTokenValidationAttestationTest < Inferno::Test - title 'ID Token is validated correctly' + title 'Validates ID Token correctly' id :udap_security_id_token_validation description %( - The Data Holder SHALL validate the ID Token as per OIDC Core specifications. - This includes verifying the token's signature, claims, issuer, audience, and expiration. + Data Holder validates the ID Token as per OIDC Core specifications, including: + - Verifying the token's signature. + - Checking claims such as `iss`, `aud`, and `exp`. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@282', 'hl7.fhir.us.udap-security_1.0.0@289' input :id_token_validation_correct, - title: "ID Token is validated correctly", + title: "ID Token and Access Token Validation: ID Token is validated correctly", description: %( I attest that the Data Holder validates the ID Token as per OIDC Core specifications, including: - Verifying the token's signature. diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb index 3698a90..4df3ec5 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb 
@@ -1,17 +1,18 @@ module UDAPSecurityTestKit class TokenResponseValidationAttestationTest < Inferno::Test - title 'Token Response is validated correctly' + title 'Validates token response correctly' id :udap_security_token_response_validation description %( - The Client MUST validate the Token Response as per RFC 6749 and OIDC Core specifications. - This includes ensuring the presence of required parameters such as `access_token` and `token_type`. + Client validates the Token Response as per RFC 6749 and OIDC Core specifications, including: + - Ensuring the presence of `access_token` and `token_type` parameters. + - Validating the response structure and data integrity. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@283', 'hl7.fhir.us.udap-security_1.0.0@284', 'hl7.fhir.us.udap-security_1.0.0@285' input :token_response_validation_correct, - title: "Token Response is validated correctly", + title: "ID Token and Access Token Validation: Validates token response correctly", description: %( I attest that the Client validates the Token Response as per RFC 6749 and OIDC Core specifications, including: - Ensuring the presence of `access_token` and `token_type` parameters. diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb index 7242355..1abb417 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb 
@@ -1,14 +1,14 @@ module UDAPSecurityTestKit class IdPAuthenticationRequestAttestationTest < Inferno::Test - title 'Authentication request is made to the IdP’s authorization endpoint' + title 'Performs Authentication request to the IdP’s authorization endpoint' id :udap_security_idp_authentication_request description %( - If the IdP is trusted, the Data Holder SHALL make an authentication request to the IdP’s authorization endpoint. + Data Holder makes an authentication request to the IdP’s authorization endpoint when the IdP is trusted. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@245' input :idp_authentication_request_correct, - title: "Authentication request is made to the IdP’s authorization endpoint", + title: "Interaction with Identity Providers (IdPs): Performs Authentication request to the IdP’s authorization endpoint", description: %( I attest that the Data Holder makes an authentication request to the IdP’s authorization endpoint when the IdP is trusted. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb index 577ed2b..d3429ff 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb 
@@ -1,14 +1,16 @@ module UDAPSecurityTestKit class IdPDynamicRegistrationAttestationTest < Inferno::Test - title 'IdP dynamic registration is performed if supported' + title 'Performs IdP dynamic registration if supported' id :udap_security_idp_dynamic_registration description %( - If the IdP is trusted and supports UDAP Dynamic Registration, the Data Holder SHALL register as a client. + Data Holder registers as a client with the IdP if: + - The IdP is trusted. + - The IdP supports UDAP Dynamic Registration. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@239' input :idp_dynamic_registration_correct, - title: "IdP dynamic registration is performed if supported", + title: "Interaction with Identity Providers (IdPs): Performs IdP dynamic registration if supported", description: %( I attest that the Data Holder registers as a client with the IdP if: - The IdP is trusted. diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb index 0de66cf..364f503 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb 
@@ -1,14 +1,16 @@ module UDAPSecurityTestKit class IdPMetadataValidationAttestationTest < Inferno::Test - title 'IdP metadata is validated to determine trust' + title 'Validates IdP metadata to determine trust' id :udap_security_idp_metadata_validation description %( - The Data Holder SHALL validate the IdP’s UDAP metadata to determine trustworthiness before interacting with the IdP. + Data Holder validates the IdP’s UDAP metadata to determine trustworthiness, including: + - Verifying the authenticity of the metadata. + - Ensuring the metadata meets UDAP specifications. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@238' input :idp_metadata_validation_correct, - title: "IdP metadata is validated to determine trust", + title: "Interaction with Identity Providers (IdPs): Validates IdP metadata to determine trust", description: %( I attest that the Data Holder validates the IdP’s UDAP metadata to determine trustworthiness, including: - Verifying the authenticity of the metadata. diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb index 68feb30..fa24c1d 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb 
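Review bot: The rewritten description drops the timing constraint the removed line carried, `before interacting with the IdP`, so the attestation no longer states that trust is established prior to registering with or sending authentication requests to the IdP, which is the security-relevant part of this requirement. The two new bullets (`Verifying the authenticity of the metadata`, `Ensuring the metadata meets UDAP specifications`) also appear to be broader than the removed sentence; if requirement @238 covers only the trust decision, they should be hedged or traced to the requirement text. Suggested lead sentence: `Data Holder validates the IdP’s UDAP metadata to determine trustworthiness before interacting with the IdP, including:`. The unchanged `input` description on the context line below already lacks the `before interacting` clause and would need the same edit.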
@@ -1,14 +1,14 @@ module UDAPSecurityTestKit class IdPTokenExchangeAttestationTest < Inferno::Test - title 'Code is exchanged for tokens after successful authentication response' + title 'Exchanges code for tokens after successful authentication response' id :udap_security_idp_token_exchange description %( - If the IdP returns a successful authentication response, the Data Holder SHALL exchange the authorization code for tokens. + Data Holder exchanges the authorization code for tokens after receiving a successful authentication response from the IdP. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@279' input :idp_token_exchange_correct, - title: "Code is exchanged for tokens after successful authentication response", + title: "Interaction with Identity Providers (IdPs): Exchanges code for tokens after successful authentication response", description: %( I attest that the Data Holder exchanges the authorization code for tokens after receiving a successful authentication response from the IdP. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb index c6839fb..ef7450f 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb 
@@ -1,14 +1,14 @@ module UDAPSecurityTestKit class UDAPAuthorizationExtensionsRequiredAttestationTest < Inferno::Test - title 'UDAP Metadata includes required authorization extensions' + title 'Includes required authorization extensions' id :udap_security_authorization_extensions_required description %( - If the Authorization Server requires the B2B Authorization Extension Object, the `udap_authorization_extensions_required` list SHALL include `["hl7-b2b"]`. + Server's UDAP metadata includes the `udap_authorization_extensions_required` list with `["hl7-b2b"]` if the Authorization Server requires the B2B Authorization Extension Object. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@32' input :udap_authorization_extensions_required_correct, - title: "UDAP Metadata includes required authorization extensions", + title: "UDAP Metadata and Server Capabilities: Includes required authorization extensions", description: %( I attest that the server's UDAP metadata includes the `udap_authorization_extensions_required` list with `["hl7-b2b"]` if the Authorization Server requires the B2B Authorization Extension Object. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb index cad0254..d5d1cd3 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb 
@@ -1,14 +1,14 @@ module UDAPSecurityTestKit class CommunityParameterSupportAttestationTest < Inferno::Test - title 'Server supports community parameter correctly' + title 'Supports community parameter correctly' id :udap_security_community_parameter_support description %( - If a server supports the `community` parameter and recognizes the URI value, it SHALL select a certificate intended for use within the identified trust community and use that certificate when generating the signed JWT returned for the `signed_metadata` element. + Server supports the `community` parameter correctly by selecting a certificate intended for use within the identified trust community when generating the signed JWT for the `signed_metadata` element. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@62' input :community_parameter_support_correct, - title: "Server supports community parameter correctly", + title: "UDAP Metadata and Server Capabilities: Supports community parameter correctly", description: %( I attest that the server supports the `community` parameter correctly by selecting a certificate intended for use within the identified trust community when generating the signed JWT for the `signed_metadata` element. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb index 3a74dbb..e64b646 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb 
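Review bot: The new description drops a precondition from the removed line: the old text required community-specific certificate selection only `If a server supports the community parameter and recognizes the URI value`, whereas the new sentence asks the attester to confirm that selection for any `community` value, including URIs the server does not recognize. Because the certificate chosen for `signed_metadata` is what a client later validates trust against, that precondition matters and should not be lost in the rewrite. Suggested wording: `Server supports the community parameter correctly by selecting a certificate intended for use within the identified trust community when it recognizes the URI value, and using that certificate when generating the signed JWT for the signed_metadata element.` The unchanged `input` description on the following context line has the same gap.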
@@ -1,14 +1,14 @@ module UDAPSecurityTestKit class UDAPMetadataEndpointErrorHandlingAttestationTest < Inferno::Test - title 'UDAP Metadata endpoint correctly handles unsupported workflows' + title 'Handles unsupported workflows correctly' id :udap_security_metadata_error_handling description %( - If no UDAP workflows are supported, the server SHALL return a `404 Not Found` response to the metadata request. + Server's UDAP metadata endpoint correctly handles unsupported workflows by returning a `404 Not Found` response when no UDAP workflows are supported. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@19' input :udap_metadata_error_handling_correct, - title: "UDAP Metadata endpoint correctly handles unsupported workflows", + title: "UDAP Metadata and Server Capabilities: Handles unsupported workflows correctly", description: %( I attest that the server's UDAP metadata endpoint correctly handles unsupported workflows by returning a `404 Not Found` response when no UDAP workflows are supported. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb index 432ab6d..cb19b5a 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb 
@@ -1,14 +1,14 @@ module UDAPSecurityTestKit class UDAPMetadataRepresentationAttestationTest < Inferno::Test - title 'UDAP Metadata correctly represents server capabilities' + title 'Represents server capabilities correctly' id :udap_security_metadata_representation description %( - The server's UDAP metadata endpoint SHALL correctly represent the server’s capabilities with respect to the UDAP workflows described in the guide. + Server's UDAP metadata endpoint correctly represents the server’s capabilities with respect to the UDAP workflows described in the guide. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@18' input :udap_metadata_representation_correct, - title: "UDAP Metadata correctly represents server capabilities", + title: "UDAP Metadata and Server Capabilities: Represents server capabilities correctly", description: %( I attest that the server's UDAP metadata endpoint correctly represents the server’s capabilities with respect to the UDAP workflows described in the guide. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb index d257b16..9e29add 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb 
@@ -1,14 +1,14 @@ module UDAPSecurityTestKit class UDAPProfilesSupportedAttestationTest < Inferno::Test - title 'UDAP Metadata includes supported profiles' + title 'Includes supported profiles' id :udap_security_profiles_supported description %( - If the server supports the user authentication workflow described in Section 6, the `udap_profiles_supported` element SHALL include `udap_to` for UDAP Tiered OAuth for User Authentication. + Server's UDAP metadata includes the `udap_profiles_supported` element with `udap_to` if the server supports the user authentication workflow described in Section 6. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@27' input :udap_profiles_supported_correct, - title: "UDAP Metadata includes supported profiles", + title: "UDAP Metadata and Server Capabilities: Includes supported profiles", description: %( I attest that the server's UDAP metadata includes the `udap_profiles_supported` element with `udap_to` if the server supports the user authentication workflow described in Section 6. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb index 62396b7..62a8d02 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb 
@@ -1,13 +1,13 @@ module UDAPSecurityTestKit class AuthenticationRequestConstructionAttestationTest < Inferno::Test - title 'Authentication Request Construction Compliance' + title 'Complies with OpenID Connect requirements in construction' id :oidc_auth_request_construction description %( - The Authorization Server SHALL ensure that authentication requests comply with OpenID Connect requirements, including: - - Support for HTTP GET and POST methods at the Authorization Endpoint. - - Inclusion of the `openid` scope value. - - Presence and validity of required parameters such as `response_type`, `client_id`, and `redirect_uri`. - - Exact matching of the `redirect_uri` with pre-registered values. + Authorization Server complies ith OpenID Connect requirements and ensures: + - HTTP GET and POST methods are supported at the Authorization Endpoint. + - The `openid` scope value is included in requests. + - Required parameters (`response_type`, `client_id`, `redirect_uri`) are present and valid. + - The `redirect_uri` exactly matches pre-registered values. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@246', 'hl7.fhir.us.udap-security_1.0.0@247', @@ -17,9 +17,9 @@ class AuthenticationRequestConstructionAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@251' input :auth_request_construction_correct, - title: "Authentication Request Construction Compliance", + title: "OpenID Connect Authentication Requests: Complies with OpenID Connect requirements", description: %( - I attest that the Authorization Server ensures: + I attest that the Authorization Server complies with OpenID Connect requirements and ensures: - HTTP GET and POST methods are supported at the Authorization Endpoint. - The `openid` scope value is included in requests. - Required parameters (`response_type`, `client_id`, `redirect_uri`) are present and valid. 
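Review bot: The added description line in the first hunk has a typo, `Authorization Server complies ith OpenID Connect requirements and ensures:`, which should read `Authorization Server complies with OpenID Connect requirements and ensures:`; this text is shown to attesters, so it should be fixed before merge. In the second hunk the new `input` title, `"OpenID Connect Authentication Requests: Complies with OpenID Connect requirements"`, drops the `in construction` qualifier that the new class title `'Complies with OpenID Connect requirements in construction'` carries, which makes it indistinguishable from the sibling validation test's input once both appear in the same group. Suggest `title: "OpenID Connect Authentication Requests: Complies with OpenID Connect requirements in construction",` to match the prefix-plus-class-title pattern used elsewhere in the patch.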
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb index 1a0a6c3..60f9d6b 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb @@ -1,14 +1,14 @@ module UDAPSecurityTestKit class AuthenticationRequestValidationAttestationTest < Inferno::Test - title 'Authentication Request Validation Compliance' + title 'OpenID Connect Authentication Requests: Complies with OpenID Connect requirements in validation' id :oidc_auth_request_validation description %( - The Authorization Server SHALL validate authentication requests according to OpenID Connect requirements, including: - - Validation of all OAuth 2.0 parameters. - - Verification that the `scope` parameter contains the `openid` value. - - Verification of the presence and conformity of required parameters. - - Proper handling of the `sub` Claim, `id_token_hint`, and `prompt` parameter. - - Implementation of CSRF and Clickjacking protections. + Authorization Server complies with OpenID Connect requirements and ensures: + - Validation of all OAuth 2.0 parameters. + - Verification that the `scope` parameter contains the `openid` value. + - Required parameters are present and conform to the specification. + - Proper handling of the `sub` Claim, `id_token_hint`, and `prompt` parameter. + - Implementation of CSRF and Clickjacking protections. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@258', 'hl7.fhir.us.udap-security_1.0.0@259', 
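Review bot: The new class-level `title` here carries the group prefix, `'OpenID Connect Authentication Requests: Complies with OpenID Connect requirements in validation'`, which no other hunk in this patch puts on the class title; elsewhere the prefix is applied only to the `input` title (as the second hunk of this same file does). Since the test title is rendered inside its group, the prefix will be shown twice. Suggest `title 'Complies with OpenID Connect requirements in validation'` to match the construction test and the rest of the patch.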
@@ -23,9 +23,9 @@ class AuthenticationRequestValidationAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@269' input :auth_request_validation_correct, - title: "Authentication Request Validation Compliance", + title: "OpenID Connect Authentication Requests: Complies with OpenID Connect requirements in validation", description: %( - I attest that the Authorization Server ensures: + I attest that the Authorization Server complies with OpenID Connect requirements and ensures: - Validation of all OAuth 2.0 parameters. - Verification that the `scope` parameter contains the `openid` value. - Required parameters are present and conform to the specification. diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb index 6196a68..bb1c1b9 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb 
@@ -1,14 +1,16 @@ module UDAPSecurityTestKit class CSRFProtectionAttestationTest < Inferno::Test - title 'CSRF protection is implemented for the authorization endpoint' + title 'Implements CSRF protection for the authorization endpoint' id :udap_security_csrf_protection description %( - The Authorization Server MUST implement CSRF protection for its authorization endpoint to prevent unauthorized or malicious requests. + Authorization Server implements CSRF protection for its authorization endpoint, including mechanisms such as: + - Use of anti-CSRF tokens. + - Validation of `state` parameter to prevent cross-site request forgery. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@278' input :csrf_protection_implemented, - title: "CSRF protection is implemented for the authorization endpoint", + title: "Security Measures: Implements CSRF protection for the authorization endpoint", description: %( I attest that the Authorization Server implements CSRF protection for its authorization endpoint, including mechanisms such as: - Use of anti-CSRF tokens. diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb index 10f8a83..d313b0b 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb 
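Review bot: The new bullet `- Validation of \`state\` parameter to prevent cross-site request forgery.` attributes to the Authorization Server a check it cannot perform: in OAuth 2.0 `state` is an opaque, client-chosen value the server returns unchanged on the redirect, and the CSRF check it enables is done by the client, which the client-side test in this commit already covers (`Uses a non-guessable binding value for CSRF protection`). As written, a server could truthfully attest "yes" to this test while doing nothing to protect its own authorization endpoint. Suggest replacing the bullet with a mechanism the server itself owns, e.g. `- Binding of the authorization endpoint's login/consent form submissions to the end-user's authenticated session (anti-CSRF token or equivalent).`, in both the test description and the input description; the input description's tail, which presumably repeats the same bullet, lies outside this hunk.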
@@ -1,14 +1,16 @@ module UDAPSecurityTestKit class UnauthenticatedClientSecurityAttestationTest < Inferno::Test - title 'Security measures are considered for unauthenticated clients' + title 'Considers security measures for unauthenticated clients' id :udap_security_unauthenticated_clients description %( - The Authorization Server MUST consider security implications of interacting with unauthenticated clients to prevent unauthorized access or misuse. + I attest that the Authorization Server considers security implications when interacting with unauthenticated clients, including: + - Restricting access to sensitive endpoints. + - Implementing rate limiting or other protective measures. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@288' input :unauthenticated_client_security_measures, - title: "Security measures are considered for unauthenticated clients", + title: "Security Measures: Considers security measures for unauthenticated clients", description: %( I attest that the Authorization Server considers security implications when interacting with unauthenticated clients, including: - Restricting access to sensitive endpoints. From a8a2b25402315c420e1e2437ad602c79820b779c Mon Sep 17 00:00:00 2001 
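Review bot: The new test-level `description` opens with `I attest that the Authorization Server considers security implications ...`, copying the first-person wording of the input description, whereas every other test description in this commit is a third-person statement of what the server does (`Authorization Server implements CSRF protection for its authorization endpoint, ...`). The test description is rendered in the test listing, not as an attestation prompt, so the first person reads as a copy-paste slip; suggest `Authorization Server considers security implications when interacting with unauthenticated clients, including:` for the first line, keeping the two bullets as they are. The input definition continues past the end of this hunk.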
From: Christine Duong Date: Thu, 10 Jul 2025 01:22:45 -0400 Subject: [PATCH 05/13] Linting --- lib/udap_security_test_kit/client_suite.rb | 2 +- ...b2b_authorization_extension_object_test.rb | 8 +-- .../client_authorization_code_usage_test.rb | 4 +- .../client_security_csrf_protection_test.rb | 6 +- .../idp_supports_required_scopes_test.rb | 62 +++++++++---------- .../client/jti_reuse_prevention_test.rb | 4 +- .../client/metadata_interpretation_test.rb | 6 +- .../preferred_identity_provider_test.rb | 4 +- .../client/private_key_authentication_test.rb | 6 +- ...opes_identity_provider_interaction_test.rb | 6 +- .../software_statement_registration_test.rb | 4 +- .../token_request_authentication_test.rb | 4 +- .../trust_community_query_parameters_test.rb | 2 +- .../client/validation_confidentiality_test.rb | 4 +- .../client_attestation_group.rb | 2 +- ...authorization_code_token_requests_group.rb | 2 +- .../access_token_lifetime_test.rb | 4 +- .../access_token_request_validation_test.rb | 4 +- .../authorization_code_usage_test.rb | 4 +- .../dynamic_client_registration_group.rb | 2 +- .../certification_handling_test.rb | 4 +- .../client_id_modification_test.rb | 4 +- ...mic_client_registration_validation_test.rb | 4 +- .../server/error_handling_group.rb | 2 +- .../invalid_id_token_test.rb | 4 +- .../invalid_redirection_uri_test.rb | 4 +- .../state_mismatch_test.rb | 4 +- .../unauthenticated_user_test.rb | 4 +- .../valid_state_error_response_test.rb | 4 +- .../id_token_access_token_validation_group.rb | 5 +- .../access_token_validation_test.rb | 4 +- .../id_token_validation_test.rb | 4 +- .../token_response_validation_test.rb | 4 +- .../identity_provider_interaction_group.rb | 2 +- .../idp_authentication_request_test.rb | 4 +- .../idp_dynamic_registration_test.rb | 4 +- .../idp_metadata_validation_test.rb | 4 +- .../idp_token_exchange_test.rb | 4 +- .../metadata_server_capabilities_group.rb | 2 +- ..._authorization_extensions_required_test.rb | 4 +- 
.../udap_community_parameter_support_test.rb | 4 +- ...p_metadata_endpoint_error_handling_test.rb | 4 +- .../udap_metadata_representation_test.rb | 4 +- .../udap_profiles_supported_test.rb | 4 +- ...d_connect_authentication_requests_group.rb | 2 +- ...uthentication_request_construction_test.rb | 4 +- .../authentication_request_validation_test.rb | 4 +- .../server/security_measures_group.rb | 2 +- .../csrf_protection_test.rb | 4 +- .../unauthenticated_client_security_test.rb | 4 +- .../server_attestation_group.rb | 3 +- 51 files changed, 125 insertions(+), 129 deletions(-) diff --git a/lib/udap_security_test_kit/client_suite.rb b/lib/udap_security_test_kit/client_suite.rb index 4a23736..25c964c 100644 --- a/lib/udap_security_test_kit/client_suite.rb +++ b/lib/udap_security_test_kit/client_suite.rb @@ -114,7 +114,7 @@ class UDAPSecurityClientTestSuite < Inferno::TestSuite required_suite_options: { client_type: UDAPClientOptions::UDAP_CLIENT_CREDENTIALS } - + group from: :udap_client_v100_visual_inspection_and_attestation end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb index 6cd37df..4bf7d1c 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb @@ -20,7 +20,7 @@ class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@221' input :subject_name_compliance, - title: "Includes `subject_name` if known", + title: 'Includes `subject_name` if known', description: %( I attest that the client application includes the `subject_name` parameter if it is known for human or non-human requestors. ), 
@@ -44,7 +44,7 @@ class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test optional: true input :subject_id_compliance, - title: "Includes `subject_id` for human requestors when `subject_name` is present", + title: 'Includes `subject_id` for human requestors when `subject_name` is present', description: %( I attest that the client application includes the `subject_id` parameter for human requestors when the `subject_name` parameter is present. ), @@ -68,7 +68,7 @@ class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test optional: true input :subject_id_npi_compliance, - title: "Uses NPI for `subject_id` in US Realm human requestors", + title: 'Uses NPI for `subject_id` in US Realm human requestors', description: %( I attest that the client application uses the National Provider Identifier (NPI) as the value for `subject_id` for human requestors in the US Realm. ), @@ -92,7 +92,7 @@ class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test optional: true input :consent_reference_compliance, - title: "Ensures `consent_reference` URLs are resolvable", + title: 'Ensures `consent_reference` URLs are resolvable', description: %( I attest that the client application ensures that the `consent_reference` parameter includes URLs that are resolvable by the receiving party and omits `consent_reference` if `consent_policy` is not present. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_authorization_code_usage_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_authorization_code_usage_test.rb index 3914ed2..6852db4 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_authorization_code_usage_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_authorization_code_usage_test.rb 
@@ -11,7 +11,7 @@ class ClientAuthorizationCodeUsageAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@188' input :authorization_code_usage_correctly, - title: "Uses authorization code correctly", + title: 'Uses authorization code correctly', description: %( I attest that the client application uses the authorization code correctly by: - Ensuring the authorization code is not used more than once. @@ -38,7 +38,7 @@ class ClientAuthorizationCodeUsageAttestationTest < Inferno::Test run do assert authorization_code_usage_correctly == 'true', - 'Client application did not demonstrate correct usage of the authorization code.' + 'Client application did not demonstrate correct usage of the authorization code.' pass authorization_code_usage_correctly_note if authorization_code_usage_correctly_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb index e88136f..a8e73fe 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb @@ -13,7 +13,7 @@ class ClientSecurityAndCSRFProtectionAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@277' input :csrf_protection_implementation, - title: "Implements CSRF protection for its redirection URI", + title: 'Implements CSRF protection for its redirection URI', description: %( I attest that the client application implements CSRF protection for its redirection URI to prevent cross-site request forgery attacks. ), 
@@ -37,7 +37,7 @@ class ClientSecurityAndCSRFProtectionAttestationTest < Inferno::Test optional: true input :csrf_binding_value_compliance, - title: "Uses a non-guessable binding value for CSRF protection", + title: 'Uses a non-guessable binding value for CSRF protection', description: %( I attest that the client application uses a binding value for CSRF protection that contains a non-guessable value to ensure security. ), @@ -61,7 +61,7 @@ class ClientSecurityAndCSRFProtectionAttestationTest < Inferno::Test optional: true input :authenticated_state_protection, - title: "Ensures authenticated state is protected by same-origin policy", + title: 'Ensures authenticated state is protected by same-origin policy', description: %( I attest that the client application ensures the user-agent's authenticated state is stored in a location accessible only to the client and user-agent, protected by the same-origin policy. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb index 8421323..f4210c8 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb 
@@ -1,40 +1,40 @@ module UDAPSecurityTestKit class IdPSupportsRequiredScopesAttestationTest < Inferno::Test - title 'Supports required scopes in IdPs' - id :udap_security_idp_supports_scopes - description %( + title 'Supports required scopes in IdPs' + id :udap_security_idp_supports_scopes + description %( Identity Provider (IdP) includes `"openid"` and `"udap"` in the array of scopes returned for the `scopes_supported` parameter. ) - verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@235' + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@235' - input :idp_supports_required_scopes, - title: "Supports required scopes", - description: %( + input :idp_supports_required_scopes, + title: 'Supports required scopes', + description: %( I attest that the Identity Provider (IdP) includes `"openid"` and `"udap"` in the array of scopes returned for the `scopes_supported` parameter. ), - type: 'radio', - default: 'false', - options: { - list_options: [ - { - label: 'Yes', - value: 'true' - }, - { - label: 'No', - value: 'false' - } - ] - } - input :idp_supports_required_scopes_note, - title: 'Notes, if applicable:', - type: 'textarea', - optional: true + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :idp_supports_required_scopes_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true - run do - assert idp_supports_required_scopes == 'true', - 'Identity Provider (IdP) did not demonstrate support for required scopes.' - pass idp_supports_required_scopes_note if idp_supports_required_scopes_note.present? - end + run do + assert idp_supports_required_scopes == 'true', + 'Identity Provider (IdP) did not demonstrate support for required scopes.' + pass idp_supports_required_scopes_note if idp_supports_required_scopes_note.present? + end end -end \ No newline at end of file +end 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb index 2841086..427efb5 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb @@ -9,7 +9,7 @@ class JTIReusePreventionAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@159' input :jti_reuse_prevention_correctly, - title: "Prevents reuse of JTI values in authentication tokens", + title: 'Prevents reuse of JTI values in authentication tokens', description: %( I attest that the client application prevents reuse of JTI values in authentication tokens by: - Ensuring the `jti` parameter is not reused in another authentication JWT before the time specified in the `exp` claim has passed. @@ -35,7 +35,7 @@ class JTIReusePreventionAttestationTest < Inferno::Test run do assert jti_reuse_prevention_correctly == 'true', - 'Client application did not demonstrate prevention of JTI reuse in authentication tokens.' + 'Client application did not demonstrate prevention of JTI reuse in authentication tokens.' pass jti_reuse_prevention_correctly_note if jti_reuse_prevention_correctly_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb index bb1db85..8790e63 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb 
@@ -11,7 +11,7 @@ class MetadataInterpretationAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@21' input :interprets_metadata_correctly, - title: "Interprets metadata correctly", + title: 'Interprets metadata correctly', description: %( I attest that the client application interprets metadata correctly by: - Interpreting an empty array value in metadata as indicating that the corresponding capability is NOT supported by the server. @@ -38,8 +38,8 @@ class MetadataInterpretationAttestationTest < Inferno::Test run do assert interprets_metadata_correctly == 'true', - 'Client application did not demonstrate correct interpretation of metadata.' + 'Client application did not demonstrate correct interpretation of metadata.' pass interprets_metadata_correctly_note if interprets_metadata_correctly_note.present? end end -end \ No newline at end of file +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb index a916027..5181c20 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb @@ -11,7 +11,7 @@ class PreferredIdentityProviderAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@237' input :indicates_preferred_idp, - title: "Indicates preferred Identity Provider", + title: 'Indicates preferred Identity Provider', description: %( I attest that the client application indicates the preferred Identity Provider (IdP) to the data holder by: - Adding `udap` to the list of scopes provided in the `scope` query parameter. 
@@ -38,7 +38,7 @@ class PreferredIdentityProviderAttestationTest < Inferno::Test run do assert indicates_preferred_idp == 'true', - 'Client application did not demonstrate correct indication of the preferred Identity Provider.' + 'Client application did not demonstrate correct indication of the preferred Identity Provider.' pass indicates_preferred_idp_note if indicates_preferred_idp_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb index 5cc1974..1fbfe80 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb @@ -10,7 +10,7 @@ class PrivateKeyAuthenticationAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@224' input :private_key_authentication_correctly, - title: "Uses private key authentication correctly", + title: 'Uses private key authentication correctly', description: %( I attest that the client application uses private key authentication correctly by: - Omitting the HTTP Authorization header and client secret in token endpoint requests when authenticating with a private key and Authentication Token. @@ -36,8 +36,8 @@ class PrivateKeyAuthenticationAttestationTest < Inferno::Test run do assert private_key_authentication_correctly == 'true', - 'Client application did not demonstrate correct private key authentication.' + 'Client application did not demonstrate correct private key authentication.' pass private_key_authentication_correctly_note if private_key_authentication_correctly_note.present? end end -end \ No newline at end of file +end 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb index 768976e..6444c12 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb @@ -13,7 +13,7 @@ class ScopesAndIdentityProviderInteractionAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@257' input :scope_includes_udap, - title: "Includes `udap` in the `scope` query parameter", + title: 'Includes `udap` in the `scope` query parameter', description: %( I attest that the client application includes `udap` in the list of scopes provided in the `scope` query parameter to indicate the preferred Identity Provider. ), @@ -37,7 +37,7 @@ class ScopesAndIdentityProviderInteractionAttestationTest < Inferno::Test optional: true input :scope_contains_openid_udap, - title: "Ensures `scope` query parameter contains `openid` and `udap`", + title: 'Ensures `scope` query parameter contains `openid` and `udap`', description: %( I attest that the client application ensures the `scope` query parameter of the authentication request contains at least the values `openid` and `udap`. ), @@ -61,7 +61,7 @@ class ScopesAndIdentityProviderInteractionAttestationTest < Inferno::Test optional: true input :idp_authentication_compliance, - title: "Authenticates user as per OIDC Core and UDAP Tiered OAuth specifications", + title: 'Authenticates user as per OIDC Core and UDAP Tiered OAuth specifications', description: %( I attest that the Identity Provider authenticates the user according to the OIDC Core and UDAP Tiered OAuth specifications. ), 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb index a913616..eeb4eb3 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb @@ -11,7 +11,7 @@ class SoftwareStatementAndRegistrationAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@123' input :jti_reuse_compliance, - title: "Ensures that the `jti` claim in the JWT is not reused before the `exp` claim has passed", + title: 'Ensures that the `jti` claim in the JWT is not reused before the `exp` claim has passed', description: %( I attest that the client application ensures that the `jti` claim in the JWT is not reused in another software statement or authentication JWT before the time specified in the `exp` claim has passed. ), @@ -35,7 +35,7 @@ class SoftwareStatementAndRegistrationAttestationTest < Inferno::Test optional: true input :grant_types_empty_array_compliance, - title: "Interprets empty `grant_types` array as registration cancellation", + title: 'Interprets empty `grant_types` array as registration cancellation', description: %( I attest that the client application interprets a registration response containing an empty `grant_types` array as a confirmation that the registration for the `client_id` listed in the response has been cancelled by the Authorization Server. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb index 88039a8..cbcb7ab 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb 
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb @@ -11,7 +11,7 @@ class TokenRequestAuthenticationAttestationTest < Inferno::Test 'openid.connect.core@280' input :token_request_authentication_correctly, - title: "Authenticates correctly when making token requests", + title: 'Authenticates correctly when making token requests', description: %( I attest that the client application authenticates correctly when making token requests by: - Including the `client_id` parameter in the token request if the client is not authenticating with the authorization server. @@ -38,7 +38,7 @@ class TokenRequestAuthenticationAttestationTest < Inferno::Test run do assert token_request_authentication_correctly == 'true', - 'Client application did not demonstrate correct authentication during token requests.' + 'Client application did not demonstrate correct authentication during token requests.' pass token_request_authentication_correctly_note if token_request_authentication_correctly_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb index 197dfc1..2a1c5df 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb 
@@ -8,7 +8,7 @@ class TrustCommunityAndQueryParametersAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@61' input :community_query_parameter_compliance, - title: "Complies with Trust Community and Query Parameter", + title: 'Complies with Trust Community and Query Parameter', description: %( I attest that the client application ensures the value of the `community` query parameter is a valid URI as determined by the trust community. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb index 74bee82..704f94e 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb @@ -11,7 +11,7 @@ class ValidationAndConfidentialityAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@286' input :state_parameter_validation, - title: "Complies with Validation and Confidentiality", + title: 'Complies with Validation and Confidentiality', description: %( I attest that the client application validates the `state` parameter returned by the Resource Holder in response to an authorization request to ensure it matches the value sent in the original request. ), @@ -35,7 +35,7 @@ class ValidationAndConfidentialityAttestationTest < Inferno::Test optional: true input :client_credentials_confidentiality, - title: "Ensures confidentiality of client passwords and credentials", + title: 'Ensures confidentiality of client passwords and credentials', description: %( I attest that the client application ensures confidentiality of client passwords and other client credentials by securely storing and transmitting them. ), 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb
index fdb9eaf..89c949d 100644
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb
@@ -36,4 +36,4 @@ class ClientAttestationGroup < Inferno::TestGroup
 test from: :udap_security_validation_confidentiality
 test from: :udap_security_trust_community_query_parameters
 end
-end
\ No newline at end of file
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group.rb
index 34c652e..61bcb51 100644
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group.rb
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group.rb
@@ -12,4 +12,4 @@ class AuthorizationCodeTokenRequestsAttestationGroup < Inferno::TestGroup
 test from: :udap_security_access_token_request_validation
 test from: :udap_security_access_token_lifetime
 end
-end
\ No newline at end of file
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb
index b6d87aa..6cee4e5 100644
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb
@@ -8,7 +8,7 @@ class AccessTokenLifetimeAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@184' input :access_token_lifetime_correct, - title: "Authorization Code and Token Requests: Limits lifetime of access tokens to no longer than 60 minutes", + title: 'Authorization Code and Token Requests: Limits lifetime of access tokens to no longer than 60 minutes', description: %( I attest that the Authorization Server issues access tokens with a lifetime no longer than 60 minutes for all successful token requests. ), @@ -33,7 +33,7 @@ class AccessTokenLifetimeAttestationTest < Inferno::Test run do assert access_token_lifetime_correct == 'true', - 'Authorization Server did not issue access tokens with a lifetime no longer than 60 minutes.' + 'Authorization Server did not issue access tokens with a lifetime no longer than 60 minutes.' pass access_token_lifetime_note if access_token_lifetime_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb index 2e9c7fc..bc8174b 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb 
@@ -15,7 +15,7 @@ class AccessTokenRequestValidationAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@150' input :access_token_request_validation_correct, - title: "Authorization Code and Token Requests: Validates access token requests correctly", + title: 'Authorization Code and Token Requests: Validates access token requests correctly', description: %( I attest that the Authorization Server validates access token requests by: - Requiring client authentication for confidential clients or clients issued credentials. @@ -44,7 +44,7 @@ class AccessTokenRequestValidationAttestationTest < Inferno::Test run do assert access_token_request_validation_correct == 'true', - 'Authorization Server did not validate access token requests correctly.' + 'Authorization Server did not validate access token requests correctly.' pass access_token_request_validation_note if access_token_request_validation_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb index 0d8d313..5196f4a 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb 
@@ -11,7 +11,7 @@ class AuthorizationCodeUsageAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@137' input :authorization_code_usage_correct, - title: "Authorization Code and Token Requests: Ensures Authorization Code is used correctly", + title: 'Authorization Code and Token Requests: Ensures Authorization Code is used correctly', description: %( I attest that the Authorization Server ensures: - Authorization codes are not used more than once. @@ -38,7 +38,7 @@ class AuthorizationCodeUsageAttestationTest < Inferno::Test run do assert authorization_code_usage_correct == 'true', - 'Authorization Server did not ensure correct usage of authorization codes.' + 'Authorization Server did not ensure correct usage of authorization codes.' pass authorization_code_usage_note if authorization_code_usage_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group.rb index 8a92d63..58507f2 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group.rb @@ -12,4 +12,4 @@ class DynamicClientRegistrationAttestationGroup < Inferno::TestGroup test from: :udap_security_certification_handling test from: :udap_security_client_id_modification end -end \ No newline at end of file +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb index bd49beb..75f78aa 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb 
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb @@ -11,7 +11,7 @@ class CertificationHandlingAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@118' input :certification_handling_correct, - title: "Dynamic Client Registration: Handles certifications correctly", + title: 'Dynamic Client Registration: Handles certifications correctly', description: %( I attest that the Authorization Server handles certifications correctly: - Ignores unsupported or unrecognized certifications. @@ -38,7 +38,7 @@ class CertificationHandlingAttestationTest < Inferno::Test run do assert certification_handling_correct == 'true', - 'Authorization Server did not handle certifications correctly.' + 'Authorization Server did not handle certifications correctly.' pass certification_handling_note if certification_handling_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb index 015dfe3..a23a388 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb 
@@ -8,7 +8,7 @@ class ClientIDModificationAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@121' input :client_id_modification_correct, - title: "Dynamic Client Registration: Handles client ID modification correctly", + title: 'Dynamic Client Registration: Handles client ID modification correctly', description: %( I attest that the Authorization Server cancels the registration for the previous `client_id` if it returns a different `client_id` in response to a registration modification request. ), @@ -33,7 +33,7 @@ class ClientIDModificationAttestationTest < Inferno::Test run do assert client_id_modification_correct == 'true', - 'Authorization Server did not handle client ID modification correctly.' + 'Authorization Server did not handle client ID modification correctly.' pass client_id_modification_note if client_id_modification_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb index 2c22c89..66af96d 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb 
@@ -13,7 +13,7 @@ class DynamicClientRegistrationValidationAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@109' input :dynamic_client_registration_validation_correct, - title: "Dynamic Client Registration: Validates requests correctly", + title: 'Dynamic Client Registration: Validates requests correctly', description: %( I attest that the Authorization Server validates dynamic client registration requests by: - Ensuring the `sub` value matches the `iss` value. @@ -41,7 +41,7 @@ class DynamicClientRegistrationValidationAttestationTest < Inferno::Test run do assert dynamic_client_registration_validation_correct == 'true', - 'Authorization Server did not validate dynamic client registration requests correctly.' + 'Authorization Server did not validate dynamic client registration requests correctly.' pass dynamic_client_registration_validation_note if dynamic_client_registration_validation_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group.rb index 0a5a5d0..76d3732 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group.rb @@ -16,4 +16,4 @@ class ErrorHandlingAttestationGroup < Inferno::TestGroup test from: :udap_security_unauthenticated_user_error test from: :udap_security_valid_state_error_response end -end \ No newline at end of file +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb index e69b281..f6bc04d 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb 
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb @@ -8,7 +8,7 @@ class InvalidIDTokenErrorAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@291' input :invalid_id_token_error_handling_correct, - title: "Error Handling: Handles invalid ID token error correctly", + title: 'Error Handling: Handles invalid ID token error correctly', description: %( I attest that the Data Holder either returns an `invalid_idp` error code or attempts alternate authentication when the IdP does not return an ID Token or validation fails. ), @@ -33,7 +33,7 @@ class InvalidIDTokenErrorAttestationTest < Inferno::Test run do assert invalid_id_token_error_handling_correct == 'true', - 'Data Holder does not return an `invalid_idp` error code or attempt alternate authentication when the IdP does not return an ID Token or validation fails.' + 'Data Holder does not return an `invalid_idp` error code or attempt alternate authentication when the IdP does not return an ID Token or validation fails.' pass invalid_id_token_error_handling_note if invalid_id_token_error_handling_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb index 77fd508..20987a4 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb 
@@ -8,7 +8,7 @@ class InvalidRedirectionURIAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@242' input :invalid_redirection_uri_handling_correct, - title: "Error Handling: Handles Invalid redirection URI correctly", + title: 'Error Handling: Handles Invalid redirection URI correctly', description: %( I attest that the Authorization Server does NOT redirect the user-agent to an invalid redirection URI when the request fails due to a missing or invalid redirection URI. ), @@ -33,7 +33,7 @@ class InvalidRedirectionURIAttestationTest < Inferno::Test run do assert invalid_redirection_uri_handling_correct == 'true', - 'Authorization Server redirects the user-agent to an invalid redirection URI when the request fails due to a missing or invalid URI.' + 'Authorization Server redirects the user-agent to an invalid redirection URI when the request fails due to a missing or invalid URI.' pass invalid_redirection_uri_handling_note if invalid_redirection_uri_handling_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb index 1975bd4..83fcef7 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb 
@@ -8,7 +8,7 @@ class StateMismatchErrorAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@271' input :state_mismatch_error_handling_correct, - title: "Error Handling: State mismatch error is handled correctly", + title: 'Error Handling: State mismatch error is handled correctly', description: %( I attest that the Resource Holder terminates the workflow and redirects with a `server_error` when the `state` parameter does NOT match. ), @@ -33,7 +33,7 @@ class StateMismatchErrorAttestationTest < Inferno::Test run do assert state_mismatch_error_handling_correct == 'true', - 'Resource Holder does not terminate the workflow or redirect with a `server_error` when the `state` parameter does NOT match.' + 'Resource Holder does not terminate the workflow or redirect with a `server_error` when the `state` parameter does NOT match.' pass state_mismatch_error_handling_note if state_mismatch_error_handling_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb index 60fbe20..1a153e3 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb @@ -8,7 +8,7 @@ class UnauthenticatedUserErrorAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@296' input :unauthenticated_user_error_handling_correct, - title: "Error Handling: Handles unauthenticated user error correctly", + title: 'Error Handling: Handles unauthenticated user error correctly', description: %( I attest that the Data Holder returns an `access_denied` error response when it cannot resolve the authenticated user. ), 
@@ -33,7 +33,7 @@ class UnauthenticatedUserErrorAttestationTest < Inferno::Test run do assert unauthenticated_user_error_handling_correct == 'true', - 'Data Holder does not return an `access_denied` error response when it cannot resolve the authenticated user.' + 'Data Holder does not return an `access_denied` error response when it cannot resolve the authenticated user.' pass unauthenticated_user_error_handling_note if unauthenticated_user_error_handling_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb index 7231d1d..eacda3f 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb @@ -8,7 +8,7 @@ class ValidStateErrorResponseAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@273' input :valid_state_error_response_handling_correct, - title: "Error Handling: Handles valid state error correctly", + title: 'Error Handling: Handles valid state error correctly', description: %( I attest that the Resource Holder redirects with an `access_denied` error code when the `state` value is valid on an error response. ), 
@@ -33,7 +33,7 @@ class ValidStateErrorResponseAttestationTest < Inferno::Test run do assert valid_state_error_response_handling_correct == 'true', - 'Resource Holder does not redirect with an `access_denied` error code when the `state` value is valid on an error response.' + 'Resource Holder does not redirect with an `access_denied` error code when the `state` value is valid on an error response.' pass valid_state_error_response_handling_note if valid_state_error_response_handling_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group.rb index aafe544..32616d9 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group.rb @@ -2,8 +2,6 @@ require_relative 'id_token_access_token_validation_group/access_token_validation_test' require_relative 'id_token_access_token_validation_group/token_response_validation_test' - - module UDAPSecurityTestKit class IDTokenAccessTokenValidationAttestationGroup < Inferno::TestGroup id :udap_server_v100_id_token_access_token_validation_group @@ -13,6 +11,5 @@ class IDTokenAccessTokenValidationAttestationGroup < Inferno::TestGroup test from: :udap_security_id_token_validation test from: :udap_security_access_token_validation test from: :udap_security_token_response_validation - end -end \ No newline at end of file +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb index 08d2c50..0fc12dd 100644 
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb @@ -11,7 +11,7 @@ class AccessTokenValidationAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@290' input :access_token_validation_correct, - title: "ID Token and Access Token Validation: Validates access token correctly", + title: 'ID Token and Access Token Validation: Validates access token correctly', description: %( I attest that the Data Holder validates the Access Token as per the Access Token validation rules, including: - Verifying the token's integrity. @@ -38,7 +38,7 @@ class AccessTokenValidationAttestationTest < Inferno::Test run do assert access_token_validation_correct == 'true', - 'Access Token validation is not implemented correctly as per the Access Token validation rules.' + 'Access Token validation is not implemented correctly as per the Access Token validation rules.' pass access_token_validation_note if access_token_validation_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb index 37f1355..4c2705c 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb 
@@ -11,7 +11,7 @@ class IDTokenValidationAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@289' input :id_token_validation_correct, - title: "ID Token and Access Token Validation: ID Token is validated correctly", + title: 'ID Token and Access Token Validation: ID Token is validated correctly', description: %( I attest that the Data Holder validates the ID Token as per OIDC Core specifications, including: - Verifying the token's signature. @@ -38,7 +38,7 @@ class IDTokenValidationAttestationTest < Inferno::Test run do assert id_token_validation_correct == 'true', - 'ID Token validation is not implemented correctly as per OIDC Core specifications.' + 'ID Token validation is not implemented correctly as per OIDC Core specifications.' pass id_token_validation_note if id_token_validation_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb index 4df3ec5..4181bdb 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb @@ -12,7 +12,7 @@ class TokenResponseValidationAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@285' input :token_response_validation_correct, - title: "ID Token and Access Token Validation: Validates token response correctly", + title: 'ID Token and Access Token Validation: Validates token response correctly', description: %( I attest that the Client validates the Token Response as per RFC 6749 and OIDC Core specifications, including: - Ensuring the presence of `access_token` and `token_type` parameters. 
@@ -39,7 +39,7 @@ class TokenResponseValidationAttestationTest < Inferno::Test run do assert token_response_validation_correct == 'true', - 'Token Response validation is not implemented correctly as per RFC 6749 and OIDC Core specifications.' + 'Token Response validation is not implemented correctly as per RFC 6749 and OIDC Core specifications.' pass token_response_validation_note if token_response_validation_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group.rb index ff12dd6..a53e720 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group.rb @@ -14,4 +14,4 @@ class IdentityProviderInteractionAttestationGroup < Inferno::TestGroup test from: :udap_security_idp_authentication_request test from: :udap_security_idp_token_exchange end -end \ No newline at end of file +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb index 1abb417..f9907f2 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb 
@@ -8,7 +8,7 @@ class IdPAuthenticationRequestAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@245' input :idp_authentication_request_correct, - title: "Interaction with Identity Providers (IdPs): Performs Authentication request to the IdP’s authorization endpoint", + title: 'Interaction with Identity Providers (IdPs): Performs Authentication request to the IdP’s authorization endpoint', description: %( I attest that the Data Holder makes an authentication request to the IdP’s authorization endpoint when the IdP is trusted. ), @@ -33,7 +33,7 @@ class IdPAuthenticationRequestAttestationTest < Inferno::Test run do assert idp_authentication_request_correct == 'true', - 'Data Holder does not make an authentication request to the IdP’s authorization endpoint when the IdP is trusted.' + 'Data Holder does not make an authentication request to the IdP’s authorization endpoint when the IdP is trusted.' pass idp_authentication_request_note if idp_authentication_request_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb index d3429ff..b24f42f 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb 
@@ -10,7 +10,7 @@ class IdPDynamicRegistrationAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@239' input :idp_dynamic_registration_correct, - title: "Interaction with Identity Providers (IdPs): Performs IdP dynamic registration if supported", + title: 'Interaction with Identity Providers (IdPs): Performs IdP dynamic registration if supported', description: %( I attest that the Data Holder registers as a client with the IdP if: - The IdP is trusted. @@ -37,7 +37,7 @@ class IdPDynamicRegistrationAttestationTest < Inferno::Test run do assert idp_dynamic_registration_correct == 'true', - 'Data Holder does not register as a client with the IdP when it is trusted and supports UDAP Dynamic Registration.' + 'Data Holder does not register as a client with the IdP when it is trusted and supports UDAP Dynamic Registration.' pass idp_dynamic_registration_note if idp_dynamic_registration_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb index 364f503..f6d2eff 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb 
@@ -10,7 +10,7 @@ class IdPMetadataValidationAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@238' input :idp_metadata_validation_correct, - title: "Interaction with Identity Providers (IdPs): Validates IdP metadata to determine trust", + title: 'Interaction with Identity Providers (IdPs): Validates IdP metadata to determine trust', description: %( I attest that the Data Holder validates the IdP’s UDAP metadata to determine trustworthiness, including: - Verifying the authenticity of the metadata. @@ -37,7 +37,7 @@ class IdPMetadataValidationAttestationTest < Inferno::Test run do assert idp_metadata_validation_correct == 'true', - 'Data Holder does not validate the IdP’s UDAP metadata to determine trustworthiness.' + 'Data Holder does not validate the IdP’s UDAP metadata to determine trustworthiness.' pass idp_metadata_validation_note if idp_metadata_validation_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb index fa24c1d..bc9a70b 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb 
@@ -8,7 +8,7 @@ class IdPTokenExchangeAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@279' input :idp_token_exchange_correct, - title: "Interaction with Identity Providers (IdPs): Exchanges code for tokens after successful authentication response", + title: 'Interaction with Identity Providers (IdPs): Exchanges code for tokens after successful authentication response', description: %( I attest that the Data Holder exchanges the authorization code for tokens after receiving a successful authentication response from the IdP. ), @@ -33,7 +33,7 @@ class IdPTokenExchangeAttestationTest < Inferno::Test run do assert idp_token_exchange_correct == 'true', - 'Data Holder does not exchange the authorization code for tokens after receiving a successful authentication response from the IdP.' + 'Data Holder does not exchange the authorization code for tokens after receiving a successful authentication response from the IdP.' pass idp_token_exchange_note if idp_token_exchange_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group.rb index 83cfd38..99281fd 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group.rb @@ -16,4 +16,4 @@ class MetadataServerCapabilitiesAttestationGroup < Inferno::TestGroup test from: :udap_security_metadata_representation test from: :udap_security_profiles_supported end -end \ No newline at end of file +end 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb index ef7450f..9245557 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb @@ -8,7 +8,7 @@ class UDAPAuthorizationExtensionsRequiredAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@32' input :udap_authorization_extensions_required_correct, - title: "UDAP Metadata and Server Capabilities: Includes required authorization extensions", + title: 'UDAP Metadata and Server Capabilities: Includes required authorization extensions', description: %( I attest that the server's UDAP metadata includes the `udap_authorization_extensions_required` list with `["hl7-b2b"]` if the Authorization Server requires the B2B Authorization Extension Object. ), @@ -33,7 +33,7 @@ class UDAPAuthorizationExtensionsRequiredAttestationTest < Inferno::Test run do assert udap_authorization_extensions_required_correct == 'true', - 'Server metadata does not include the `udap_authorization_extensions_required` list with `["hl7-b2b"]` when required.' + 'Server metadata does not include the `udap_authorization_extensions_required` list with `["hl7-b2b"]` when required.' pass udap_authorization_extensions_required_note if udap_authorization_extensions_required_note.present? end end 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb index d5d1cd3..8517611 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb @@ -8,7 +8,7 @@ class CommunityParameterSupportAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@62' input :community_parameter_support_correct, - title: "UDAP Metadata and Server Capabilities: Supports community parameter correctly", + title: 'UDAP Metadata and Server Capabilities: Supports community parameter correctly', description: %( I attest that the server supports the `community` parameter correctly by selecting a certificate intended for use within the identified trust community when generating the signed JWT for the `signed_metadata` element. ), @@ -33,7 +33,7 @@ class CommunityParameterSupportAttestationTest < Inferno::Test run do assert community_parameter_support_correct == 'true', - 'Server does not correctly support the `community` parameter when generating the signed JWT for the `signed_metadata` element.' + 'Server does not correctly support the `community` parameter when generating the signed JWT for the `signed_metadata` element.' pass community_parameter_support_note if community_parameter_support_note.present? end end 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb index e64b646..c7e418f 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb @@ -8,7 +8,7 @@ class UDAPMetadataEndpointErrorHandlingAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@19' input :udap_metadata_error_handling_correct, - title: "UDAP Metadata and Server Capabilities: Handles unsupported workflows correctly", + title: 'UDAP Metadata and Server Capabilities: Handles unsupported workflows correctly', description: %( I attest that the server's UDAP metadata endpoint correctly handles unsupported workflows by returning a `404 Not Found` response when no UDAP workflows are supported. ), @@ -33,7 +33,7 @@ class UDAPMetadataEndpointErrorHandlingAttestationTest < Inferno::Test run do assert udap_metadata_error_handling_correct == 'true', - 'Server metadata endpoint did not correctly handle unsupported workflows by returning a `404 Not Found` response.' + 'Server metadata endpoint did not correctly handle unsupported workflows by returning a `404 Not Found` response.' pass udap_metadata_error_handling_note if udap_metadata_error_handling_note.present? end end 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb index cb19b5a..86a1f85 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb @@ -8,7 +8,7 @@ class UDAPMetadataRepresentationAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@18' input :udap_metadata_representation_correct, - title: "UDAP Metadata and Server Capabilities: Represents server capabilities correctly", + title: 'UDAP Metadata and Server Capabilities: Represents server capabilities correctly', description: %( I attest that the server's UDAP metadata endpoint correctly represents the server’s capabilities with respect to the UDAP workflows described in the guide. ), @@ -33,7 +33,7 @@ class UDAPMetadataRepresentationAttestationTest < Inferno::Test run do assert udap_metadata_representation_correct == 'true', - 'Server metadata does not correctly represent the server’s capabilities with respect to UDAP workflows.' + 'Server metadata does not correctly represent the server’s capabilities with respect to UDAP workflows.' pass udap_metadata_representation_note if udap_metadata_representation_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb index 9e29add..b32a561 100644 
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb @@ -8,7 +8,7 @@ class UDAPProfilesSupportedAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@27' input :udap_profiles_supported_correct, - title: "UDAP Metadata and Server Capabilities: Includes supported profiles", + title: 'UDAP Metadata and Server Capabilities: Includes supported profiles', description: %( I attest that the server's UDAP metadata includes the `udap_profiles_supported` element with `udap_to` if the server supports the user authentication workflow described in Section 6. ), @@ -33,7 +33,7 @@ class UDAPProfilesSupportedAttestationTest < Inferno::Test run do assert udap_profiles_supported_correct == 'true', - 'Server metadata does not include the `udap_profiles_supported` element with `udap_to` for UDAP Tiered OAuth for User Authentication.' + 'Server metadata does not include the `udap_profiles_supported` element with `udap_to` for UDAP Tiered OAuth for User Authentication.' pass udap_profiles_supported_note if udap_profiles_supported_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group.rb index 89dcbc8..0b1bf13 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group.rb 
@@ -10,4 +10,4 @@ class OpenIDConnectAuthenticationRequestsAttestationGroup < Inferno::TestGroup test from: :oidc_auth_request_construction test from: :udap_security_access_token_request_validation end -end \ No newline at end of file +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb index 62a8d02..d8db54b 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb @@ -17,7 +17,7 @@ class AuthenticationRequestConstructionAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@251' input :auth_request_construction_correct, - title: "OpenID Connect Authentication Requests: Complies with OpenID Connect requirements", + title: 'OpenID Connect Authentication Requests: Complies with OpenID Connect requirements', description: %( I attest that the Authorization Server complies with OpenID Connect requirements and ensures: - HTTP GET and POST methods are supported at the Authorization Endpoint. @@ -46,7 +46,7 @@ class AuthenticationRequestConstructionAttestationTest < Inferno::Test run do assert auth_request_construction_correct == 'true', - 'Authentication Request Construction does not comply with OpenID Connect requirements.' + 'Authentication Request Construction does not comply with OpenID Connect requirements.' pass auth_request_construction_note if auth_request_construction_note.present? end end 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb index 60f9d6b..b03a413 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb @@ -23,7 +23,7 @@ class AuthenticationRequestValidationAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@269' input :auth_request_validation_correct, - title: "OpenID Connect Authentication Requests: Complies with OpenID Connect requirements in validation", + title: 'OpenID Connect Authentication Requests: Complies with OpenID Connect requirements in validation', description: %( I attest that the Authorization Server complies with OpenID Connect requirements and ensures: - Validation of all OAuth 2.0 parameters. @@ -53,7 +53,7 @@ class AuthenticationRequestValidationAttestationTest < Inferno::Test run do assert auth_request_validation_correct == 'true', - 'Authentication Request Validation does not comply with OpenID Connect requirements.' + 'Authentication Request Validation does not comply with OpenID Connect requirements.' pass auth_request_validation_note if auth_request_validation_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group.rb index 91dda3c..bb2a2c5 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group.rb 
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group.rb @@ -10,4 +10,4 @@ class SecurityMeasuresAttestationGroup < Inferno::TestGroup test from: :udap_security_csrf_protection test from: :udap_security_unauthenticated_clients end -end \ No newline at end of file +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb index bb1c1b9..77beff4 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb @@ -10,7 +10,7 @@ class CSRFProtectionAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@278' input :csrf_protection_implemented, - title: "Security Measures: Implements CSRF protection for the authorization endpoint", + title: 'Security Measures: Implements CSRF protection for the authorization endpoint', description: %( I attest that the Authorization Server implements CSRF protection for its authorization endpoint, including mechanisms such as: - Use of anti-CSRF tokens. @@ -37,7 +37,7 @@ class CSRFProtectionAttestationTest < Inferno::Test run do assert csrf_protection_implemented == 'true', - 'Authorization Server does not implement CSRF protection for its authorization endpoint.' + 'Authorization Server does not implement CSRF protection for its authorization endpoint.' pass csrf_protection_note if csrf_protection_note.present? end end 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb index d313b0b..263a4ad 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb @@ -10,7 +10,7 @@ class UnauthenticatedClientSecurityAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@288' input :unauthenticated_client_security_measures, - title: "Security Measures: Considers security measures for unauthenticated clients", + title: 'Security Measures: Considers security measures for unauthenticated clients', description: %( I attest that the Authorization Server considers security implications when interacting with unauthenticated clients, including: - Restricting access to sensitive endpoints. @@ -37,7 +37,7 @@ class UnauthenticatedClientSecurityAttestationTest < Inferno::Test run do assert unauthenticated_client_security_measures == 'true', - 'Authorization Server does not consider security implications when interacting with unauthenticated clients.' + 'Authorization Server does not consider security implications when interacting with unauthenticated clients.' pass unauthenticated_client_security_note if unauthenticated_client_security_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group.rb index 3799eee..2877475 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group.rb 
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group.rb @@ -7,7 +7,6 @@ require_relative 'server/security_measures_group' require_relative 'server/identity_provider_interaction_group' - module UDAPSecurityTestKit class ServerAttestationGroup < Inferno::TestGroup id :udap_server_v100_visual_inspection_and_attestation @@ -26,4 +25,4 @@ class ServerAttestationGroup < Inferno::TestGroup group from: :udap_server_v100_security_measures_group group from: :udap_server_v100_identity_provider_interaction_group end -end \ No newline at end of file +end From feda649fc9f945363b63763230f8c2935b51c96b Mon Sep 17 00:00:00 2001 
From: Christine Duong Date: Thu, 10 Jul 2025 02:53:41 -0400 Subject: [PATCH 06/13] Line lengths --- .../b2b_authorization_extension_object_test.rb | 15 ++++++++++----- .../client_security_csrf_protection_test.rb | 15 ++++++++++----- .../client/idp_supports_required_scopes_test.rb | 6 ++++-- .../client/jti_reuse_prevention_test.rb | 6 ++++-- .../client/metadata_interpretation_test.rb | 6 ++++-- .../client/private_key_authentication_test.rb | 6 ++++-- .../scopes_identity_provider_interaction_test.rb | 15 ++++++++++----- .../software_statement_registration_test.rb | 13 +++++++++---- .../client/token_request_authentication_test.rb | 12 ++++++++---- .../trust_community_query_parameters_test.rb | 9 ++++++--- .../client/validation_confidentiality_test.rb | 12 ++++++++---- .../access_token_lifetime_test.rb | 6 ++++-- .../client_id_modification_test.rb | 6 ++++-- .../error_handling_group/invalid_id_token_test.rb | 9 ++++++--- .../invalid_redirection_uri_test.rb | 9 ++++++--- .../error_handling_group/state_mismatch_test.rb | 9 ++++++--- .../unauthenticated_user_test.rb | 6 ++++-- .../valid_state_error_response_test.rb | 9 ++++++--- .../access_token_validation_test.rb | 6 ++++-- .../token_response_validation_test.rb | 3 ++- .../idp_authentication_request_test.rb | 11 ++++++++--- .../idp_dynamic_registration_test.rb | 3 ++- .../idp_token_exchange_test.rb | 14 ++++++++++---- ...udap_authorization_extensions_required_test.rb | 9 ++++++--- .../udap_community_parameter_support_test.rb | 10 +++++++--- .../udap_metadata_endpoint_error_handling_test.rb | 9 ++++++--- .../udap_metadata_representation_test.rb | 6 ++++-- .../udap_profiles_supported_test.rb | 9 ++++++--- .../csrf_protection_test.rb | 3 ++- .../unauthenticated_client_security_test.rb | 9 ++++++--- 30 files changed, 176 insertions(+), 85 deletions(-) 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb index 4bf7d1c..dcf41a1 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb @@ -22,7 +22,8 @@ class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test input :subject_name_compliance, title: 'Includes `subject_name` if known', description: %( - I attest that the client application includes the `subject_name` parameter if it is known for human or non-human requestors. + I attest that the client application includes the `subject_name` parameter if it is known for human + or non-human requestors. ), type: 'radio', default: 'false', @@ -46,7 +47,8 @@ class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test input :subject_id_compliance, title: 'Includes `subject_id` for human requestors when `subject_name` is present', description: %( - I attest that the client application includes the `subject_id` parameter for human requestors when the `subject_name` parameter is present. + I attest that the client application includes the `subject_id` parameter for human requestors when the + `subject_name` parameter is present. ), type: 'radio', default: 'false', 
@@ -70,7 +72,8 @@ class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test input :subject_id_npi_compliance, title: 'Uses NPI for `subject_id` in US Realm human requestors', description: %( - I attest that the client application uses the National Provider Identifier (NPI) as the value for `subject_id` for human requestors in the US Realm. + I attest that the client application uses the National Provider Identifier (NPI) as the value for + `subject_id` for human requestors in the US Realm. ), type: 'radio', default: 'false', @@ -94,7 +97,8 @@ class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test input :consent_reference_compliance, title: 'Ensures `consent_reference` URLs are resolvable', description: %( - I attest that the client application ensures that the `consent_reference` parameter includes URLs that are resolvable by the receiving party and omits `consent_reference` if `consent_policy` is not present. + I attest that the client application ensures that the `consent_reference` parameter includes URLs that + are resolvable by the receiving party and omits `consent_reference` if `consent_policy` is not present. ), type: 'radio', default: 'false', @@ -129,7 +133,8 @@ class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test pass subject_id_npi_compliance_note if subject_id_npi_compliance_note.present? assert consent_reference_compliance == 'true', - 'Client application did not ensure `consent_reference` URLs were resolvable or omitted `consent_reference` when `consent_policy` was not present.' + 'Client application did not ensure `consent_reference` URLs were resolvable or omitted `consent_reference` + when `consent_policy` was not present.' pass consent_reference_compliance_note if consent_reference_compliance_note.present? end end 
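Review bot: In the `@@ -129,7 +133,8 @@` hunk the wrapped failure message is a single-quoted literal broken across two lines, so the string now contains a literal newline followed by the indentation of the continuation line; the `%(...)` descriptions tolerate this because they are free text, but an assertion message is a runtime value and the commit has changed it rather than merely reflowed it. The same wrapping of a single-quoted assert message appears in the client_security_csrf_protection_test.rb hunk at `@@ -94,7 +98,8 @@` and the scopes_identity_provider_interaction_test.rb hunk at `@@ -86,7 +90,8 @@`. If these messages are rendered as markdown the soft break is mostly harmless, but the cleaner way to stay within the line limit without altering the string is adjacent-literal concatenation with a line continuation: `'Client application did not ensure \`consent_reference\` URLs were resolvable or omitted ' \` followed by `'\`consent_reference\` when \`consent_policy\` was not present.'`. The enclosing `run do` block begins before this hunk.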
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb index a8e73fe..717fc54 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb @@ -6,7 +6,8 @@ class ClientSecurityAndCSRFProtectionAttestationTest < Inferno::Test Client applications complies with the requirements for Client Security and CSRF Protection: - Implements CSRF protection for its redirection URI. - Uses a binding value for CSRF protection that contains a non-guessable value. - - Ensures the user-agent's authenticated state is accessible only to the client and user-agent, protected by the same-origin policy. + - Ensures the user-agent's authenticated state is accessible only to the client and user-agent, protected by + the same-origin policy. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@275', 'hl7.fhir.us.udap-security_1.0.0@276', @@ -15,7 +16,8 @@ class ClientSecurityAndCSRFProtectionAttestationTest < Inferno::Test input :csrf_protection_implementation, title: 'Implements CSRF protection for its redirection URI', description: %( - I attest that the client application implements CSRF protection for its redirection URI to prevent cross-site request forgery attacks. + I attest that the client application implements CSRF protection for its redirection URI to prevent + cross-site request forgery attacks. ), type: 'radio', default: 'false', 
@@ -39,7 +41,8 @@ class ClientSecurityAndCSRFProtectionAttestationTest < Inferno::Test input :csrf_binding_value_compliance, title: 'Uses a non-guessable binding value for CSRF protection', description: %( - I attest that the client application uses a binding value for CSRF protection that contains a non-guessable value to ensure security. + I attest that the client application uses a binding value for CSRF protection that contains a non-guessable + value to ensure security. ), type: 'radio', default: 'false', @@ -63,7 +66,8 @@ class ClientSecurityAndCSRFProtectionAttestationTest < Inferno::Test input :authenticated_state_protection, title: 'Ensures authenticated state is protected by same-origin policy', description: %( - I attest that the client application ensures the user-agent's authenticated state is stored in a location accessible only to the client and user-agent, protected by the same-origin policy. + I attest that the client application ensures the user-agent's authenticated state is stored in a location + accessible only to the client and user-agent, protected by the same-origin policy. ), type: 'radio', default: 'false', @@ -94,7 +98,8 @@ class ClientSecurityAndCSRFProtectionAttestationTest < Inferno::Test pass csrf_binding_value_compliance_note if csrf_binding_value_compliance_note.present? assert authenticated_state_protection == 'true', - 'Client application did not ensure the user-agent\'s authenticated state is protected by the same-origin policy.' + 'Client application did not ensure the user-agent\'s authenticated state is protected by the same-origin + policy.' pass authenticated_state_protection_note if authenticated_state_protection_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb index f4210c8..37663de 100644 
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb @@ -3,14 +3,16 @@ class IdPSupportsRequiredScopesAttestationTest < Inferno::Test title 'Supports required scopes in IdPs' id :udap_security_idp_supports_scopes description %( - Identity Provider (IdP) includes `"openid"` and `"udap"` in the array of scopes returned for the `scopes_supported` parameter. + Identity Provider (IdP) includes `"openid"` and `"udap"` in the array of scopes returned + for the `scopes_supported` parameter. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@235' input :idp_supports_required_scopes, title: 'Supports required scopes', description: %( - I attest that the Identity Provider (IdP) includes `"openid"` and `"udap"` in the array of scopes returned for the `scopes_supported` parameter. + I attest that the Identity Provider (IdP) includes `"openid"` and `"udap"` in the array of scopes returned + for the `scopes_supported` parameter. ), type: 'radio', default: 'false', diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb index 427efb5..a0499c1 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb 
@@ -4,7 +4,8 @@ class JTIReusePreventionAttestationTest < Inferno::Test id :udap_security_jti_reuse_prevention description %( Client application prevents reuse of JTI values in authentication tokens by: - - Ensuring the `jti` parameter is not reused in another authentication JWT before the time specified in the `exp` claim has passed. + - Ensuring the `jti` parameter is not reused in another authentication JWT before the time specified + in the `exp` claim has passed. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@159' @@ -12,7 +13,8 @@ class JTIReusePreventionAttestationTest < Inferno::Test title: 'Prevents reuse of JTI values in authentication tokens', description: %( I attest that the client application prevents reuse of JTI values in authentication tokens by: - - Ensuring the `jti` parameter is not reused in another authentication JWT before the time specified in the `exp` claim has passed. + - Ensuring the `jti` parameter is not reused in another authentication JWT before the time specified + in the `exp` claim has passed. ), type: 'radio', default: 'false', diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb index 8790e63..b5fdb21 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb 
@@ -4,7 +4,8 @@ class MetadataInterpretationAttestationTest < Inferno::Test id :udap_security_metadata_interpretation description %( Client application interprets metadata correctly by: - - Interpreting an empty array value in metadata as indicating that the corresponding capability is NOT supported by the server. + - Interpreting an empty array value in metadata as indicating that the corresponding capability is + NOT supported by the server. - Using applicable values returned in a server’s UDAP metadata for workflows defined in this guide. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@20', @@ -14,7 +15,8 @@ class MetadataInterpretationAttestationTest < Inferno::Test title: 'Interprets metadata correctly', description: %( I attest that the client application interprets metadata correctly by: - - Interpreting an empty array value in metadata as indicating that the corresponding capability is NOT supported by the server. + - Interpreting an empty array value in metadata as indicating that the corresponding capability is + NOT supported by the server. - Using applicable values returned in a server’s UDAP metadata for workflows defined in this guide. ), type: 'radio', diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb index 1fbfe80..8a8068e 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb 
@@ -4,7 +4,8 @@ class PrivateKeyAuthenticationAttestationTest < Inferno::Test id :udap_security_private_key_authentication description %( Client application uses private key authentication correctly by: - - Omitting the HTTP Authorization header and client secret in token endpoint requests when authenticating with a private key and Authentication Token. + - Omitting the HTTP Authorization header and client secret in token endpoint requests when authenticating + with a private key and Authentication Token. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@164', 'hl7.fhir.us.udap-security_1.0.0@224' @@ -13,7 +14,8 @@ class PrivateKeyAuthenticationAttestationTest < Inferno::Test title: 'Uses private key authentication correctly', description: %( I attest that the client application uses private key authentication correctly by: - - Omitting the HTTP Authorization header and client secret in token endpoint requests when authenticating with a private key and Authentication Token. + - Omitting the HTTP Authorization header and client secret in token endpoint requests when authenticating + with a private key and Authentication Token. ), type: 'radio', default: 'false', diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb index 6444c12..bb3b4ea 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb 
@@ -4,7 +4,8 @@ class ScopesAndIdentityProviderInteractionAttestationTest < Inferno::Test id :udap_security_scopes_identity_provider_interaction description %( Client applications complies with the requirements for Scopes and Identity Provider Interaction: - - Client application includes `udap` in the list of scopes provided in the `scope` query parameter to indicate the preferred Identity Provider. + - Client application includes `udap` in the list of scopes provided in the `scope` query + parameter to indicate the preferred Identity Provider. - Client application authenticates the user according to the OIDC Core and UDAP Tiered OAuth specifications. - Identity Provider authenticates the user according to the OIDC Core and UDAP Tiered OAuth specifications. ) @@ -15,7 +16,8 @@ class ScopesAndIdentityProviderInteractionAttestationTest < Inferno::Test input :scope_includes_udap, title: 'Includes `udap` in the `scope` query parameter', description: %( - I attest that the client application includes `udap` in the list of scopes provided in the `scope` query parameter to indicate the preferred Identity Provider. + I attest that the client application includes `udap` in the list of scopes provided in the `scope` query + parameter to indicate the preferred Identity Provider. ), type: 'radio', default: 'false', @@ -39,7 +41,8 @@ class ScopesAndIdentityProviderInteractionAttestationTest < Inferno::Test input :scope_contains_openid_udap, title: 'Ensures `scope` query parameter contains `openid` and `udap`', description: %( - I attest that the client application ensures the `scope` query parameter of the authentication request contains at least the values `openid` and `udap`. + I attest that the client application ensures the `scope` query parameter of the authentication request + contains at least the values `openid` and `udap`. ), type: 'radio', default: 'false', 
@@ -63,7 +66,8 @@ class ScopesAndIdentityProviderInteractionAttestationTest < Inferno::Test input :idp_authentication_compliance, title: 'Authenticates user as per OIDC Core and UDAP Tiered OAuth specifications', description: %( - I attest that the Identity Provider authenticates the user according to the OIDC Core and UDAP Tiered OAuth specifications. + I attest that the Identity Provider authenticates the user according to the OIDC Core and UDAP Tiered + OAuth specifications. ), type: 'radio', default: 'false', @@ -86,7 +90,8 @@ class ScopesAndIdentityProviderInteractionAttestationTest < Inferno::Test run do assert scope_includes_udap == 'true', - 'Client application did not include `udap` in the `scope` query parameter to indicate the preferred Identity Provider.' + 'Client application did not include `udap` in the `scope` query parameter to indicate the preferred + Identity Provider.' pass scope_includes_udap_note if scope_includes_udap_note.present? assert scope_contains_openid_udap == 'true', diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb index eeb4eb3..fdedf73 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb 
@@ -4,8 +4,10 @@ class SoftwareStatementAndRegistrationAttestationTest < Inferno::Test id :udap_security_software_statement_registration description %( Client complies with the requirements for Software Statement and Registration: - - Ensures that the `jti` claim in the JWT is not reused in another software statement or authentication JWT before the time specified in the `exp` claim has passed. - - Interprets a registration response containing an empty `grant_types` array as a confirmation that the registration for the `client_id` listed in the response has been cancelled by the Authorization Server. + - Ensures that the `jti` claim in the JWT is not reused in another software statement or authentication JWT + before the time specified in the `exp` claim has passed. + - Interprets a registration response containing an empty `grant_types` array as a confirmation that the + registration for the `client_id` listed in the response has been cancelled by the Authorization Server. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@82', 'hl7.fhir.us.udap-security_1.0.0@123' @@ -13,7 +15,8 @@ class SoftwareStatementAndRegistrationAttestationTest < Inferno::Test input :jti_reuse_compliance, title: 'Ensures that the `jti` claim in the JWT is not reused before the `exp` claim has passed', description: %( - I attest that the client application ensures that the `jti` claim in the JWT is not reused in another software statement or authentication JWT before the time specified in the `exp` claim has passed. + I attest that the client application ensures that the `jti` claim in the JWT is not reused in another + software statement or authentication JWT before the time specified in the `exp` claim has passed. ), type: 'radio', default: 'false', 
@@ -37,7 +40,9 @@ class SoftwareStatementAndRegistrationAttestationTest < Inferno::Test input :grant_types_empty_array_compliance, title: 'Interprets empty `grant_types` array as registration cancellation', description: %( - I attest that the client application interprets a registration response containing an empty `grant_types` array as a confirmation that the registration for the `client_id` listed in the response has been cancelled by the Authorization Server. + I attest that the client application interprets a registration response containing an empty `grant_types` + array as a confirmation that the registration for the `client_id` listed in the response has been + cancelled by the Authorization Server. ), type: 'radio', default: 'false', diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb index cbcb7ab..5595964 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb 
@@ -4,8 +4,10 @@ class TokenRequestAuthenticationAttestationTest < Inferno::Test id :udap_security_token_request_authentication description %( Client application authenticates correctly when making token requests by: - - Including the `client_id` parameter in the token request if the client is not authenticating with the authorization server. - - Authenticating to the Token Endpoint using the method registered for its `client_id` if the client is a Confidential Client. + - Including the `client_id` parameter in the token request if the client is not authenticating with the + authorization server. + - Authenticating to the Token Endpoint using the method registered for its `client_id` if the client + is a Confidential Client. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@144', 'openid.connect.core@280' @@ -14,8 +16,10 @@ class TokenRequestAuthenticationAttestationTest < Inferno::Test title: 'Authenticates correctly when making token requests', description: %( I attest that the client application authenticates correctly when making token requests by: - - Including the `client_id` parameter in the token request if the client is not authenticating with the authorization server. - - Authenticating to the Token Endpoint using the method registered for its `client_id` if the client is a Confidential Client. + - Including the `client_id` parameter in the token request if the client is not authenticating + with the authorization server. + - Authenticating to the Token Endpoint using the method registered for its `client_id` if the client + is a Confidential Client. ), type: 'radio', default: 'false', diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb index 2a1c5df..c2ee37a 100644 
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb @@ -3,14 +3,16 @@ class TrustCommunityAndQueryParametersAttestationTest < Inferno::Test title 'Complies with Trust Community and Query Parameter' id :udap_security_trust_community_query_parameters description %( - Client application ensures the value of the `community` query parameter is a valid URI as determined by the trust community. + Client application ensures the value of the `community` query parameter is a valid URI as + determined by the trust community. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@61' input :community_query_parameter_compliance, title: 'Complies with Trust Community and Query Parameter', description: %( - I attest that the client application ensures the value of the `community` query parameter is a valid URI as determined by the trust community. + I attest that the client application ensures the value of the `community` query parameter is a valid URI + as determined by the trust community. ), type: 'radio', default: 'false', @@ -33,7 +35,8 @@ class TrustCommunityAndQueryParametersAttestationTest < Inferno::Test run do assert community_query_parameter_compliance == 'true', - 'Client application did not ensure the `community` query parameter value is a valid URI as determined by the trust community.' + 'Client application did not ensure the `community` query parameter value is a valid URI + as determined by the trust community.' pass community_query_parameter_compliance_note if community_query_parameter_compliance_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb index 704f94e..5a21b65 100644 
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb @@ -4,8 +4,10 @@ class ValidationAndConfidentialityAttestationTest < Inferno::Test id :udap_security_validation_confidentiality description %( Client applications complies with the requirements for Validation and Confidentiality: - - Validates the `state` parameter returned by the Resource Holder in response to an authorization request to ensure it matches the value sent in the original request. - - Ensures confidentiality of client passwords and other client credentials by securely storing and transmitting them. + - Validates the `state` parameter returned by the Resource Holder in response to an authorization request to + ensure it matches the value sent in the original request. + - Ensures confidentiality of client passwords and other client credentials by securely storing and + transmitting them. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@274', 'hl7.fhir.us.udap-security_1.0.0@286' @@ -13,7 +15,8 @@ class ValidationAndConfidentialityAttestationTest < Inferno::Test input :state_parameter_validation, title: 'Complies with Validation and Confidentiality', description: %( - I attest that the client application validates the `state` parameter returned by the Resource Holder in response to an authorization request to ensure it matches the value sent in the original request. + I attest that the client application validates the `state` parameter returned by the Resource Holder in + response to an authorization request to ensure it matches the value sent in the original request. ), type: 'radio', default: 'false', 
@@ -37,7 +40,8 @@ class ValidationAndConfidentialityAttestationTest < Inferno::Test input :client_credentials_confidentiality, title: 'Ensures confidentiality of client passwords and credentials', description: %( - I attest that the client application ensures confidentiality of client passwords and other client credentials by securely storing and transmitting them. + I attest that the client application ensures confidentiality of client passwords and other client + credentials by securely storing and transmitting them. ), type: 'radio', default: 'false', diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb index 6cee4e5..0d0a025 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb 
@@ -3,14 +3,16 @@ class AccessTokenLifetimeAttestationTest < Inferno::Test title 'Limits lifetime of access tokens to no longer than 60 minutes' id :udap_security_access_token_lifetime description %( - The Authorization Server issues access tokens with a lifetime no longer than 60 minutes for all successful token requests. + The Authorization Server issues access tokens with a lifetime no longer than 60 minutes for all successful + token requests. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@184' input :access_token_lifetime_correct, title: 'Authorization Code and Token Requests: Limits lifetime of access tokens to no longer than 60 minutes', description: %( - I attest that the Authorization Server issues access tokens with a lifetime no longer than 60 minutes for all successful token requests. + I attest that the Authorization Server issues access tokens with a lifetime no longer than 60 minutes for + all successful token requests. ), type: 'radio', default: 'false', diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb index a23a388..fba7187 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb 
@@ -3,14 +3,16 @@ class ClientIDModificationAttestationTest < Inferno::Test title 'Handles client ID modification correctly' id :udap_security_client_id_modification description %( - Authorization Server cancels the registration for the previous `client_id` if it returns a different `client_id` in response to a registration modification request. + Authorization Server cancels the registration for the previous `client_id` if it returns a different `client_id` + in response to a registration modification request. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@121' input :client_id_modification_correct, title: 'Dynamic Client Registration: Handles client ID modification correctly', description: %( - I attest that the Authorization Server cancels the registration for the previous `client_id` if it returns a different `client_id` in response to a registration modification request. + I attest that the Authorization Server cancels the registration for the previous `client_id` if it + returns a different `client_id` in response to a registration modification request. ), type: 'radio', default: 'false', diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb index f6bc04d..40d1948 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb 
@@ -3,14 +3,16 @@ class InvalidIDTokenErrorAttestationTest < Inferno::Test title 'Handles invalid ID token error correctly' id :udap_security_invalid_id_token_error description %( - Data Holder either returns an `invalid_idp` error code or attempts alternate authentication when the IdP does not return an ID Token or validation fails. + Data Holder either returns an `invalid_idp` error code or attempts alternate authentication when the IdP + does not return an ID Token or validation fails. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@291' input :invalid_id_token_error_handling_correct, title: 'Error Handling: Handles invalid ID token error correctly', description: %( - I attest that the Data Holder either returns an `invalid_idp` error code or attempts alternate authentication when the IdP does not return an ID Token or validation fails. + I attest that the Data Holder either returns an `invalid_idp` error code or attempts alternate + authentication when the IdP does not return an ID Token or validation fails. ), type: 'radio', default: 'false', @@ -33,7 +35,8 @@ class InvalidIDTokenErrorAttestationTest < Inferno::Test run do assert invalid_id_token_error_handling_correct == 'true', - 'Data Holder does not return an `invalid_idp` error code or attempt alternate authentication when the IdP does not return an ID Token or validation fails.' + 'Data Holder does not return an `invalid_idp` error code or attempt alternate authentication + when the IdP does not return an ID Token or validation fails.' pass invalid_id_token_error_handling_note if invalid_id_token_error_handling_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb index 20987a4..9d3c608 100644 
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb @@ -3,14 +3,16 @@ class InvalidRedirectionURIAttestationTest < Inferno::Test title 'Handles invalid redirection URI correctly' id :udap_security_invalid_redirection_uri description %( - The Authorization Server does NOT redirect the user-agent to an invalid redirection URI when the request fails due to a missing or invalid redirection URI. + The Authorization Server does NOT redirect the user-agent to an invalid redirection URI when the request + fails due to a missing or invalid redirection URI. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@242' input :invalid_redirection_uri_handling_correct, title: 'Error Handling: Handles Invalid redirection URI correctly', description: %( - I attest that the Authorization Server does NOT redirect the user-agent to an invalid redirection URI when the request fails due to a missing or invalid redirection URI. + I attest that the Authorization Server does NOT redirect the user-agent to an invalid redirection + URI when the request fails due to a missing or invalid redirection URI. ), type: 'radio', default: 'false', @@ -33,7 +35,8 @@ class InvalidRedirectionURIAttestationTest < Inferno::Test run do assert invalid_redirection_uri_handling_correct == 'true', - 'Authorization Server redirects the user-agent to an invalid redirection URI when the request fails due to a missing or invalid URI.' + 'Authorization Server redirects the user-agent to an invalid redirection URI when the + request fails due to a missing or invalid URI.' pass invalid_redirection_uri_handling_note if invalid_redirection_uri_handling_note.present? end end 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb index 83fcef7..c5b7b3f 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb @@ -3,14 +3,16 @@ class StateMismatchErrorAttestationTest < Inferno::Test title 'Handles state mismatch error correctly' id :udap_security_state_mismatch_error description %( - If the `state` parameter does NOT match, the Resource Holder MUST terminate the workflow and redirect with a `server_error`. + If the `state` parameter does NOT match, the Resource Holder MUST terminate the workflow and redirect with a + `server_error`. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@271' input :state_mismatch_error_handling_correct, title: 'Error Handling: State mismatch error is handled correctly', description: %( - I attest that the Resource Holder terminates the workflow and redirects with a `server_error` when the `state` parameter does NOT match. + I attest that the Resource Holder terminates the workflow and redirects with a `server_error` when the + `state` parameter does NOT match. ), type: 'radio', default: 'false', @@ -33,7 +35,8 @@ class StateMismatchErrorAttestationTest < Inferno::Test run do assert state_mismatch_error_handling_correct == 'true', - 'Resource Holder does not terminate the workflow or redirect with a `server_error` when the `state` parameter does NOT match.' + 'Resource Holder does not terminate the workflow or redirect with a `server_error` when the + `state` parameter does NOT match.' pass state_mismatch_error_handling_note if state_mismatch_error_handling_note.present? end end 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb index 1a153e3..b9e65fb 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb @@ -10,7 +10,8 @@ class UnauthenticatedUserErrorAttestationTest < Inferno::Test input :unauthenticated_user_error_handling_correct, title: 'Error Handling: Handles unauthenticated user error correctly', description: %( - I attest that the Data Holder returns an `access_denied` error response when it cannot resolve the authenticated user. + I attest that the Data Holder returns an `access_denied` error response when it cannot resolve + the authenticated user. ), type: 'radio', default: 'false', @@ -33,7 +34,8 @@ class UnauthenticatedUserErrorAttestationTest < Inferno::Test run do assert unauthenticated_user_error_handling_correct == 'true', - 'Data Holder does not return an `access_denied` error response when it cannot resolve the authenticated user.' + 'Data Holder does not return an `access_denied` error response when it cannot resolve the + authenticated user.' pass unauthenticated_user_error_handling_note if unauthenticated_user_error_handling_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb index eacda3f..c16d4a6 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb 
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb @@ -3,14 +3,16 @@ class ValidStateErrorResponseAttestationTest < Inferno::Test title 'Handles valid state error correctly' id :udap_security_valid_state_error_response description %( - Resource Holder redirects with an `access_denied` error code when the `state` value is valid on an error response. + Resource Holder redirects with an `access_denied` error code when the `state` value is valid + on an error response. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@273' input :valid_state_error_response_handling_correct, title: 'Error Handling: Handles valid state error correctly', description: %( - I attest that the Resource Holder redirects with an `access_denied` error code when the `state` value is valid on an error response. + I attest that the Resource Holder redirects with an `access_denied` error code when the + `state` value is valid on an error response. ), type: 'radio', default: 'false', @@ -33,7 +35,8 @@ class ValidStateErrorResponseAttestationTest < Inferno::Test run do assert valid_state_error_response_handling_correct == 'true', - 'Resource Holder does not redirect with an `access_denied` error code when the `state` value is valid on an error response.' + 'Resource Holder does not redirect with an `access_denied` error code when the `state` + value is valid on an error response.' pass valid_state_error_response_handling_note if valid_state_error_response_handling_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb index 0fc12dd..6b4328b 100644 
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb @@ -3,7 +3,8 @@ class AccessTokenValidationAttestationTest < Inferno::Test title 'Validates access token correctly' id :udap_security_access_token_validation description %( - Data Holder validates the Access Token as per the Access Token validation rules, including: + Data Holder validates the Access Token as per the Access Token validation rules, + including: - Verifying the token's integrity. - Checking claims such as `exp` and other relevant attributes. ) @@ -13,7 +14,8 @@ class AccessTokenValidationAttestationTest < Inferno::Test input :access_token_validation_correct, title: 'ID Token and Access Token Validation: Validates access token correctly', description: %( - I attest that the Data Holder validates the Access Token as per the Access Token validation rules, including: + I attest that the Data Holder validates the Access Token as per the Access Token validation rules, + including: - Verifying the token's integrity. - Checking claims such as `exp` and other relevant attributes. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb index 4181bdb..3af50b9 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb 
@@ -14,7 +14,8 @@ class TokenResponseValidationAttestationTest < Inferno::Test input :token_response_validation_correct, title: 'ID Token and Access Token Validation: Validates token response correctly', description: %( - I attest that the Client validates the Token Response as per RFC 6749 and OIDC Core specifications, including: + I attest that the Client validates the Token Response as per RFC 6749 and OIDC Core specifications, + including: - Ensuring the presence of `access_token` and `token_type` parameters. - Validating the response structure and data integrity. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb index f9907f2..3ff1c1b 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb @@ -8,9 +8,13 @@ class IdPAuthenticationRequestAttestationTest < Inferno::Test verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@245' input :idp_authentication_request_correct, - title: 'Interaction with Identity Providers (IdPs): Performs Authentication request to the IdP’s authorization endpoint', + title: %( + Interaction with Identity Providers (IdPs): Performs Authentication request to the IdP’s authorization + endpoint + ), description: %( - I attest that the Data Holder makes an authentication request to the IdP’s authorization endpoint when the IdP is trusted. + I attest that the Data Holder makes an authentication request to the IdP’s authorization endpoint when the + IdP is trusted. ), type: 'radio', default: 'false', 
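Review bot: The `title:` of `idp_authentication_request_correct` now begins with a newline and carries the continuation line's indentation, because `%(` keeps everything between the parentheses verbatim, whereas the removed line was a plain single-line string. The existing `description` values already use `%(`, but whether an input title is rendered with that surrounding whitespace stripped is not visible here, so it should be checked in the UI. If it is not, a backslash continuation keeps the title a single string without the whitespace: `title: 'Interaction with Identity Providers (IdPs): Performs Authentication request to the IdP’s authorization ' \` then `'endpoint',`. The same applies to the `title: %(` introduced in idp_token_exchange_test.rb.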
@@ -33,7 +37,8 @@ class IdPAuthenticationRequestAttestationTest < Inferno::Test run do assert idp_authentication_request_correct == 'true', - 'Data Holder does not make an authentication request to the IdP’s authorization endpoint when the IdP is trusted.' + 'Data Holder does not make an authentication request to the IdP’s authorization endpoint when the IdP + is trusted.' pass idp_authentication_request_note if idp_authentication_request_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb index b24f42f..86a618b 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb @@ -37,7 +37,8 @@ class IdPDynamicRegistrationAttestationTest < Inferno::Test run do assert idp_dynamic_registration_correct == 'true', - 'Data Holder does not register as a client with the IdP when it is trusted and supports UDAP Dynamic Registration.' + 'Data Holder does not register as a client with the IdP when it is trusted and supports + UDAP Dynamic Registration.' pass idp_dynamic_registration_note if idp_dynamic_registration_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb index bc9a70b..291e04c 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb 
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb @@ -3,14 +3,19 @@ class IdPTokenExchangeAttestationTest < Inferno::Test title 'Exchanges code for tokens after successful authentication response' id :udap_security_idp_token_exchange description %( - Data Holder exchanges the authorization code for tokens after receiving a successful authentication response from the IdP. + Data Holder exchanges the authorization code for tokens after receiving a successful + authentication response from the IdP. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@279' input :idp_token_exchange_correct, - title: 'Interaction with Identity Providers (IdPs): Exchanges code for tokens after successful authentication response', + title: %( + 'Interaction with Identity Providers (IdPs): Exchanges code for tokens after successful + authentication response' + ), description: %( - I attest that the Data Holder exchanges the authorization code for tokens after receiving a successful authentication response from the IdP. + I attest that the Data Holder exchanges the authorization code for tokens after receiving a + successful authentication response from the IdP. ), type: 'radio', default: 'false', @@ -33,7 +38,8 @@ class IdPTokenExchangeAttestationTest < Inferno::Test run do assert idp_token_exchange_correct == 'true', - 'Data Holder does not exchange the authorization code for tokens after receiving a successful authentication response from the IdP.' + 'Data Holder does not exchange the authorization code for tokens after receiving a successful + authentication response from the IdP.' pass idp_token_exchange_note if idp_token_exchange_note.present? end end 
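Review bot: The new `title: %(` block for `idp_token_exchange_correct` keeps the single quotes from the removed line inside the literal, so the rendered title will start with `'Interaction` and end with `response'`; the parallel change in idp_authentication_request_test.rb correctly omits them. Drop the quote characters so the two lines read `Interaction with Identity Providers (IdPs): Exchanges code for tokens after successful` and `authentication response`.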
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb index 9245557..516f10a 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb @@ -3,14 +3,16 @@ class UDAPAuthorizationExtensionsRequiredAttestationTest < Inferno::Test title 'Includes required authorization extensions' id :udap_security_authorization_extensions_required description %( - Server's UDAP metadata includes the `udap_authorization_extensions_required` list with `["hl7-b2b"]` if the Authorization Server requires the B2B Authorization Extension Object. + Server's UDAP metadata includes the `udap_authorization_extensions_required` list with `["hl7-b2b"]` + if the Authorization Server requires the B2B Authorization Extension Object. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@32' input :udap_authorization_extensions_required_correct, title: 'UDAP Metadata and Server Capabilities: Includes required authorization extensions', description: %( - I attest that the server's UDAP metadata includes the `udap_authorization_extensions_required` list with `["hl7-b2b"]` if the Authorization Server requires the B2B Authorization Extension Object. + I attest that the server's UDAP metadata includes the `udap_authorization_extensions_required` list + with `["hl7-b2b"]` if the Authorization Server requires the B2B Authorization Extension Object. ), type: 'radio', default: 'false', 
@@ -33,7 +35,8 @@ class UDAPAuthorizationExtensionsRequiredAttestationTest < Inferno::Test run do assert udap_authorization_extensions_required_correct == 'true', - 'Server metadata does not include the `udap_authorization_extensions_required` list with `["hl7-b2b"]` when required.' + 'Server metadata does not include the `udap_authorization_extensions_required` list with `["hl7-b2b"]` + when required.' pass udap_authorization_extensions_required_note if udap_authorization_extensions_required_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb index 8517611..2b6d3fa 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb 
@@ -3,14 +3,17 @@ class CommunityParameterSupportAttestationTest < Inferno::Test title 'Supports community parameter correctly' id :udap_security_community_parameter_support description %( - Server supports the `community` parameter correctly by selecting a certificate intended for use within the identified trust community when generating the signed JWT for the `signed_metadata` element. + Server supports the `community` parameter correctly by selecting a certificate intended for use within the + identified trust community when generating the signed JWT for the `signed_metadata` element. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@62' input :community_parameter_support_correct, title: 'UDAP Metadata and Server Capabilities: Supports community parameter correctly', description: %( - I attest that the server supports the `community` parameter correctly by selecting a certificate intended for use within the identified trust community when generating the signed JWT for the `signed_metadata` element. + I attest that the server supports the `community` parameter correctly by selecting a certificate intended + for use within the identified trust community when generating the signed JWT for the `signed_metadata` + element. ), type: 'radio', default: 'false', @@ -33,7 +36,8 @@ class CommunityParameterSupportAttestationTest < Inferno::Test run do assert community_parameter_support_correct == 'true', - 'Server does not correctly support the `community` parameter when generating the signed JWT for the `signed_metadata` element.' + 'Server does not correctly support the `community` parameter when generating the signed JWT for the + `signed_metadata` element.' pass community_parameter_support_note if community_parameter_support_note.present? end end 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb index c7e418f..c80a332 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb @@ -3,14 +3,16 @@ class UDAPMetadataEndpointErrorHandlingAttestationTest < Inferno::Test title 'Handles unsupported workflows correctly' id :udap_security_metadata_error_handling description %( - Server's UDAP metadata endpoint correctly handles unsupported workflows by returning a `404 Not Found` response when no UDAP workflows are supported. + Server's UDAP metadata endpoint correctly handles unsupported workflows by returning a `404 Not Found` response + when no UDAP workflows are supported. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@19' input :udap_metadata_error_handling_correct, title: 'UDAP Metadata and Server Capabilities: Handles unsupported workflows correctly', description: %( - I attest that the server's UDAP metadata endpoint correctly handles unsupported workflows by returning a `404 Not Found` response when no UDAP workflows are supported. + I attest that the server's UDAP metadata endpoint correctly handles unsupported workflows by returning a + `404 Not Found` response when no UDAP workflows are supported. ), type: 'radio', default: 'false', 
@@ -33,7 +35,8 @@ class UDAPMetadataEndpointErrorHandlingAttestationTest < Inferno::Test run do assert udap_metadata_error_handling_correct == 'true', - 'Server metadata endpoint did not correctly handle unsupported workflows by returning a `404 Not Found` response.' + 'Server metadata endpoint did not correctly handle unsupported workflows by returning a + `404 Not Found` response.' pass udap_metadata_error_handling_note if udap_metadata_error_handling_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb index 86a1f85..f2709dc 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb 
@@ -3,14 +3,16 @@ class UDAPMetadataRepresentationAttestationTest < Inferno::Test title 'Represents server capabilities correctly' id :udap_security_metadata_representation description %( - Server's UDAP metadata endpoint correctly represents the server’s capabilities with respect to the UDAP workflows described in the guide. + Server's UDAP metadata endpoint correctly represents the server’s capabilities with respect to the UDAP + workflows described in the guide. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@18' input :udap_metadata_representation_correct, title: 'UDAP Metadata and Server Capabilities: Represents server capabilities correctly', description: %( - I attest that the server's UDAP metadata endpoint correctly represents the server’s capabilities with respect to the UDAP workflows described in the guide. + I attest that the server's UDAP metadata endpoint correctly represents the server’s capabilities with + respect to the UDAP workflows described in the guide. ), type: 'radio', default: 'false', diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb index b32a561..a4d70f6 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb 
@@ -3,14 +3,16 @@ class UDAPProfilesSupportedAttestationTest < Inferno::Test title 'Includes supported profiles' id :udap_security_profiles_supported description %( - Server's UDAP metadata includes the `udap_profiles_supported` element with `udap_to` if the server supports the user authentication workflow described in Section 6. + Server's UDAP metadata includes the `udap_profiles_supported` element with `udap_to` if the + server supports the user authentication workflow described in Section 6. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@27' input :udap_profiles_supported_correct, title: 'UDAP Metadata and Server Capabilities: Includes supported profiles', description: %( - I attest that the server's UDAP metadata includes the `udap_profiles_supported` element with `udap_to` if the server supports the user authentication workflow described in Section 6. + I attest that the server's UDAP metadata includes the `udap_profiles_supported` element with `udap_to` + if the server supports the user authentication workflow described in Section 6. ), type: 'radio', default: 'false', @@ -33,7 +35,8 @@ class UDAPProfilesSupportedAttestationTest < Inferno::Test run do assert udap_profiles_supported_correct == 'true', - 'Server metadata does not include the `udap_profiles_supported` element with `udap_to` for UDAP Tiered OAuth for User Authentication.' + 'Server metadata does not include the `udap_profiles_supported` element with `udap_to` for UDAP + Tiered OAuth for User Authentication.' pass udap_profiles_supported_note if udap_profiles_supported_note.present? end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb index 77beff4..cb43929 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb 
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb @@ -12,7 +12,8 @@ class CSRFProtectionAttestationTest < Inferno::Test input :csrf_protection_implemented, title: 'Security Measures: Implements CSRF protection for the authorization endpoint', description: %( - I attest that the Authorization Server implements CSRF protection for its authorization endpoint, including mechanisms such as: + I attest that the Authorization Server implements CSRF protection for its authorization endpoint, + including mechanisms such as: - Use of anti-CSRF tokens. - Validation of `state` parameter to prevent cross-site request forgery. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb index 263a4ad..43f2af8 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb @@ -3,7 +3,8 @@ class UnauthenticatedClientSecurityAttestationTest < Inferno::Test title 'Considers security measures for unauthenticated clients' id :udap_security_unauthenticated_clients description %( - I attest that the Authorization Server considers security implications when interacting with unauthenticated clients, including: + I attest that the Authorization Server considers security implications when interacting with unauthenticated + clients, including: - Restricting access to sensitive endpoints. - Implementing rate limiting or other protective measures. ) 
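Review bot: The test-level `description` in the unauthenticated_client_security_test.rb hunk still reads as the attestation prompt (`I attest that the Authorization Server considers …`), which duplicates the wording of the `input` description in the following hunk, whereas the sibling tests in this patch describe the requirement declaratively (`Server's UDAP metadata endpoint correctly handles …`). Rewording the two added lines to `Authorization Server considers security implications when interacting with unauthenticated` / `clients, including:` keeps the wrap and matches the other attestation tests. The enclosing class starts before the hunk.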
@@ -12,7 +13,8 @@ class UnauthenticatedClientSecurityAttestationTest < Inferno::Test input :unauthenticated_client_security_measures, title: 'Security Measures: Considers security measures for unauthenticated clients', description: %( - I attest that the Authorization Server considers security implications when interacting with unauthenticated clients, including: + I attest that the Authorization Server considers security implications when interacting with unauthenticated + clients, including: - Restricting access to sensitive endpoints. - Implementing rate limiting or other protective measures. ), @@ -37,7 +39,8 @@ class UnauthenticatedClientSecurityAttestationTest < Inferno::Test run do assert unauthenticated_client_security_measures == 'true', - 'Authorization Server does not consider security implications when interacting with unauthenticated clients.' + 'Authorization Server does not consider security implications when interacting with unauthenticated + clients.' pass unauthenticated_client_security_note if unauthenticated_client_security_note.present? end end From 4a3002f4074305ec8bdd4f071adb65095c4fe844 Mon Sep 17 00:00:00 2001 From: Christine Duong Date: Thu, 10 Jul 2025 09:18:44 -0400 Subject: [PATCH 07/13] Fix requirements --- ..._security_client_requirements_coverage.csv | 60 +++++++------- .../udap_security_requirements_coverage.csv | 82 +++++++++---------- .../token_request_authentication_test.rb | 2 +- 3 files changed, 72 insertions(+), 72 deletions(-) diff --git a/lib/udap_security_test_kit/requirements/generated/udap_security_client_requirements_coverage.csv b/lib/udap_security_test_kit/requirements/generated/udap_security_client_requirements_coverage.csv index eebe3cc..6ce183a 100644 --- a/lib/udap_security_test_kit/requirements/generated/udap_security_client_requirements_coverage.csv +++ b/lib/udap_security_test_kit/requirements/generated/udap_security_client_requirements_coverage.csv 
@@ -8,10 +8,10 @@ hl7.fhir.us.udap-security_1.0.0,6,https://hl7.org/fhir/us/udap-security/STU1/#si hl7.fhir.us.udap-security_1.0.0,7,https://hl7.org/fhir/us/udap-security/STU1/#jwt-headers,All JWTs defined in this [UDAP] guide SHALL contain a Javascript Object Signing and Encryption (JOSE) header as defined in [Section 4](https://datatracker.ietf.org/doc/html/rfc7515#section-4) of RFC 7515 [where] JWT header value`alg` [is] `required`A string identifying the signature algorithm used to sign the JWT,SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" hl7.fhir.us.udap-security_1.0.0,8,https://hl7.org/fhir/us/udap-security/STU1/#jwt-headers,"All JWTs defined in this [UDAP] guide SHALL contain a Javascript Object Signing and Encryption (JOSE) header as defined in [Section 4](https://datatracker.ietf.org/doc/html/rfc7515#section-4) of RFC 7515 [where] JWT header value `x5c`[is] `required`. An array of one or more strings containing the X.509 certificate or certificate chain, where the leaf certificate corresponds to the key used to digitally sign the JWT. 
Each string in the array is the base64-encoded DER representation of the corresponding certificate, with the leaf certificate appearing as the first (or only) element of the array.",SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" hl7.fhir.us.udap-security_1.0.0,16,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,"If a server returns a `404 Not Found` response to a `GET` request to the UDAP metadata endpoint, the client application SHOULD conclude that the server does not support UDAP workflows.",SHOULD,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,20,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"For elements that are represented by JSON arrays, clients SHALL interpret an empty array value to mean that the corresponding capability is NOT supported by the server.",SHALL,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,21,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[F]or the workflows defined in this guide, client applications SHALL use the applicable values returned in a server’s UDAP metadata.",SHALL,Client,,,,"","" +hl7.fhir.us.udap-security_1.0.0,20,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"For elements that are represented by JSON arrays, clients SHALL interpret an empty array value to mean that the corresponding capability is NOT supported by the server.",SHALL,Client,,,,5.04,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_metadata_interpretation 
+hl7.fhir.us.udap-security_1.0.0,21,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[F]or the workflows defined in this guide, client applications SHALL use the applicable values returned in a server’s UDAP metadata.",SHALL,Client,,,,5.04,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_metadata_interpretation hl7.fhir.us.udap-security_1.0.0,60,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,[A] client application MAY add the optional query parameter `community` to the metadata request URL described in [Section 2.1](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints) to indicate that it trusts certificates issued by the community identified by the parameter value.,MAY,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,61,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,[when a client adds the query parameter `community`] The value of the parameter SHALL be a URI as determined by the trust community for this purpose.,SHALL,Client,,,,"","" +hl7.fhir.us.udap-security_1.0.0,61,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,[when a client adds the query parameter `community`] The value of the parameter SHALL be a URI as determined by the trust community for this purpose.,SHALL,Client,,,,5.13,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_trust_community_query_parameters hl7.fhir.us.udap-security_1.0.0,66,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,"Before FHIR data requests can be made, Client application operators SHALL register each of their applications with the Authorization Servers identified by the FHIR servers with which they wish to exchange data.",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, 
udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification" hl7.fhir.us.udap-security_1.0.0,67,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,Client applications SHALL use the client_id assigned by an Authorization Server in subsequent authorization and token requests to that server.,SHALL,Client,,,,"3.02, 3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" hl7.fhir.us.udap-security_1.0.0,69,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,Confidential clients that can secure a secret MAY use this dynamic client registration protocol as discussed further below to obtain a `client_id`,MAY,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" 
@@ -27,7 +27,7 @@ hl7.fhir.us.udap-security_1.0.0,78,https://hl7.org/fhir/us/udap-security/STU1/re hl7.fhir.us.udap-security_1.0.0,79,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `exp`... SHALL be no more than 5 minutes after the value of the `iat` claim.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification" hl7.fhir.us.udap-security_1.0.0,80,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `iat` [is] `required`[and is the] Issued time integer for this software statement, expressed in seconds since the ""Epoch""",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification" hl7.fhir.us.udap-security_1.0.0,81,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `jti` [is] `required`[and is a] nonce string value that uniquely identifies this software statement.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification" -hl7.fhir.us.udap-security_1.0.0,82,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `jti` SHALL NOT be reused by the client app in another software statement or authentication JWT before the time specified in the `exp` claim has 
passed,SHALL,Client,,,,"","" +hl7.fhir.us.udap-security_1.0.0,82,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `jti` SHALL NOT be reused by the client app in another software statement or authentication JWT before the time specified in the `exp` claim has passed,SHALL,Client,,,,5.08,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_software_statement_registration hl7.fhir.us.udap-security_1.0.0,83,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `client_name` [is] `required`[and is a] string containing the human readable name of the client application,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification" hl7.fhir.us.udap-security_1.0.0,84,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `redirect_uris` … SHALL be present if grant_types includes `authorization_code`,SHALL,Client,,,,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification hl7.fhir.us.udap-security_1.0.0,85,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `redirect_uris` … SHALL be absent [if the `grant_types` claim does not include `authorization_code`].,SHALL,Client,,,,2.02,udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification 
@@ -48,20 +48,20 @@ hl7.fhir.us.udap-security_1.0.0,101,https://hl7.org/fhir/us/udap-security/STU1/r hl7.fhir.us.udap-security_1.0.0,102,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The unique client URI used for the iss claim SHALL ... uniquely identify a single client app operator and application over time.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification" hl7.fhir.us.udap-security_1.0.0,103,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"The software statement is intended for one-time use with a single OAuth 2.0 server. As such, the `aud` claim SHALL list the URL of the OAuth Server’s registration endpoint",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification" hl7.fhir.us.udap-security_1.0.0,104,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"The software statement is intended for one-time use with a single OAuth 2.0 server. 
As such, … the lifetime of the software statement (`exp` minus `iat`) SHALL be 5 minutes.",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification" -hl7.fhir.us.udap-security_1.0.0,123,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,A client application SHALL interpret a registration response that contains an empty `grant_types`array as a confirmation that the registration for the `client_id` listed in the response has been cancelled by the Authorization Server.,SHALL,Client,,,,"","" +hl7.fhir.us.udap-security_1.0.0,123,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,A client application SHALL interpret a registration response that contains an empty `grant_types`array as a confirmation that the registration for the `client_id` listed in the response has been cancelled by the Authorization Server.,SHALL,Client,,,,5.08,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_software_statement_registration hl7.fhir.us.udap-security_1.0.0,126,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#consumer-facing,"Consumer-facing client applications SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 authorization code grant flow,",SHALL,Client,,,,3,udap_security_client-udap_client_access_ac hl7.fhir.us.udap-security_1.0.0,127,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,"Client applications SHALL request an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) of RFC 6749,",SHALL,Client,,,,3.02,udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification 
hl7.fhir.us.udap-security_1.0.0,128,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1,"[When] The client constructs the request URI … the … parameter.. `response_type` [is] `required`[and the] value MUST be set to ""code""",SHALL,Client,,,,3.02,udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification hl7.fhir.us.udap-security_1.0.0,129,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1,[When] The client constructs the request URI … the … parameter.. `client_id` [is] `required`… [and is t]he client identifier as described in [Section 2.2](https://datatracker.ietf.org/doc/html/rfc6749#section-2.2).,SHALL,Client,,,,3.02,udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification hl7.fhir.us.udap-security_1.0.0,130,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,Client applications that also support the SMART App Launch IG are NOT REQUIRED to include a launch scope or launch context requirement scope.,MAY,Client,,,,"","" hl7.fhir.us.udap-security_1.0.0,132,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,[S]ervers MAY optionally support UDAP Tiered OAuth for User Authentication to allow for cross-organizational or third party user authentication as described in [Section 6](https://hl7.org/fhir/us/udap-security/STU1/user.html).,MAY,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,136,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,If the resource owner grants the access request… The client MUST NOT use the authorization code more than once.,SHALL,Client,,,,"","" +hl7.fhir.us.udap-security_1.0.0,136,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,If the resource owner grants the access request… The client MUST NOT use the authorization code more than once.,SHALL,Client,,,,5.01,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_auth_code_usage 
hl7.fhir.us.udap-security_1.0.0,139,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When receiveing an response to an authorization request t]he client MUST ignore unrecognized response parameters.,SHALL,Client,,,,"","" hl7.fhir.us.udap-security_1.0.0,140,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-access-token,"Client applications SHALL exchange authorization codes for access tokens as per [Section 4.1.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3) of RFC 6749,",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification hl7.fhir.us.udap-security_1.0.0,141,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When] the client makes a request to the token endpoint… the `grant_type` [parameter is] `REQUIRED`[and the] Value MUST be set to ""authorization_code""",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification hl7.fhir.us.udap-security_1.0.0,142,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When t]he client makes a request to the token endpoint… the `code` [parameter is] `REQUIRED`[and is] the authorization code received from the authorization server,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification hl7.fhir.us.udap-security_1.0.0,143,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When t]he client makes a request to the token endpoint… the `redirect_uri` [parameter is] `REQUIRED`...if the ""redirect_uri"" parameter was included in the authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and their values MUST be identical.",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification -hl7.fhir.us.udap-security_1.0.0,144,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When t]he client makes a request 
to the token endpoint… the `client_id` [parameter is] `REQUIRED`...if the client is not authenticating with the authorization server as described in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1).,SHALL,Client,,,,"","" +hl7.fhir.us.udap-security_1.0.0,144,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When t]he client makes a request to the token endpoint… the `client_id` [parameter is] `REQUIRED`...if the client is not authenticating with the authorization server as described in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1).,SHALL,Client,,,,5.07,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_token_request_authentication hl7.fhir.us.udap-security_1.0.0,145,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1).",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification hl7.fhir.us.udap-security_1.0.0,151,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"If the client app has registered to authenticate using a private key rather than a shared client_secret, then the client SHALL use its private key to sign an Authentication Token as described in this section, and include this JWT in the client_assertion parameter of its token request as described in section 5.1 of UDAP JWT-Based Client Authentication and detailed further in Section 4.2.2 of this guide.",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification 
hl7.fhir.us.udap-security_1.0.0,152,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,Authentication Tokens submitted by client apps SHALL conform to the general JWT header requirements above,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification 
@@ -71,12 +71,12 @@ hl7.fhir.us.udap-security_1.0.0,155,https://hl7.org/fhir/us/udap-security/STU1/c hl7.fhir.us.udap-security_1.0.0,156,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `exp` parameter [is] `required` [and is the e]xpiration time integer for this authentication JWT, expressed in seconds since the ""Epoch"" (1970-01-01T00:00:00Z UTC)",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification hl7.fhir.us.udap-security_1.0.0,157,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `iat` parameter [is] `required` [and is the i]ssued time integer for this authentication JWT, expressed in seconds since the ""Epoch""",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification hl7.fhir.us.udap-security_1.0.0,158,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `jti` parameter [is] `required` [and is a] nonce string value that uniquely identifies this authentication,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification -hl7.fhir.us.udap-security_1.0.0,159,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` ...element of token requests] … the `jti` parameter... 
SHALL NOT be reused by the client app in another authentication JWT before the time specified in the `exp` claim has passed,SHALL,Client,,,,"","" +hl7.fhir.us.udap-security_1.0.0,159,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` ...element of token requests] … the `jti` parameter... SHALL NOT be reused by the client app in another authentication JWT before the time specified in the `exp` claim has passed,SHALL,Client,,,,5.03,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_jti_reuse_prevention hl7.fhir.us.udap-security_1.0.0,160,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"The maximum lifetime for an Authentication Token SHALL be 5 minutes, i.e. the value of `exp` minus the value of `iat` SHALL NOT exceed 300 seconds.",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification hl7.fhir.us.udap-security_1.0.0,161,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,The Authentication Token SHALL be signed and serialized using the JSON compact serialization method..,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification hl7.fhir.us.udap-security_1.0.0,162,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"For client applications authenticating with a shared secret, the client application and server SHALL follow the token request and response protocol in Section 4.1.3 and Section 4.1.4 of RFC 6749.",SHALL,Client,,,,"","" hl7.fhir.us.udap-security_1.0.0,163,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,Client applications authenticating with a private key and Authentication Token as per Section 
[4.2.1](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token) SHALL submit a POST request to the Authorization Server’s token endpoint containing the [token request]... parameters as per Section 5.1 of UDAP JWT-Based Client Authentication,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification -hl7.fhir.us.udap-security_1.0.0,164,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,Client apps authenticating in this [with a private key and Authentication Token] manner SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request.,SHALL NOT,Client,,,,"","" +hl7.fhir.us.udap-security_1.0.0,164,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,Client apps authenticating in this [with a private key and Authentication Token] manner SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request.,SHALL NOT,Client,,,,5.06,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_private_key_authentication hl7.fhir.us.udap-security_1.0.0,165,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `grant_type` [parameter is] `required`[and SHALL contain the f]ixed value: `authorization_code`,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification hl7.fhir.us.udap-security_1.0.0,166,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `code` [parameter is] `required`[and SHALL contain the] code that the app received from the Authorization Server,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification 
hl7.fhir.us.udap-security_1.0.0,167,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"[When authenticating with a private key and Authentication Token] the `redirect_uri` [parameter is] `conditional`… SHALL be present only if the redirect_uri parameter was included in the authorization request in Section 4.1,",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification 
@@ -93,7 +93,7 @@ hl7.fhir.us.udap-security_1.0.0,181,https://www.udap.org/udap-jwt-client-auth.ht hl7.fhir.us.udap-security_1.0.0,185,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,B2B client applications registered to use the authorization code grant SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 authorization code grant flow described in [Section 4.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1) of RFC 6749,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification hl7.fhir.us.udap-security_1.0.0,186,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,Client applications registered to use the client credentials grant SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 client credentials grant flow described in [Section 4.4](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) of RFC 6749,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification hl7.fhir.us.udap-security_1.0.0,187,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,"[When using the B2B client credentials flow to obtain access] the Requestor [(client)] is responsible for ensuring that the Requestor’s User, if applicable, is using the app only as authorized by the Requestor.",SHALL,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,188,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code,Client applications registered to use the authorization code grant SHALL request an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) of RFC 6749,SHALL,Client,,,,"","" +hl7.fhir.us.udap-security_1.0.0,188,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code,Client applications registered to use the authorization code grant SHALL request an authorization 
code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) of RFC 6749,SHALL,Client,,,,5.01,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_auth_code_usage hl7.fhir.us.udap-security_1.0.0,192,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,"The client SHALL use its private key to sign an Authentication Token..., and include this JWT in the `client_assertion` parameter of its token request as described in section 5.1 of UDAP JWT-Based Client Authentication and detailed further in [Section 5.2.2](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#submitting-a-token-request) of this guide",SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" hl7.fhir.us.udap-security_1.0.0,193,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `sub` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" hl7.fhir.us.udap-security_1.0.0,194,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `aud` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" 
@@ -103,11 +103,11 @@ hl7.fhir.us.udap-security_1.0.0,197,https://hl7.org/fhir/us/udap-security/STU1/b hl7.fhir.us.udap-security_1.0.0,198,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `extensions` claim [is] `conditional` [and] The HL7 B2B Authorization Extension Object ...is required for B2B client apps using the client_credentials flow,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification hl7.fhir.us.udap-security_1.0.0,199,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `extensions` claim [is] `conditional` [and shall be] omit[ted] for client apps using the `authorization_code` flow,SHALL,Client,,,,"","" hl7.fhir.us.udap-security_1.0.0,202,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `version` [is] `required` [with a] String with fixed value: ""1""",SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification -hl7.fhir.us.udap-security_1.0.0,203,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_name` [is] `conditional` [and SHALL be required if the] String containing the human readable name of the human or non-human requestor [is] known,SHALL,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,204,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be required] if known for human requestors when the `subject_name` parameter is 
present.,SHALL,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,205,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id`... For US Realm,... SHALL be the subject's individual National Provider Identifier (NPI)",SHALL,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,206,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be omitted] for non-human requestors,SHALL,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,207,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be omitted] ... 
for requestors who have not been assigned an NPI,SHALL,Client,,,,"","" +hl7.fhir.us.udap-security_1.0.0,203,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_name` [is] `conditional` [and SHALL be required if the] String containing the human readable name of the human or non-human requestor [is] known,SHALL,Client,,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object +hl7.fhir.us.udap-security_1.0.0,204,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be required] if known for human requestors when the `subject_name` parameter is present.,SHALL,Client,,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object +hl7.fhir.us.udap-security_1.0.0,205,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id`... For US Realm,... 
SHALL be the subject's individual National Provider Identifier (NPI)",SHALL,Client,,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object +hl7.fhir.us.udap-security_1.0.0,206,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be omitted] for non-human requestors,SHALL,Client,,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object +hl7.fhir.us.udap-security_1.0.0,207,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be omitted] ... for requestors who have not been assigned an NPI,SHALL,Client,,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object hl7.fhir.us.udap-security_1.0.0,208,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_role` [is] `conditional` [and SHALL be required] if known for human requestors when the `subject_name` parameter is present. 
For US Realm, trust communities SHOULD constrain the allowed values and formats, and are encouraged to draw from the National Uniform Claim Committee (NUCC) Provider Taxonomy Code Set, but are not required to do so to be considered conformant.",SHALL,"Client,Trust Community",,,,"","" hl7.fhir.us.udap-security_1.0.0,210,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_name` [is] `optional` [and is a] string containing the human readable name of the organizational requestor. If a subject is named, the organizational requestor is the organization represented by the subject.",MAY,Client,,,,"","" hl7.fhir.us.udap-security_1.0.0,211,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_name` [is] `optional` … if a subject is named, the organizational requestor is the organization represented by the subject.",MAY,Client,,,,"","" 
@@ -117,12 +117,12 @@ hl7.fhir.us.udap-security_1.0.0,214,https://hl7.org/fhir/us/udap-security/STU1/b hl7.fhir.us.udap-security_1.0.0,215,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `purpose_of_use` [is] `required`.,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification hl7.fhir.us.udap-security_1.0.0,217,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_policy` [is] `optional`[and SHALL contain] an array of one or more strings, each containing a URI identifiying a privacy consent directive policy or other policy consistent with the value of the purpose_of_use parameter.",MAY,Client,,,,"","" hl7.fhir.us.udap-security_1.0.0,218,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_reference` [is] `conditional`[and SHALL contain a]n array of one or more strings, each containing an absolute URL consistent with a [literal reference](https://www.hl7.org/fhir/R4/references.html#literal) to a FHIR [Consent](https://www.hl7.org/fhir/R4/consent.html) or [DocumentReference](https://www.hl7.org/fhir/R4/documentreference.html) resource containing or referencing a privacy consent directive relevant to a purpose identified by the `purpose_of_use` parameter and the policy or policies identified by the `consent_policy` parameter.",MAY,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,219,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[When populating the consent_reference value of the B2B Authorization Extension] the value `consent_reference` 
[is] `conditional` ... [and t]he issuer of this Authorization Extension Object SHALL only include URLs that are resolvable by the receiving party.,SHALL,Client,true,,,"","" -hl7.fhir.us.udap-security_1.0.0,220,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[When populating the consent_reference value of the B2B Authorization Extension] the value `consent_reference` [is] `conditional`... [and i]f a referenced resource does not include the raw document data inline in the resource or as a contained resource, then it SHALL include a URL to the attachment data that is resolvable by the receiving party.",SHALL,Client,true,,,"","" -hl7.fhir.us.udap-security_1.0.0,221,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_reference` [is] `conditional`[and shall be ] ... Omit[ted] if `consent_policy` [paramaeter] is not present.,SHALL,Client,,,,"","" +hl7.fhir.us.udap-security_1.0.0,219,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[When populating the consent_reference value of the B2B Authorization Extension] the value `consent_reference` [is] `conditional` ... [and t]he issuer of this Authorization Extension Object SHALL only include URLs that are resolvable by the receiving party.,SHALL,Client,true,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object +hl7.fhir.us.udap-security_1.0.0,220,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[When populating the consent_reference value of the B2B Authorization Extension] the value `consent_reference` [is] `conditional`... 
[and i]f a referenced resource does not include the raw document data inline in the resource or as a contained resource, then it SHALL include a URL to the attachment data that is resolvable by the receiving party.",SHALL,Client,true,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object +hl7.fhir.us.udap-security_1.0.0,221,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_reference` [is] `conditional`[and shall be ] ... Omit[ted] if `consent_policy` [paramaeter] is not present.,SHALL,Client,,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object hl7.fhir.us.udap-security_1.0.0,222,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#submitting-a-token-request,Client applications using the authorization code grant and authenticating with a private key and Authentication Token as per Section 5.2.1 SHALL submit a POST request to the Authorization Server’s token endpoint containing the following parameters as per Section 5.1 of UDAP JWT-Based Client Authentication.,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification hl7.fhir.us.udap-security_1.0.0,223,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,Client applications using the client credentials grant and authenticating with a private key and Authentication Token as per Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) SHALL submit a POST request to the Authorization Server’s token endpoint containing the following parameters as per Section 5.2 of UDAP JWT-Based Client Authentication.,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification 
-hl7.fhir.us.udap-security_1.0.0,224,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,Client applications using the client credentials grant and authenticating with a private key and Authentication Token as per Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) … SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request.,SHALL NOT,Client,,,,"","" +hl7.fhir.us.udap-security_1.0.0,224,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,Client applications using the client credentials grant and authenticating with a private key and Authentication Token as per Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) … SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request.,SHALL NOT,Client,,,,5.06,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_private_key_authentication hl7.fhir.us.udap-security_1.0.0,225,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `grant_type` parameter [is] `required` [and SHALL contain f]ixed value: `client_credentials`,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification hl7.fhir.us.udap-security_1.0.0,226,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `client_assertion_type` parameter [is] `required` [and SHALL contain f]ixed value: `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification hl7.fhir.us.udap-security_1.0.0,227,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `client_assertion` 
parameter [is] `required` [and SHALL contain] the signed Authentication Token JWT,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification 
@@ -131,16 +131,16 @@ hl7.fhir.us.udap-security_1.0.0,231,https://hl7.org/fhir/us/udap-security/STU1/b hl7.fhir.us.udap-security_1.0.0,232,https://datatracker.ietf.org/doc/html/rfc6749#section-6,"[When requesting a refresh token] the `grant_type` [parameter is] REQUIRED [and the ] Value MUST be set to ""refresh_token""",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification hl7.fhir.us.udap-security_1.0.0,233,https://datatracker.ietf.org/doc/html/rfc6749#section-7,[When requesting a refresh token] the `refresh_token` [parameter is] REQUIRED [and is ] The refresh token issued to the client,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification hl7.fhir.us.udap-security_1.0.0,234,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#refresh-tokens,"Client apps authenticate to the Authorization Server for refresh requests by constructing and including an Authentication Token in the same manner as for initial token requests [i.e., include the client_assertion_type and client_assertion fields as in the token request]",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification -hl7.fhir.us.udap-security_1.0.0,235,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"IdPs that support this [UDAP] guide SHALL include `""openid""` and `""udap""` in the array of scopes returned for the `scopes_supported` parameter.",SHALL,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,236,https://hl7.org/fhir/us/udap-security/STU1/user.html#client-authorization-request-to-data-holder,The client app indicates the preferred Identity Provider to the data holder… by modifying the authorization endpoint request… [and a]dd[ing] `udap` to the list of scopes provided in the value of the `scope` query parameter,SHALL,Client,,,,"","" 
-hl7.fhir.us.udap-security_1.0.0,237,https://hl7.org/fhir/us/udap-security/STU1/user.html#client-authorization-request-to-data-holder,The client app indicates the preferred Identity Provider to the data holder… by modifying the authorization endpoint request… [and a]dd[ing] the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP.,SHALL,Client,,,,"","" +hl7.fhir.us.udap-security_1.0.0,235,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"IdPs that support this [UDAP] guide SHALL include `""openid""` and `""udap""` in the array of scopes returned for the `scopes_supported` parameter.",SHALL,Client,,,,5.02,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_idp_supports_scopes +hl7.fhir.us.udap-security_1.0.0,236,https://hl7.org/fhir/us/udap-security/STU1/user.html#client-authorization-request-to-data-holder,The client app indicates the preferred Identity Provider to the data holder… by modifying the authorization endpoint request… [and a]dd[ing] `udap` to the list of scopes provided in the value of the `scope` query parameter,SHALL,Client,,,,"5.05, 5.11","udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_preferred_idp, udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_scopes_identity_provider_interaction" +hl7.fhir.us.udap-security_1.0.0,237,https://hl7.org/fhir/us/udap-security/STU1/user.html#client-authorization-request-to-data-holder,The client app indicates the preferred Identity Provider to the data holder… by modifying the authorization endpoint request… [and a]dd[ing] the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP.,SHALL,Client,,,,5.05,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_preferred_idp 
hl7.fhir.us.udap-security_1.0.0,244,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"[When authenticating the user a] client app that receives an error code of `invalid_idp` MAY attempt to obtain authorization again by specifying a different IdP base URL in the `idp` authorization request parameter, or by making a new authorization request without using the Tiered OAuth workflow.",MAY,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,256,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,The `scope` query parameter of the authentication request SHALL contain at least the following two values: `openid` and `udap`.,SHALL,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,257,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,The IdP SHALL authenticate the user as per [Sections 3.1.2.2 - 3.1.2.6 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation) and Sections 4.1 - 4.2 of [UDAP Tiered Oauth](https://www.udap.org/udap-user-auth-stu1.html).,SHALL,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,274,https://www.udap.org/udap-user-auth-stu1.html,The Client App MUST validate the value of the state parameter returned by the Resource Holder [in response to an authorization request] as per RFC 6749.,SHALL,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,275,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,"The client MUST implement CSRF protection for its redirection URI. 
This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state (e.g., a hash of the session cookie used to authenticate the user-agent).",SHALL,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,276,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,The binding value used for CSRF protection MUST contain a non-guessable value (as described in Section 10.10),SHALL,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,277,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,"the user-agent's authenticated state (e.g.,session cookie, HTML5 local storage) MUST be kept in a location accessible only to the client and the user-agent (i.e., protected by same-origin policy).",SHALL,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,280,https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest,"[When making a token request] If the Client is a Confidential Client, then it MUST authenticate to the Token Endpoint using the authentication method registered for its `client_id`, as described in [Section 9](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication).",SHALL,Client,true,,,"","" +hl7.fhir.us.udap-security_1.0.0,256,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,The `scope` query parameter of the authentication request SHALL contain at least the following two values: `openid` and `udap`.,SHALL,Client,,,,5.11,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_scopes_identity_provider_interaction +hl7.fhir.us.udap-security_1.0.0,257,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,The IdP SHALL authenticate the user as per [Sections 3.1.2.2 - 3.1.2.6 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation) and Sections 4.1 - 4.2 of [UDAP Tiered 
Oauth](https://www.udap.org/udap-user-auth-stu1.html).,SHALL,Client,,,,5.11,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_scopes_identity_provider_interaction +hl7.fhir.us.udap-security_1.0.0,274,https://www.udap.org/udap-user-auth-stu1.html,The Client App MUST validate the value of the state parameter returned by the Resource Holder [in response to an authorization request] as per RFC 6749.,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_validation_confidentiality +hl7.fhir.us.udap-security_1.0.0,275,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,"The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state (e.g., a hash of the session cookie used to authenticate the user-agent).",SHALL,Client,,,,5.10,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_security_csrf_protection +hl7.fhir.us.udap-security_1.0.0,276,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,The binding value used for CSRF protection MUST contain a non-guessable value (as described in Section 10.10),SHALL,Client,,,,5.10,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_security_csrf_protection +hl7.fhir.us.udap-security_1.0.0,277,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,"the user-agent's authenticated state (e.g.,session cookie, HTML5 local storage) MUST be kept in a location accessible only to the client and the user-agent (i.e., protected by same-origin policy).",SHALL,Client,,,,5.10,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_security_csrf_protection 
+hl7.fhir.us.udap-security_1.0.0,280,https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest,"[When making a token request] If the Client is a Confidential Client, then it MUST authenticate to the Token Endpoint using the authentication method registered for its `client_id`, as described in [Section 9](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication).",SHALL,Client,true,,,5.07,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_token_request_authentication hl7.fhir.us.udap-security_1.0.0,281,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST authenticate to the IdP’s token endpoint [when requesting an ID token and access token] as detailed in Section 5 of UDAP JWT-based Client Authentication,SHALL,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,286,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,Web application clients MUST ensure confidentiality of client passwords and other client credentials.,SHALL,Client,,,,"","" +hl7.fhir.us.udap-security_1.0.0,286,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,Web application clients MUST ensure confidentiality of client passwords and other client credentials.,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_validation_confidentiality diff --git a/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv b/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv index 37e7c96..1d69de6 100644 --- a/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv +++ b/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv 
@@ -15,8 +15,8 @@ hl7.fhir.us.udap-security_1.0.0,13,https://hl7.org/fhir/us/udap-security/STU1/di hl7.fhir.us.udap-security_1.0.0,14,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,"Servers **SHALL** allow access to the following metadata URL ... without requiring client authentication, where {baseURL} represents the base FHIR URL for the FHIR server: {baseURL}/.well-known/udap",SHALL,Server,,,,"1.1.01, 2.1.01","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_well_known_endpoint, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_well_known_endpoint" hl7.fhir.us.udap-security_1.0.0,15,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,UDAP metadata **SHALL** be structured as a JSON object as per section 1 of [UDAP Server Metadata](https://www.udap.org/udap-server-metadata-stu1.html#section-1) and discussed further in [Section 2.2](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata).,SHALL,Server,,,,"1.1, 2.1","udap_security-udap_authorization_code_group-auth_code_discovery_group, udap_security-udap_client_credentials_group-auth_code_discovery_group" hl7.fhir.us.udap-security_1.0.0,17,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,"Servers conforming to this guide are generally expected, but not required, to also support the HL7 SMART App Launch Framework, which defines additional discovery and metadata requirements.",SHOULD,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,18,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,The metadata returned from the UDAP metadata endpoint … SHALL represent the server’s capabilities with respect to the UDAP workflows described in this guide.,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,19,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"If no UDAP workflows are supported, the 
server SHALL return a `404 Not Found` response to the metadata request.",SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,18,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,The metadata returned from the UDAP metadata endpoint … SHALL represent the server’s capabilities with respect to the UDAP workflows described in this guide.,SHALL,Server,,,,3.1.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_metadata_server_capabilities_group-udap_security_metadata_representation +hl7.fhir.us.udap-security_1.0.0,19,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"If no UDAP workflows are supported, the server SHALL return a `404 Not Found` response to the metadata request.",SHALL,Server,,,,3.1.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_metadata_server_capabilities_group-udap_security_metadata_error_handling hl7.fhir.us.udap-security_1.0.0,22,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_versions_supported` [element is] required [and SHALL be] A fixed array with one string element: [""1""]",SHALL,Server,,,,"1.1.02, 2.1.02","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_versions_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_versions_supported_field" hl7.fhir.us.udap-security_1.0.0,23,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_profiles_supported` [element is] required [and SHALL contain a]n array of two or more strings identifying the core UDAP profiles supported by the Authorization Server.",SHALL,Server,,,,"1.1.04, 2.1.04","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_profiles_supported_field, 
udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_profiles_supported_field" 
@@ -26,13 +26,13 @@ hl7.fhir.us.udap-security_1.0.0,26,https://hl7.org/fhir/us/udap-security/STU1/di If the `grant_types_supported` parameter includes the string `""client_credentials""`, then the array SHALL also include: `""udap_authz""` for UDAP Client Authorization Grants using JSON Web Tokens to indicate support for Authorization Extension Objects.",SHALL,Server,true,,,"1.1.04, 2.1.04","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_profiles_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_profiles_supported_field" hl7.fhir.us.udap-security_1.0.0,27,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata] `udap_profiles_supported` [element]... -If the server supports the user authentication workflow described in [Section 6](https://hl7.org/fhir/us/udap-security/STU1/user.html#tiered-oauth-for-user-authentication), then the array SHALL also include: `""udap_to""` for UDAP Tiered OAuth for User Authentication.",SHALL,Server,true,,,"","" +If the server supports the user authentication workflow described in [Section 6](https://hl7.org/fhir/us/udap-security/STU1/user.html#tiered-oauth-for-user-authentication), then the array SHALL also include: `""udap_to""` for UDAP Tiered OAuth for User Authentication.",SHALL,Server,true,,,3.1.05,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_metadata_server_capabilities_group-udap_security_profiles_supported hl7.fhir.us.udap-security_1.0.0,28,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_authorization_extensions_supported` [element is] required [and SHALL contain a]n array of zero or more recognized key names for Authorization Extension Objects supported by the Authorization Server.",SHALL,Server,,,,"1.1.05, 
2.1.05","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_auth_extensions_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_auth_extensions_supported_field" hl7.fhir.us.udap-security_1.0.0,29,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"If the Authorization Server supports the B2B Authorization Extension Object defined in Section [5.2.1.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object), then the ... `[""hl7-b2b""]` key name SHALL be included [in the `udap_authorization_extensions_supported` element of the server's UDAP metadata].",SHALL,Server,,,,"1.1.05, 2.1.05","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_auth_extensions_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_auth_extensions_supported_field" hl7.fhir.us.udap-security_1.0.0,30,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_authorization_extensions_required` [element SHALL contain when populated a]n array of zero or more recognized key names for Authorization Extension Objects required by the Authorization Server in every token request.",SHALL,Server,,,,"1.1.06, 2.1.06","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_auth_extensions_required_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_auth_extensions_required_field" hl7.fhir.us.udap-security_1.0.0,31,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_authorization_extensions_required` [element] SHALL be present if the value of the `udap_authorization_extensions_supported` parameter is not an empty array.",SHALL,Server,,,,"1.1.06, 
2.1.06","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_auth_extensions_required_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_auth_extensions_required_field" hl7.fhir.us.udap-security_1.0.0,32,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"If the Authorization Server requires the B2B Authorization Extension Object defined in [Section 5.2.1.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object) in every token request, then the following key name SHALL be included [in the `udap_authorization_extensions_required`list]: -`[""hl7-b2b""]`",SHALL,Server,,,,"","" +`[""hl7-b2b""]`",SHALL,Server,,,,3.1.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_metadata_server_capabilities_group-udap_security_authorization_extensions_required hl7.fhir.us.udap-security_1.0.0,33,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_certifications_supported` [element is] required [and SHALL contain a]n array of zero or more certification URIs supported by the Authorization Server, e.g.: `[""https://www.example.com/udap/profiles/example-certification""]`",SHALL,Server,,,,"1.1.07, 2.1.07","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_certifications_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_certifications_supported_field" hl7.fhir.us.udap-security_1.0.0,34,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_certifications_required` [element SHALL contain when populated a]n array of zero or more certification URIs required by the Authorization Server.",SHALL,Server,,,,"1.1.08, 2.1.08","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_certifications_required_field, 
udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_certifications_required_field" hl7.fhir.us.udap-security_1.0.0,35,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_certifications_required` … parameter SHALL be present if the value of the `udap_certifications_supported` parameter is not an empty array.",SHALL,Server,,,,"1.1.08, 2.1.08","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_certifications_required_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_certifications_required_field" 
@@ -61,7 +61,7 @@ hl7.fhir.us.udap-security_1.0.0,56,https://hl7.org/fhir/us/udap-security/STU1/di hl7.fhir.us.udap-security_1.0.0,57,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,"[In the JWT in the signed_metadata element SHALL contain, the claim] `authorization_endpoint`[is] REQUIRED if the authorization_endpoint parameter is included in the unsigned metadata",SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents" hl7.fhir.us.udap-security_1.0.0,58,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The JWT in the signed_metadata element SHALL contain the claim] `token_endpoint`[which is a] string containing the absolute URL of the server's token endpoint,SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents" hl7.fhir.us.udap-security_1.0.0,59,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The JWT in the signed_metadata element SHALL contain the claim] `registration_endpoint`[which is a] string containing the absolute URL of the server's registration endpoint,SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents" -hl7.fhir.us.udap-security_1.0.0,62,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,"If a server supports [the `community`] parameter and recognizes the URI value, it SHALL select a certificate intended for use within the identified trust community, if it has been issued such a 
certificate, and use that certificate when generating the signed JWT returned for the `signed_metadata` element.",SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,62,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,"If a server supports [the `community`] parameter and recognizes the URI value, it SHALL select a certificate intended for use within the identified trust community, if it has been issued such a certificate, and use that certificate when generating the signed JWT returned for the `signed_metadata` element.",SHALL,Server,,,,3.1.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_metadata_server_capabilities_group-udap_security_community_parameter_support hl7.fhir.us.udap-security_1.0.0,63,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,"If a server supports different UDAP capabilities for different communities, it MAY also return different values for other metadata elements described in [Section 2.2](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata) as appropriate for the identified community.",MAY,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,64,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,"If the server does not recognize the community URI or does not have a suitable certificate for the identified community, it MAY return a `404 Not Found` response to the metadata request to indicate that no UDAP workflows are supported by server in the context of that community, or it MAY return its default metadata, i.e. the metadata that it would have returned if the community parameter was not included in the request.",MAY,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,65,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,"If the server does not recognize the community URI or does not have a suitable certificate for the identified community, .. 
it MAY return its default metadata, i.e. the metadata that it would have returned if the community parameter was not included in the request.",MAY,Server,,,,"","" 
@@ -70,57 +70,57 @@ hl7.fhir.us.udap-security_1.0.0,89,https://hl7.org/fhir/us/udap-security/STU1/re hl7.fhir.us.udap-security_1.0.0,98,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The Authorization Server MAY consider this list [of scopes provided in the registration software statement] when deciding the scopes that it will allow the application to subsequently request.,MAY,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,105,https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body,The Authorization Server SHALL validate the registration request as per [Section 4](https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4) of UDAP Dynamic Client Registration.,SHALL,Server,,,,"1.2, 2.2","udap_security-udap_authorization_code_group-auth_code_dcr_group, udap_security-udap_client_credentials_group-client_creds_dcr_group" hl7.fhir.us.udap-security_1.0.0,106,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he iss value MUST match a uriName entry in the Subject Alternative Names extension of the Client’s certificate.,SHALL,Server,,,,"1.2.01, 2.2.01","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_failure_invalid_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_failure_invalid_contents" -hl7.fhir.us.udap-security_1.0.0,107,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he sub value MUST match the iss value,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,108,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he aud value MUST contain the Authorization Server’s registration endpoint URL,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,109,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When 
validating a registration request t]he software statement MUST be unexpired,SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,107,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he sub value MUST match the iss value,SHALL,Server,,,,3.2.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_dynamic_client_registration_group-udap_security_dynamic_client_registration_validation +hl7.fhir.us.udap-security_1.0.0,108,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he aud value MUST contain the Authorization Server’s registration endpoint URL,SHALL,Server,,,,3.2.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_dynamic_client_registration_group-udap_security_dynamic_client_registration_validation +hl7.fhir.us.udap-security_1.0.0,109,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he software statement MUST be unexpired,SHALL,Server,,,,3.2.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_dynamic_client_registration_group-udap_security_dynamic_client_registration_validation hl7.fhir.us.udap-security_1.0.0,110,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1,"If a new registration is successful, the Authorization Server SHALL return a registration response with a `201 Created` HTTP response code as per [Section 5.1](https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1) of UDAP Dynamic Client Registration",SHALL,Server,,,,"1.2.03, 2.2.03","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success" 
hl7.fhir.us.udap-security_1.0.0,111,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1,"[When responding to an authorization request that has been granted] 5.1 The top-level elements of the response SHALL include the client_id issued by the Authorization Server for use by the Client App, the software statement as submitted by the Client App, and all of the registration related parameters that were included in the software statement",SHALL,Server,,,,"1.2.04, 2.2.04","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success_contents" hl7.fhir.us.udap-security_1.0.0,112,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1,[When responding to an authorization request that has been granted] 5.1 Authorization Server MUST store the certificate provided by the Client for use to validate subsequent client authentication attempts.,SHALL,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,113,https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body,"If a new registration is successful, the Authorization Server SHALL return a registration response ... including the unique `client_id` assigned by the Authorization Server to that client app.",SHALL,Server,,,,"1.2.04, 2.2.04","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success_contents" hl7.fhir.us.udap-security_1.0.0,114,https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body,"If a new registration is not successful, e.g. 
it is rejected by the server for any reason, the Authorization Server SHALL return an error response as per [Section 5.2](https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.2) of UDAP Dynamic Client Registration.",SHALL,Server,,,,"1.2.01, 1.2.02, 2.2.01, 2.2.02","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_failure_invalid_contents, udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_failure_invalid_jwt_signature, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_failure_invalid_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_failure_invalid_jwt_signature" -hl7.fhir.us.udap-security_1.0.0,116,https://hl7.org/fhir/us/udap-security/STU1/registration.html#inclusion-of-certifications-and-endorsements,Authorization Servers SHALL ignore unsupported or unrecognized certifications,SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,116,https://hl7.org/fhir/us/udap-security/STU1/registration.html#inclusion-of-certifications-and-endorsements,Authorization Servers SHALL ignore unsupported or unrecognized certifications,SHALL,Server,,,,3.2.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_dynamic_client_registration_group-udap_security_certification_handling hl7.fhir.us.udap-security_1.0.0,117,https://hl7.org/fhir/us/udap-security/STU1/registration.html#inclusion-of-certifications-and-endorsements,Authorization Servers MAY require registration requests to include one or more certifications.,MAY,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,118,https://hl7.org/fhir/us/udap-security/STU1/registration.html#inclusion-of-certifications-and-endorsements,"If an Authorization Server requires the inclusion of a certain certification, then the Authorization Server SHALL communicate this by including the corresponding certification URI in the `udap_certifications_required` 
element of its UDAP metadata.",SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,118,https://hl7.org/fhir/us/udap-security/STU1/registration.html#inclusion-of-certifications-and-endorsements,"If an Authorization Server requires the inclusion of a certain certification, then the Authorization Server SHALL communicate this by including the corresponding certification URI in the `udap_certifications_required` element of its UDAP metadata.",SHALL,Server,,,,3.2.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_dynamic_client_registration_group-udap_security_certification_handling hl7.fhir.us.udap-security_1.0.0,119,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If an Authorization Server receives a valid registration request with a software statement containing the same `iss` value as an earlier software statement but with a different set of claims or claim values, or with a different (possibly empty) set of optional certifications and endorsements, the server SHALL treat this as a request to modify the registration parameters for the client application by replacing the information from the previous registration request with the information included in the new request.",SHALL,Server,,,,"1.2.03, 2.2.03","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success" hl7.fhir.us.udap-security_1.0.0,120,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If the registration modification request is accepted, the Authorization Server SHOULD return the same `client_id` in the registration response as for the previous registration.",SHOULD,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,121,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If it returns a different 
`client_id` [in response to a registration modification request], it SHALL cancel the registration for the previous `client_id`.",SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,121,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If it returns a different `client_id` [in response to a registration modification request], it SHALL cancel the registration for the previous `client_id`.",SHALL,Server,,,,3.2.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_dynamic_client_registration_group-udap_security_client_id_modification hl7.fhir.us.udap-security_1.0.0,122,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If an Authorization Server receives a valid registration request with a software statement that contains an empty `grant_types` array from a previously registered application, the server SHOULD interpret this as a request to cancel the previous registration.",SHOULD,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,124,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If the Authorization Server returns the same client_id in the registration response for a modification request, it SHOULD also return a `200 OK` HTTP response code.",SHOULD,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,125,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If the Authorization Server returns a new `client_id` in the registration response, the client application SHALL use only the new `client_id` in subsequent transactions with the Authorization Server.",SHOULD,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,131,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,Client applications .. 
MAY optionally support UDAP Tiered OAuth for User Authentication to allow for cross-organizational or third party user authentication as described in [Section 6](https://hl7.org/fhir/us/udap-security/STU1/user.html).,MAY,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,133,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,Servers SHALL handle and respond to authorization code requests as per [Section 4.1.2](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2) of RFC 6749.,SHALL,Server,,,,"1.3.01, 1.3.02","udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_redirect, udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received" hl7.fhir.us.udap-security_1.0.0,134,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When responding to an authorization request ]if the resource owner grants the access request… the `code` parameter [is] `REQUIRED`,SHALL,Server,,,,1.3.02,udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received -hl7.fhir.us.udap-security_1.0.0,135,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When responding to an authorization request i]f the resource owner grants the access request… the `code` parameter... MUST expire shortly after it is issued to mitigate the risk of leaks.,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,137,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,"If an authorization code is used more than once, the authorization server MUST deny the request",SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,135,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When responding to an authorization request i]f the resource owner grants the access request… the `code` parameter... 
MUST expire shortly after it is issued to mitigate the risk of leaks.,SHALL,Server,,,,3.3.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_auth_code_usage +hl7.fhir.us.udap-security_1.0.0,137,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,"If an authorization code is used more than once, the authorization server MUST deny the request",SHALL,Server,,,,3.3.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_auth_code_usage hl7.fhir.us.udap-security_1.0.0,138,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,"[When responding to an authorization request i]f the resource owner grants the access request… the `state` parameter [is] `REQUIRED`if the ""state"" parameter was present in the client authorization request",SHALL,Server,,,,1.3.02,udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received -hl7.fhir.us.udap-security_1.0.0,146,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements),SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,147,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: ...authenticate the client if client authentication is included,",SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,146,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication 
requirements),SHALL,Server,,,,"3.3.02, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-udap_security_access_token_request_validation" +hl7.fhir.us.udap-security_1.0.0,147,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: ...authenticate the client if client authentication is included,",SHALL,Server,,,,"3.3.02, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-udap_security_access_token_request_validation" hl7.fhir.us.udap-security_1.0.0,148,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: … ensure that the authorization code was issued to the authenticated confidential client, or if the client is public, ensure that the code was issued to ""client_id"" in the request,",SHALL,Server,,,,1.3.03,udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_token_exchange -hl7.fhir.us.udap-security_1.0.0,149,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: … verify that the authorization code is valid,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,150,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: … ensure that the ""redirect_uri"" parameter is present if the 
""redirect_uri"" parameter was included in the initial authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and if included ensure that their values are identical.",SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,149,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: … verify that the authorization code is valid,SHALL,Server,,,,"3.3.02, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-udap_security_access_token_request_validation" +hl7.fhir.us.udap-security_1.0.0,150,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: … ensure that the ""redirect_uri"" parameter is present if the ""redirect_uri"" parameter was included in the initial authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and if included ensure that their values are identical.",SHALL,Server,,,,"3.3.02, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-udap_security_access_token_request_validation" hl7.fhir.us.udap-security_1.0.0,172,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,An Authorization Server receiving token requests containing Authentication Tokens... 
SHALL validate and respond to the request as per [Sections 6 and 7 of UDAP JWT-Based Client Authentication](https://www.udap.org/udap-jwt-client-auth.html).,SHALL,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,173,https://www.udap.org/udap-jwt-client-auth.html,The AS validates the digital signature on the AnT [in the token request] using the public key extracted from cert1 in the x5c parameter of the JOSE header.,SHALL,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,174,https://www.udap.org/udap-jwt-client-auth.html,"If the signature cannot be validated [using the public key extracted from cert1 in the x5c parameter], the [token] request is denied.",SHALL,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,176,https://www.udap.org/udap-jwt-client-auth.html,"If a trusted chain cannot be built and validated by the AS [for certificates in the x5c parameter of the JOSE header on AnTs in token requests], the request is denied.",SHALL,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,182,https://www.udap.org/udap-jwt-client-auth.html,The AS validates any other parameters in the [token] request as per the requirements of the grant mechanism identified by the grant_type value.,SHALL,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,183,https://www.udap.org/udap-jwt-client-auth.html,"If a parameter is invalid or a required parameter is missing [on a token request], the request is denied",SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,184,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"For all successful token requests, the Authorization Server SHALL issue access tokens with a lifetime no longer than 60 minutes.",SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,184,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"For all successful token requests, the Authorization Server SHALL issue access tokens with a lifetime no longer than 60 
minutes.",SHALL,Server,,,,3.3.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_lifetime hl7.fhir.us.udap-security_1.0.0,190,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code,Servers SHALL handle and respond to authorization code requests as per [Section 4.1.2 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2).,SHALL,Server,,,,"1.3.01, 1.3.02","udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_redirect, udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received" hl7.fhir.us.udap-security_1.0.0,229,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,An Authorization Server receiving token requests containing Authentication Tokens ... SHALL validate and respond to the request as per Sections 6 and 7 of UDAP JWT-Based Client Authentication.,SHALL,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,230,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#refresh-tokens,Authorization Servers MAY issue refresh tokens to B2B [and consumer-facing] client applications that use the authorization code grant type as per [Section 5 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-5),MAY,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,238,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"Upon receiving an authorization request with a preferred IdP, the data holder first determines whether or not it trusts the IdP to perform user authentication, by retrieving and validating the IdP’s UDAP metadata from {baseURL}/.well-known/udap, as discussed in [Section 2.2](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata)",SHALL,Server,,,,"","" 
-hl7.fhir.us.udap-security_1.0.0,239,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is trusted and the data holder is not yet registered as a client with the IdP and the IdP supports UDAP Dynamic Registration, then the data holder SHALL register as a client with the IdP as per [Section 3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration) of this guide.",SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,238,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"Upon receiving an authorization request with a preferred IdP, the data holder first determines whether or not it trusts the IdP to perform user authentication, by retrieving and validating the IdP’s UDAP metadata from {baseURL}/.well-known/udap, as discussed in [Section 2.2](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata)",SHALL,Server,,,,3.8.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_identity_provider_interaction_group-udap_security_idp_metadata_validation +hl7.fhir.us.udap-security_1.0.0,239,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is trusted and the data holder is not yet registered as a client with the IdP and the IdP supports UDAP Dynamic Registration, then the data holder SHALL register as a client with the IdP as per [Section 3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration) of this guide.",SHALL,Server,,,,3.8.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_identity_provider_interaction_group-udap_security_idp_dynamic_registration hl7.fhir.us.udap-security_1.0.0,240,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is not trusted by the data holder, or if the data holder does not have and cannot obtain a client_id 
to use with the IdP, the data holder MAY reject the client app’s authorization request",MAY,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,241,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"[if the data holder rejects the request because of idP it SHALL return an error with the invalid_idp extension error code] as per [Section 4.1.2.1 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1), using the extension error code of invalid_idp.",SHALL,Server,true,,,"","" -hl7.fhir.us.udap-security_1.0.0,242,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1,"If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server ... MUST NOT automatically redirect the user-agent to the invalid redirection URI.",SHALL NOT,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,242,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1,"If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server ... MUST NOT automatically redirect the user-agent to the invalid redirection URI.",SHALL NOT,Server,,,,3.6.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_invalid_redirection_uri hl7.fhir.us.udap-security_1.0.0,243,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is not trusted by the data holder, or if the data holder does not have and cannot obtain a client_id to use with the IdP ... 
the data holder MAY attempt to authenticate the user with a different trusted IdP or its own IdP, and MAY interact with the user to determine a suitable alternative",MAY,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,245,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is trusted by the data holder, and the data holder is registered as a client with the IdP, then the data holder, acting as an OIDC client, SHALL make an authentication request to the IdP’s authorization endpoint as per [Section 3.1.2.1 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) and Section 3.4 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).",SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,246,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,Authorization Servers MUST support the use of the HTTP `GET` and `POST` methods defined in [RFC 7231](https://openid.net/specs/openid-connect-core-1_0.html#RFC7231) at the Authorization Endpoint.,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,247,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,OpenID Connect [authentication] requests MUST contain the openid scope value.,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,248,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,"[When constructing an OpenID Connect authentication request the] `response_type` parameter is REQUIRED. Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used. 
When using the Authorization Code Flow, this value is code.",SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,249,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,[When constructing an OpenID Connect authentication request the] `client_id` [parameter is] REQUIRED [and SHALL be a] Client Identifier valid at the Authorization Server.,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,250,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,[When constructing an OpenID Connect authentication request the] `redirect_uri` [parameter is] REQUIRED [and SHALL be a] Redirection URI to which the response will be sent.,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,251,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,"[When constructing an OpenID Connect authentication request] The [`redirect_uri`] URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in [Section 6.2.1 of [RFC3986]](https://openid.net/specs/openid-connect-core-1_0.html#RFC3986) (Simple String Comparison).",SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,245,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is trusted by the data holder, and the data holder is registered as a client with the IdP, then the data holder, acting as an OIDC client, SHALL make an authentication request to the IdP’s authorization endpoint as per [Section 3.1.2.1 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) and Section 3.4 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).",SHALL,Server,,,,3.8.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_identity_provider_interaction_group-udap_security_idp_authentication_request 
+hl7.fhir.us.udap-security_1.0.0,246,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,Authorization Servers MUST support the use of the HTTP `GET` and `POST` methods defined in [RFC 7231](https://openid.net/specs/openid-connect-core-1_0.html#RFC7231) at the Authorization Endpoint.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-oidc_auth_request_construction +hl7.fhir.us.udap-security_1.0.0,247,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,OpenID Connect [authentication] requests MUST contain the openid scope value.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-oidc_auth_request_construction +hl7.fhir.us.udap-security_1.0.0,248,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,"[When constructing an OpenID Connect authentication request the] `response_type` parameter is REQUIRED. Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used. 
When using the Authorization Code Flow, this value is code.",SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-oidc_auth_request_construction +hl7.fhir.us.udap-security_1.0.0,249,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,[When constructing an OpenID Connect authentication request the] `client_id` [parameter is] REQUIRED [and SHALL be a] Client Identifier valid at the Authorization Server.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-oidc_auth_request_construction +hl7.fhir.us.udap-security_1.0.0,250,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,[When constructing an OpenID Connect authentication request the] `redirect_uri` [parameter is] REQUIRED [and SHALL be a] Redirection URI to which the response will be sent.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-oidc_auth_request_construction +hl7.fhir.us.udap-security_1.0.0,251,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,"[When constructing an OpenID Connect authentication request] The [`redirect_uri`] URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in [Section 6.2.1 of [RFC3986]](https://openid.net/specs/openid-connect-core-1_0.html#RFC3986) (Simple String Comparison).",SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-oidc_auth_request_construction hl7.fhir.us.udap-security_1.0.0,252,https://www.udap.org/udap-user-auth-stu1.html,"[When UDAP Tiered OAuth for User Authentication is being requested] If... 
[the “openid” and “udap”] scope is omitted, the behavior of the IdP is entirely unspecified and the IdP SHOULD NOT proceed with the UDAP Tiered OAuth for User Authentication workflow.",SHOULD NOT,server,,,,"","" hl7.fhir.us.udap-security_1.0.0,253,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST use the authorization code flow when redirecting the user to the IdP’s authorization endpoint,SHALL,server,,,,"","" hl7.fhir.us.udap-security_1.0.0,254,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST generate its own random value for the state parameter,SHALL,server,,,,"","" 
@@ -138,27 +138,27 @@ hl7.fhir.us.udap-security_1.0.0,267,https://openid.net/specs/openid-connect-core hl7.fhir.us.udap-security_1.0.0,268,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"In this case, [when the Authentication Request contains the prompt parameter with the value none] the Authorization Server MUST return an error if an End-User is not already Authenticated or could not be silently Authenticated.",SHALL NOT,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,269,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"When interacting with the End-User [for an authentication request], the Authorization Server MUST employ appropriate measures against Cross-Site Request Forgery and Clickjacking as, described in [Sections 10.12 and 10.13 of OAuth 2.0](https://openid.net/specs/openid-connect-core-1_0.html#RFC6749) [RFC6749].",SHALL,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,270,https://www.udap.org/udap-user-auth-stu1.html,[When the IdP interacts with the user to authenticate the user] The Resource Holder MUST validate that the value of the state parameter in the query string matches the value generated in Step 3.4.,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,271,https://www.udap.org/udap-user-auth-stu1.html,"[When the IdP interacts with the user to authenticate the user] If [the value of the state parameter in the query string ] does NOT match, the Resource Holder MUST terminate this workflow by redirecting the user’s browser to the Client App’s redirection URI with an error code of “server_error” as per standard OAuth 2.0 error flow.",SHALL NOT,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,271,https://www.udap.org/udap-user-auth-stu1.html,"[When the IdP interacts with the user to authenticate the user] If [the value of the state parameter in the query string ] does NOT match, the Resource Holder MUST terminate this workflow by redirecting the user’s browser to the Client App’s redirection 
URI with an error code of “server_error” as per standard OAuth 2.0 error flow.",SHALL NOT,Server,,,,3.6.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_state_mismatch_error hl7.fhir.us.udap-security_1.0.0,272,https://www.udap.org/udap-user-auth-stu1.html,"If the Resource Holder receives ... an error response from the IdP [for an authentication request], the Resource Holder MUST first validate the value of the state parameter as described in Step 4.1",SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,273,https://www.udap.org/udap-user-auth-stu1.html,"If the state value is valid [on an error response for an authentication request], the Resource Holder MUST terminate this workflow by redirecting the user’s browser to the Client App’s redirection URI with an error code of “access_denied” as per standard OAuth 2.0 error flow,",SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,278,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,The authorization server MUST implement CSRF protection for its authorization endpoint and ensure that a malicious client cannot obtain authorization without the awareness and explicit consent of the resource owner.,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,279,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP returns a successful authentication response with valid state parameter value and an authorization code, the data holder SHALL exchange the code for an access token and ID Token by making a request to the IdP’s token endpoint as per [Section 3.1.3.1 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest) and Section 4.3 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).",SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,282,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP 
returns an ID Token, the data holder SHALL then validate the ID Token as per Section [3.1.3.5 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation).",SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,283,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The Client MUST validate the Token Response … Follow[ing] the validation rules in RFC 6749, especially those in [Sections 5.1 and 10.12](https://datatracker.ietf.org/doc/rfc6749/).",SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,284,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,[When constructing an an access token response] the `access_token` parameter [is] `REUIRED`… [and] added to the entity-body of the HTTP response with a 200 (OK) status code,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,285,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,[When constructing an an access token response] the `token_type` parameter [is] `REUIRED`… [and] added to the entity-body of the HTTP response with a 200 (OK) status code,SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,273,https://www.udap.org/udap-user-auth-stu1.html,"If the state value is valid [on an error response for an authentication request], the Resource Holder MUST terminate this workflow by redirecting the user’s browser to the Client App’s redirection URI with an error code of “access_denied” as per standard OAuth 2.0 error flow,",SHALL,Server,,,,3.6.05,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_valid_state_error_response +hl7.fhir.us.udap-security_1.0.0,278,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,The authorization server MUST implement CSRF protection for its authorization endpoint and ensure that a malicious client cannot obtain authorization without the awareness and explicit consent of the resource 
owner.,SHALL,Server,,,,3.7.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_csrf_protection +hl7.fhir.us.udap-security_1.0.0,279,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP returns a successful authentication response with valid state parameter value and an authorization code, the data holder SHALL exchange the code for an access token and ID Token by making a request to the IdP’s token endpoint as per [Section 3.1.3.1 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest) and Section 4.3 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).",SHALL,Server,,,,3.8.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_identity_provider_interaction_group-udap_security_idp_token_exchange +hl7.fhir.us.udap-security_1.0.0,282,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP returns an ID Token, the data holder SHALL then validate the ID Token as per Section [3.1.3.5 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation).",SHALL,Server,,,,3.5.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_id_token_validation +hl7.fhir.us.udap-security_1.0.0,283,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The Client MUST validate the Token Response … Follow[ing] the validation rules in RFC 6749, especially those in [Sections 5.1 and 10.12](https://datatracker.ietf.org/doc/rfc6749/).",SHALL,Server,,,,"3.5.02, 3.5.03","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_access_token_validation, 
udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_token_response_validation" +hl7.fhir.us.udap-security_1.0.0,284,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,[When constructing an an access token response] the `access_token` parameter [is] `REUIRED`… [and] added to the entity-body of the HTTP response with a 200 (OK) status code,SHALL,Server,,,,3.5.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_token_response_validation +hl7.fhir.us.udap-security_1.0.0,285,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,[When constructing an an access token response] the `token_type` parameter [is] `REUIRED`… [and] added to the entity-body of the HTTP response with a 200 (OK) status code,SHALL,Server,,,,3.5.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_token_response_validation hl7.fhir.us.udap-security_1.0.0,287,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,The authorization server MUST NOT issue client passwords or other client credentials to native application or user-agent-based application clients for the purpose of client authentication.,SHALL NOT,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,288,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The authorization server must consider the security implications of interacting with unauthenticated clients and take measures to limit the potential exposure of other credentials (e.g., refresh tokens) issued to such clients.",SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,288,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The authorization server must consider the security implications of interacting with 
unauthenticated clients and take measures to limit the potential exposure of other credentials (e.g., refresh tokens) issued to such clients.",SHALL,Server,,,,3.7.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_unauthenticated_clients hl7.fhir.us.udap-security_1.0.0,289,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The Client MUST validate the Token Response ... -Follow[ing] the ID Token validation rules in Section [3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).",SHALL,Server,,,,"","" +Follow[ing] the ID Token validation rules in Section [3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).",SHALL,Server,,,,3.5.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_id_token_validation hl7.fhir.us.udap-security_1.0.0,290,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The Client MUST validate the Token Response ... 
-Follow[ing] the Access Token validation rules in Section [3.1.3.8](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation)",SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,291,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP does not return an ID Token, or the ID Token cannot be successfully validated, or an error response is retured by the IdP, the data holder MAY return an `invalid_idp` error code to the client app or attempt an alternate user authentication",SHALL,Server,,,,"","" +Follow[ing] the Access Token validation rules in Section [3.1.3.8](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation)",SHALL,Server,,,,3.5.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_access_token_validation +hl7.fhir.us.udap-security_1.0.0,291,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP does not return an ID Token, or the ID Token cannot be successfully validated, or an error response is retured by the IdP, the data holder MAY return an `invalid_idp` error code to the client app or attempt an alternate user authentication",SHALL,Server,,,,3.6.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_invalid_id_token_error hl7.fhir.us.udap-security_1.0.0,292,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"When an ID Token has been returned and validated, the data holder SHOULD use the ID Token to attempt to match the authenticated user to a user or role in its own system, as appropriate for the resources requested.",SHOULD,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,293,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"the data holder 
can attempt to map the pair (`iss`,`sub`) to a known users in the data holder’s system.",MAY,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,294,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder has previously performed this mapping or has otherwise bound the pair (`iss`,`sub`) to a local user or role, it MAY rely on this previous mapping for subsequent authentications",MAY,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,295,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,the data holder MAY interact with the user following the redirection from the IdP back to the data holder’s redirection URI to increase confidence in the [role] resolution process.,MAY,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,296,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder is unable to resolve the authenticated user to a local user or role, as appropriate for the resources requested, it SHALL return an `access_denied` error response to the client app’s authorization request and terminate the workflow.",SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,296,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder is unable to resolve the authenticated user to a local user or role, as appropriate for the resources requested, it SHALL return an `access_denied` error response to the client app’s authorization request and terminate the workflow.",SHALL,Server,,,,3.6.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_unauthenticated_user_error hl7.fhir.us.udap-security_1.0.0,297,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder successfully maps the 
authenticated user to a user or role in its own system, as appropriate for the resources requested, it SHALL also obtain authorization from the user for the scopes requested by the client app, if such authorization is required, as per Section [4.5 of UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html), returning to the workflow defined in [Section 4.1](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code) or [Section 5.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code) of this guide, for consumer-facing or B2B apps, respectively.",SHALL,Server,,,,"",""
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb
index 5595964..e269b20 100644
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb
@@ -10,7 +10,7 @@ class TokenRequestAuthenticationAttestationTest < Inferno::Test
 is a Confidential Client.
 )
 verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@144',
- 'openid.connect.core@280'
+ 'hl7.fhir.us.udap-security_1.0.0@280'
 
 input :token_request_authentication_correctly,
 title: 'Authenticates correctly when making token requests',
From 2dc1d49ea9df241df12e42af61b937ce87bb6f8b Mon Sep 17 00:00:00 2001
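Review bot: The new row for requirement 291 keeps `SHALL` in the conformance column even though the quoted text says the data holder `MAY` return an `invalid_idp` error code or attempt an alternate user authentication, and the row is now mapped to attestation 3.6.01 (`udap_security_invalid_id_token_error`); an attestation built from this row would present as mandatory a behaviour the IG leaves to the data holder's discretion. The conformance for that row should read `MAY`, or the quote should be narrowed to whatever part is actually normative. Row 271 looks like the opposite mismatch: the quoted text is an affirmative `MUST terminate this workflow by redirecting … "server_error"` while the column reads `SHALL NOT`, so confirm which reading the attestation test encodes. The new rows for 284 and 285 also carry `REUIRED` inside the bracketed quote, which appears to be a transcription slip rather than spec text.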
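Review bot: The retargeted requirement id `'hl7.fhir.us.udap-security_1.0.0@280'` cannot be checked against anything in this patch: the server-side coverage hunk above skips from row 279 to row 282, so no row 280 is visible, and a `verifies_requirements` reference to a row absent from the coverage CSV would leave this attestation silently unlinked rather than fail loudly. Please confirm that row 280 exists in the coverage CSV (it was previously keyed as `openid.connect.core@280`, so it may live under a different requirement set) and that it is the client-authentication requirement this test attests to. The enclosing class `TokenRequestAuthenticationAttestationTest` starts before and ends after this hunk.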
From: Christine Duong Date: Tue, 15 Jul 2025 16:55:16 -0400 Subject: [PATCH 08/13] Fix indentations; added some links --- .../client/client_authorization_code_usage_test.rb | 8 +++++--- .../client/jti_reuse_prevention_test.rb | 4 ++-- .../client/metadata_interpretation_test.rb | 6 +++--- .../client/preferred_identity_provider_test.rb | 4 ++-- .../client/private_key_authentication_test.rb | 10 ++++++---- .../client/token_request_authentication_test.rb | 14 ++++++++------ .../access_token_validation_test.rb | 4 ++-- .../id_token_validation_test.rb | 4 ++-- .../token_response_validation_test.rb | 4 ++-- .../idp_dynamic_registration_test.rb | 4 ++-- .../idp_metadata_validation_test.rb | 4 ++-- .../authentication_request_construction_test.rb | 8 ++++---- .../authentication_request_validation_test.rb | 10 +++++----- .../csrf_protection_test.rb | 4 ++-- .../unauthenticated_client_security_test.rb | 4 ++-- 15 files changed, 49 insertions(+), 43 deletions(-)
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_authorization_code_usage_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_authorization_code_usage_test.rb
index 6852db4..a8b8a1e 100644
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_authorization_code_usage_test.rb
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_authorization_code_usage_test.rb
@@ -4,8 +4,9 @@ class ClientAuthorizationCodeUsageAttestationTest < Inferno::Test id :udap_security_client_auth_code_usage description %( Client application uses the authorization code correctly by: - - Ensuring the authorization code is not used more than once. - - Requesting an authorization code as per Section 4.1.1 of RFC 6749. + - Ensuring the authorization code is not used more than once. + - Requesting an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) + of RFC 6749. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@136', 'hl7.fhir.us.udap-security_1.0.0@188' @@ -15,7 +16,8 @@ class ClientAuthorizationCodeUsageAttestationTest < Inferno::Test description: %( I attest that the client application uses the authorization code correctly by: - Ensuring the authorization code is not used more than once. - - Requesting an authorization code as per Section 4.1.1 of RFC 6749. + - Requesting an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) + of RFC 6749. ), type: 'radio', default: 'false', diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb index a0499c1..cf879d8 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb 
@@ -4,8 +4,8 @@ class JTIReusePreventionAttestationTest < Inferno::Test id :udap_security_jti_reuse_prevention description %( Client application prevents reuse of JTI values in authentication tokens by: - - Ensuring the `jti` parameter is not reused in another authentication JWT before the time specified - in the `exp` claim has passed. + - Ensuring the `jti` parameter is not reused in another authentication JWT before the time specified + in the `exp` claim has passed. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@159' diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb index b5fdb21..ad8d644 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb @@ -4,9 +4,9 @@ class MetadataInterpretationAttestationTest < Inferno::Test id :udap_security_metadata_interpretation description %( Client application interprets metadata correctly by: - - Interpreting an empty array value in metadata as indicating that the corresponding capability is - NOT supported by the server. - - Using applicable values returned in a server’s UDAP metadata for workflows defined in this guide. + - Interpreting an empty array value in metadata as indicating that the corresponding capability is + NOT supported by the server. + - Using applicable values returned in a server’s UDAP metadata for workflows defined in this guide. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@20', 'hl7.fhir.us.udap-security_1.0.0@21' diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb index 5181c20..35b1746 100644 
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb @@ -4,8 +4,8 @@ class PreferredIdentityProviderAttestationTest < Inferno::Test id :udap_security_preferred_idp description %( Client application indicates the preferred Identity Provider (IdP) to the data holder by: - - Adding `udap` to the list of scopes provided in the `scope` query parameter. - - Adding the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP. + - Adding `udap` to the list of scopes provided in the `scope` query parameter. + - Adding the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@236', 'hl7.fhir.us.udap-security_1.0.0@237' diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb index 8a8068e..1d15db7 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb 
@@ -3,9 +3,10 @@ class PrivateKeyAuthenticationAttestationTest < Inferno::Test title 'Uses private key authentication correctly' id :udap_security_private_key_authentication description %( - Client application uses private key authentication correctly by: - - Omitting the HTTP Authorization header and client secret in token endpoint requests when authenticating - with a private key and Authentication Token. + Client application uses private key authentication correctly as per + Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) by: + - Omitting the HTTP Authorization header and client secret in token endpoint requests when authenticating + with a private key and Authentication Token. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@164', 'hl7.fhir.us.udap-security_1.0.0@224' @@ -13,7 +14,8 @@ class PrivateKeyAuthenticationAttestationTest < Inferno::Test input :private_key_authentication_correctly, title: 'Uses private key authentication correctly', description: %( - I attest that the client application uses private key authentication correctly by: + I attest that the client application uses private key authentication correctly as per + Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) by: - Omitting the HTTP Authorization header and client secret in token endpoint requests when authenticating with a private key and Authentication Token. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb index e269b20..d5af6a4 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb 
@@ -3,11 +3,12 @@ class TokenRequestAuthenticationAttestationTest < Inferno::Test title 'Authenticates correctly when making token requests' id :udap_security_token_request_authentication description %( - Client application authenticates correctly when making token requests by: - - Including the `client_id` parameter in the token request if the client is not authenticating with the - authorization server. - - Authenticating to the Token Endpoint using the method registered for its `client_id` if the client - is a Confidential Client. + Client application authenticates correctly when making token requests as described in + [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1) by: + - Including the `client_id` parameter in the token request if the client is not authenticating with the + authorization server. + - Authenticating to the Token Endpoint using the method registered for its `client_id` if the client + is a Confidential Client. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@144', 'hl7.fhir.us.udap-security_1.0.0@280' @@ -15,7 +16,8 @@ class TokenRequestAuthenticationAttestationTest < Inferno::Test input :token_request_authentication_correctly, title: 'Authenticates correctly when making token requests', description: %( - I attest that the client application authenticates correctly when making token requests by: + I attest that the client application authenticates correctly when making token requests as + described in in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1) by: - Including the `client_id` parameter in the token request if the client is not authenticating with the authorization server. - Authenticating to the Token Endpoint using the method registered for its `client_id` if the client 
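Review bot: The new input description in the `@@ -15,7 +16,8` hunk reads `as described in in [Section 3.2.1]` — a doubled "in" that will render in the attestation form; one should go: `described in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1) by:`. The test-level description rewritten in the first hunk on this file has the correct wording, so the two strings currently diverge as well. Both hunks sit inside a class body that continues beyond them.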
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb index 6b4328b..8fc3cc2 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb @@ -5,8 +5,8 @@ class AccessTokenValidationAttestationTest < Inferno::Test description %( Data Holder validates the Access Token as per the Access Token validation rules, including: - - Verifying the token's integrity. - - Checking claims such as `exp` and other relevant attributes. + - Verifying the token's integrity. + - Checking claims such as `exp` and other relevant attributes. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@283', 'hl7.fhir.us.udap-security_1.0.0@290' diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb index 4c2705c..56ae333 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb 
@@ -4,8 +4,8 @@ class IDTokenValidationAttestationTest < Inferno::Test id :udap_security_id_token_validation description %( Data Holder validates the ID Token as per OIDC Core specifications, including: - - Verifying the token's signature. - - Checking claims such as `iss`, `aud`, and `exp`. + - Verifying the token's signature. + - Checking claims such as `iss`, `aud`, and `exp`. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@282', 'hl7.fhir.us.udap-security_1.0.0@289' diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb index 3af50b9..03b47a6 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb @@ -4,8 +4,8 @@ class TokenResponseValidationAttestationTest < Inferno::Test id :udap_security_token_response_validation description %( Client validates the Token Response as per RFC 6749 and OIDC Core specifications, including: - - Ensuring the presence of `access_token` and `token_type` parameters. - - Validating the response structure and data integrity. + - Ensuring the presence of `access_token` and `token_type` parameters. + - Validating the response structure and data integrity. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@283', 'hl7.fhir.us.udap-security_1.0.0@284', 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb index 86a618b..bf13bf8 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb @@ -4,8 +4,8 @@ class IdPDynamicRegistrationAttestationTest < Inferno::Test id :udap_security_idp_dynamic_registration description %( Data Holder registers as a client with the IdP if: - - The IdP is trusted. - - The IdP supports UDAP Dynamic Registration. + - The IdP is trusted. + - The IdP supports UDAP Dynamic Registration. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@239' diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb index f6d2eff..b2b852c 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb 
@@ -4,8 +4,8 @@ class IdPMetadataValidationAttestationTest < Inferno::Test id :udap_security_idp_metadata_validation description %( Data Holder validates the IdP’s UDAP metadata to determine trustworthiness, including: - - Verifying the authenticity of the metadata. - - Ensuring the metadata meets UDAP specifications. + - Verifying the authenticity of the metadata. + - Ensuring the metadata meets UDAP specifications. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@238' diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb index d8db54b..6370a79 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb 
@@ -4,10 +4,10 @@ class AuthenticationRequestConstructionAttestationTest < Inferno::Test id :oidc_auth_request_construction description %( Authorization Server complies ith OpenID Connect requirements and ensures: - - HTTP GET and POST methods are supported at the Authorization Endpoint. - - The `openid` scope value is included in requests. - - Required parameters (`response_type`, `client_id`, `redirect_uri`) are present and valid. - - The `redirect_uri` exactly matches pre-registered values. + - HTTP GET and POST methods are supported at the Authorization Endpoint. + - The `openid` scope value is included in requests. + - Required parameters (`response_type`, `client_id`, `redirect_uri`) are present and valid. + - The `redirect_uri` exactly matches pre-registered values. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@246', 'hl7.fhir.us.udap-security_1.0.0@247', diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb index b03a413..984d065 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb 
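Review bot: The context line `Authorization Server complies ith OpenID Connect requirements and ensures:` has a typo (`ith` for `with`) that this indentation fix leaves in place, and it is the first line of the rendered test description; since the same `%(` string is being edited, change it to `Authorization Server complies with OpenID Connect requirements and ensures:`. The sibling validation test in the next hunk (`@@ -4,11 +4,11`) already reads `complies with`, so the fix also makes the two descriptions consistent. The class continues outside the hunk.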
@@ -4,11 +4,11 @@ class AuthenticationRequestValidationAttestationTest < Inferno::Test id :oidc_auth_request_validation description %( Authorization Server complies with OpenID Connect requirements and ensures: - - Validation of all OAuth 2.0 parameters. - - Verification that the `scope` parameter contains the `openid` value. - - Required parameters are present and conform to the specification. - - Proper handling of the `sub` Claim, `id_token_hint`, and `prompt` parameter. - - Implementation of CSRF and Clickjacking protections. + - Validation of all OAuth 2.0 parameters. + - Verification that the `scope` parameter contains the `openid` value. + - Required parameters are present and conform to the specification. + - Proper handling of the `sub` Claim, `id_token_hint`, and `prompt` parameter. + - Implementation of CSRF and Clickjacking protections. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@258', 'hl7.fhir.us.udap-security_1.0.0@259', diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb index cb43929..6530ab1 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb @@ -4,8 +4,8 @@ class CSRFProtectionAttestationTest < Inferno::Test id :udap_security_csrf_protection description %( Authorization Server implements CSRF protection for its authorization endpoint, including mechanisms such as: - - Use of anti-CSRF tokens. - - Validation of `state` parameter to prevent cross-site request forgery. + - Use of anti-CSRF tokens. + - Validation of `state` parameter to prevent cross-site request forgery. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@278' 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb index 43f2af8..9065d66 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb @@ -5,8 +5,8 @@ class UnauthenticatedClientSecurityAttestationTest < Inferno::Test description %( I attest that the Authorization Server considers security implications when interacting with unauthenticated clients, including: - - Restricting access to sensitive endpoints. - - Implementing rate limiting or other protective measures. + - Restricting access to sensitive endpoints. + - Implementing rate limiting or other protective measures. ) verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@288' From ce1df91309a7be56227aeacacc07f16782d7067f Mon Sep 17 00:00:00 2001 
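Review bot: The test-level `description %(` in this hunk opens with `I attest that the Authorization Server considers security implications ...`, which is the phrasing the other tests in this series use only for the `input` description (compare `Data Holder validates the IdP’s UDAP metadata ...` in the idp_metadata_validation hunk above); the re-indented bullets inherit that first-person framing in the test summary. Since the string is already being touched, the first line could read `Authorization Server considers security implications when interacting with` so the test summary is a statement rather than an attestation. The class body continues outside the hunk.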
From: Christine Duong Date: Tue, 15 Jul 2025 17:46:01 -0400 Subject: [PATCH 09/13] Separate tests --- ...b2b_authorization_extension_object_test.rb | 112 +++--------------- .../client_security_csrf_protection_test.rb | 70 ++--------- .../data_holder_auth_request_scope_test.rb | 42 +++++++ .../idp_authentication_compliance_test.rb | 44 +++++++ ...opes_identity_provider_interaction_test.rb | 106 ----------------- .../software_statement_registration_test.rb | 51 ++------ .../client/validation_confidentiality_test.rb | 46 ++----- 7 files changed, 131 insertions(+), 340 deletions(-) create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/client/data_holder_auth_request_scope_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_authentication_compliance_test.rb delete mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb index dcf41a1..7e3a059 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb 
@@ -19,11 +19,17 @@ class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@220', 'hl7.fhir.us.udap-security_1.0.0@221' - input :subject_name_compliance, - title: 'Includes `subject_name` if known', + input :b2b_authorization_extension_object_compliance, + title: 'Complies with requirements for the B2B Authorization Extension Object', description: %( - I attest that the client application includes the `subject_name` parameter if it is known for human - or non-human requestors. + I attest that the client applications complies with requirements for the B2B Authorization Extension Object + and: + - Includes `subject_name` parameter if it is known for human or non-human requestors. + - Includes `subject_id` parameter for human requestors when the `subject_name` parameter is present. + - Uses the National Provider Identifier (NPI) as the value for `subject_id` for human requestors in the US + Realm. + - Ensures that the `consent_reference` parameter includes URLs that are resolvable by the receiving party + - Omits `consent_reference` if `consent_policy` is not present. ), type: 'radio', default: 'false', 
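Review bot: The new input description reads `I attest that the client applications complies with requirements` — subject/verb mismatch; it should be `I attest that the client application complies with requirements`. In the same list the `consent_reference` bullet is the only one without a terminal period (`... resolvable by the receiving party`). Folding five distinct attestations (`subject_name`, `subject_id`, NPI, resolvable `consent_reference`, omission without `consent_policy`) into one radio input means a single `No` now fails every requirement id this test lists, and the generic message in the `@@ -39,103 +45,17 @@` hunk (`did not comply with requirements for the B2B Authorization Extension Object`) no longer says which bullet was not met; if the bundling is intended, the note field could be retitled to ask which bullet failed, e.g. `title: 'Notes (which requirement was not met, if any):'`. The same traceability point applies to the CSRF consolidation in client_security_csrf_protection_test.rb below.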
@@ -39,103 +45,17 @@ class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test } ] } - input :subject_name_compliance_note, - title: 'Notes, if applicable:', - type: 'textarea', - optional: true - - input :subject_id_compliance, - title: 'Includes `subject_id` for human requestors when `subject_name` is present', - description: %( - I attest that the client application includes the `subject_id` parameter for human requestors when the - `subject_name` parameter is present. - ), - type: 'radio', - default: 'false', - options: { - list_options: [ - { - label: 'Yes', - value: 'true' - }, - { - label: 'No', - value: 'false' - } - ] - } - input :subject_id_compliance_note, - title: 'Notes, if applicable:', - type: 'textarea', - optional: true - - input :subject_id_npi_compliance, - title: 'Uses NPI for `subject_id` in US Realm human requestors', - description: %( - I attest that the client application uses the National Provider Identifier (NPI) as the value for - `subject_id` for human requestors in the US Realm. - ), - type: 'radio', - default: 'false', - options: { - list_options: [ - { - label: 'Yes', - value: 'true' - }, - { - label: 'No', - value: 'false' - } - ] - } - input :subject_id_npi_compliance_note, - title: 'Notes, if applicable:', - type: 'textarea', - optional: true - - input :consent_reference_compliance, - title: 'Ensures `consent_reference` URLs are resolvable', - description: %( - I attest that the client application ensures that the `consent_reference` parameter includes URLs that - are resolvable by the receiving party and omits `consent_reference` if `consent_policy` is not present. 
- ), - type: 'radio', - default: 'false', - options: { - list_options: [ - { - label: 'Yes', - value: 'true' - }, - { - label: 'No', - value: 'false' - } - ] - } - input :consent_reference_compliance_note, + input :b2b_authorization_extension_object_compliance_note, title: 'Notes, if applicable:', type: 'textarea', optional: true run do - assert subject_name_compliance == 'true', - 'Client application did not include `subject_name` when it was known.' - pass subject_name_compliance_note if subject_name_compliance_note.present? - - assert subject_id_compliance == 'true', - 'Client application did not include `subject_id` for human requestors when `subject_name` was present.' - pass subject_id_compliance_note if subject_id_compliance_note.present? - - assert subject_id_npi_compliance == 'true', - 'Client application did not use NPI for `subject_id` for human requestors in the US Realm.' - pass subject_id_npi_compliance_note if subject_id_npi_compliance_note.present? - - assert consent_reference_compliance == 'true', - 'Client application did not ensure `consent_reference` URLs were resolvable or omitted `consent_reference` - when `consent_policy` was not present.' - pass consent_reference_compliance_note if consent_reference_compliance_note.present? + assert b2b_authorization_extension_object_compliance == 'true', + 'Client application did not comply with requirements for the B2B Authorization Extension Object.' + if b2b_authorization_extension_object_compliance_note.present? + pass b2b_authorization_extension_object_compliance_note + end end end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb index 717fc54..0565cbd 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb 
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb @@ -14,10 +14,13 @@ class ClientSecurityAndCSRFProtectionAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@277' input :csrf_protection_implementation, - title: 'Implements CSRF protection for its redirection URI', + title: 'Complies with the requirements for Client Security and CSRF Protection', description: %( - I attest that the client application implements CSRF protection for its redirection URI to prevent - cross-site request forgery attacks. + I attest that the client application complies with the requirements for Client Security and CSRF Protection: + - Implements CSRF protection for its redirection URI. + - Uses a binding value for CSRF protection that contains a non-guessable value. + - Ensures the user-agent's authenticated state is accessible only to the client and user-agent, protected by + the same-origin policy. ), type: 'radio', default: 'false', 
@@ -38,69 +41,10 @@ class ClientSecurityAndCSRFProtectionAttestationTest < Inferno::Test type: 'textarea', optional: true - input :csrf_binding_value_compliance, - title: 'Uses a non-guessable binding value for CSRF protection', - description: %( - I attest that the client application uses a binding value for CSRF protection that contains a non-guessable - value to ensure security. - ), - type: 'radio', - default: 'false', - options: { - list_options: [ - { - label: 'Yes', - value: 'true' - }, - { - label: 'No', - value: 'false' - } - ] - } - input :csrf_binding_value_compliance_note, - title: 'Notes, if applicable:', - type: 'textarea', - optional: true - - input :authenticated_state_protection, - title: 'Ensures authenticated state is protected by same-origin policy', - description: %( - I attest that the client application ensures the user-agent's authenticated state is stored in a location - accessible only to the client and user-agent, protected by the same-origin policy. - ), - type: 'radio', - default: 'false', - options: { - list_options: [ - { - label: 'Yes', - value: 'true' - }, - { - label: 'No', - value: 'false' - } - ] - } - input :authenticated_state_protection_note, - title: 'Notes, if applicable:', - type: 'textarea', - optional: true - run do assert csrf_protection_implementation == 'true', - 'Client application did not implement CSRF protection for its redirection URI.' + 'Client application did not comply with the requirements for Client Security and CSRF Protection.' pass csrf_protection_implementation_note if csrf_protection_implementation_note.present? - - assert csrf_binding_value_compliance == 'true', - 'Client application did not use a non-guessable binding value for CSRF protection.' - pass csrf_binding_value_compliance_note if csrf_binding_value_compliance_note.present? - - assert authenticated_state_protection == 'true', - 'Client application did not ensure the user-agent\'s authenticated state is protected by the same-origin - policy.' 
- pass authenticated_state_protection_note if authenticated_state_protection_note.present? end end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/data_holder_auth_request_scope_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/data_holder_auth_request_scope_test.rb new file mode 100644 index 0000000..4b47adb --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/data_holder_auth_request_scope_test.rb @@ -0,0 +1,42 @@ +module UDAPSecurityTestKit + class DataHolderAuthRequestScopeAttestationTest < Inferno::Test + title 'Data Holder Authentication Request Contains `openid` and `udap` Scopes' + id :udap_security_data_holder_auth_request_scope + description %( + Data holder's authentication request to the Identity Provider includes both + `openid` and `udap` in the `scope` query parameter. + ) + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@256' + + input :auth_request_scope_contains_openid_udap, + title: 'Authentication request `scope` contains `openid` and `udap`', + description: %( + I attest that the data holder's authentication request to the Identity Provider includes both + `openid` and `udap` in the `scope` query parameter. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :auth_request_scope_contains_openid_udap_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert auth_request_scope_contains_openid_udap == 'true', + 'Authentication request did not include both `openid` and `udap` in the `scope` query parameter.' + pass auth_request_scope_contains_openid_udap_note if auth_request_scope_contains_openid_udap_note.present? + end + end +end 
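Review bot: The new test's `title` is written in Title Case (`Data Holder Authentication Request Contains ... Scopes`) while the other attestation tests in this series use sentence case (`Uses private key authentication correctly`, `Authenticates correctly when making token requests`); lower-casing everything after the first word would match. The same applies to the `title` of `IdPAuthenticationComplianceAttestationTest` in the next file. Both new files also live under `client/` although their descriptions attest to data-holder and Identity Provider behaviour respectively, so if the directory is meant to reflect the attested actor they may belong with the `server/` groups — that is inferred from the paths, not stated by the hunk.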
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_authentication_compliance_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_authentication_compliance_test.rb new file mode 100644 index 0000000..db542de --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_authentication_compliance_test.rb @@ -0,0 +1,44 @@ +module UDAPSecurityTestKit + class IdPAuthenticationComplianceAttestationTest < Inferno::Test + title 'Identity Provider Authenticates User per OIDC Core and UDAP Tiered OAuth' + id :udap_security_idp_authentication_compliance + description %( + The Identity Provider authenticates the user according to + [Sections 3.1.2.2 - 3.1.2.6 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation) + and Sections 4.1 - 4.2 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html). + ) + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@257' + + input :idp_authenticates_per_spec, + title: 'IdP authenticates user per OIDC Core and UDAP Tiered OAuth', + description: %( + I attest that the Identity Provider authenticates the user according to + [Sections 3.1.2.2 - 3.1.2.6 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation) + and Sections 4.1 - 4.2 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html). + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + input :idp_authenticates_per_spec_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert idp_authenticates_per_spec == 'true', + 'Identity Provider did not authenticate the user as per OIDC Core and UDAP Tiered OAuth specifications.' + pass idp_authenticates_per_spec_note if idp_authenticates_per_spec_note.present? + end + end +end 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb
deleted file mode 100644
index bb3b4ea..0000000
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/scopes_identity_provider_interaction_test.rb
+++ /dev/null
@@ -1,106 +0,0 @@
-module UDAPSecurityTestKit
- class ScopesAndIdentityProviderInteractionAttestationTest < Inferno::Test
- title 'Complies with Scopes and Identity Provider Interaction'
- id :udap_security_scopes_identity_provider_interaction
- description %(
- Client applications complies with the requirements for Scopes and Identity Provider Interaction:
- - Client application includes `udap` in the list of scopes provided in the `scope` query
- parameter to indicate the preferred Identity Provider.
- - Client application authenticates the user according to the OIDC Core and UDAP Tiered OAuth specifications.
- - Identity Provider authenticates the user according to the OIDC Core and UDAP Tiered OAuth specifications.
- )
- verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@236',
- 'hl7.fhir.us.udap-security_1.0.0@256',
- 'hl7.fhir.us.udap-security_1.0.0@257'
-
- input :scope_includes_udap,
- title: 'Includes `udap` in the `scope` query parameter',
- description: %(
- I attest that the client application includes `udap` in the list of scopes provided in the `scope` query
- parameter to indicate the preferred Identity Provider.
- ),
- type: 'radio',
- default: 'false',
- options: {
- list_options: [
- {
- label: 'Yes',
- value: 'true'
- },
- {
- label: 'No',
- value: 'false'
- }
- ]
- }
- input :scope_includes_udap_note,
- title: 'Notes, if applicable:',
- type: 'textarea',
- optional: true
-
- input :scope_contains_openid_udap,
- title: 'Ensures `scope` query parameter contains `openid` and `udap`',
- description: %(
- I attest that the client application ensures the `scope` query parameter of the authentication request
- contains at least the values `openid` and `udap`.
- ),
- type: 'radio',
- default: 'false',
- options: {
- list_options: [
- {
- label: 'Yes',
- value: 'true'
- },
- {
- label: 'No',
- value: 'false'
- }
- ]
- }
- input :scope_contains_openid_udap_note,
- title: 'Notes, if applicable:',
- type: 'textarea',
- optional: true
-
- input :idp_authentication_compliance,
- title: 'Authenticates user as per OIDC Core and UDAP Tiered OAuth specifications',
- description: %(
- I attest that the Identity Provider authenticates the user according to the OIDC Core and UDAP Tiered
- OAuth specifications.
- ),
- type: 'radio',
- default: 'false',
- options: {
- list_options: [
- {
- label: 'Yes',
- value: 'true'
- },
- {
- label: 'No',
- value: 'false'
- }
- ]
- }
- input :idp_authentication_compliance_note,
- title: 'Notes, if applicable:',
- type: 'textarea',
- optional: true
-
- run do
- assert scope_includes_udap == 'true',
- 'Client application did not include `udap` in the `scope` query parameter to indicate the preferred
- Identity Provider.'
- pass scope_includes_udap_note if scope_includes_udap_note.present?
-
- assert scope_contains_openid_udap == 'true',
- 'Client application did not ensure the `scope` query parameter contains at least `openid` and `udap`.'
- pass scope_contains_openid_udap_note if scope_contains_openid_udap_note.present?
-
- assert idp_authentication_compliance == 'true',
- 'Identity Provider did not authenticate the user as per OIDC Core and UDAP Tiered OAuth specifications.'
- pass idp_authentication_compliance_note if idp_authentication_compliance_note.present?
- end
- end
-end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb
index fdedf73..8a435e4 100644
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb
@@ -3,7 +3,7 @@ class SoftwareStatementAndRegistrationAttestationTest < Inferno::Test
 title 'Complies with Software Statement and Registration'
 id :udap_security_software_statement_registration
 description %(
- Client complies with the requirements for Software Statement and Registration:
+ Client application complies with the requirements for Software Statement and Registration:
 - Ensures that the `jti` claim in the JWT is not reused in another software statement or authentication JWT
 before the time specified in the `exp` claim has passed.
 - Interprets a registration response containing an empty `grant_types` array as a confirmation that the
@@ -12,11 +12,14 @@ class SoftwareStatementAndRegistrationAttestationTest < Inferno::Test
 verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@82',
 'hl7.fhir.us.udap-security_1.0.0@123'
 
- input :jti_reuse_compliance,
- title: 'Ensures that the `jti` claim in the JWT is not reused before the `exp` claim has passed',
+ input :software_statement_registration_compliance,
+ title: 'Complies with the requirements for Software Statement and Registration',
 description: %(
- I attest that the client application ensures that the `jti` claim in the JWT is not reused in another
- software statement or authentication JWT before the time specified in the `exp` claim has passed.
+ I attest that the client application complies with the requirements for Software Statement and Registration:
+ - Ensures that the `jti` claim in the JWT is not reused in another software statement or authentication JWT
+ before the time specified in the `exp` claim has passed.
+ - Interprets a registration response containing an empty `grant_types` array as a confirmation that the
+ registration for the `client_id` listed in the response has been cancelled by the Authorization Server.
 ),
 type: 'radio',
 default: 'false',
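Review bot: The same two-bullet requirement list now appears twice in this file — in the test `description` (first hunk) and again verbatim in the `description:` of `input :software_statement_registration_compliance` (second hunk) — so a later edit to one copy is likely to leave the other stale. If the duplication is intentional for the UI, a comment above the input description such as `# Mirrors the test description above; keep both in sync.` would flag that; otherwise the input description can be shortened to `I attest that the client application complies with the requirements for Software Statement and Registration listed in the test description.` and the bullets kept in one place. The enclosing class continues outside both hunks.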
@@ -32,45 +35,15 @@ class SoftwareStatementAndRegistrationAttestationTest < Inferno::Test
 }
 ]
 }
- input :jti_reuse_compliance_note,
- title: 'Notes, if applicable:',
- type: 'textarea',
- optional: true
-
- input :grant_types_empty_array_compliance,
- title: 'Interprets empty `grant_types` array as registration cancellation',
- description: %(
- I attest that the client application interprets a registration response containing an empty `grant_types`
- array as a confirmation that the registration for the `client_id` listed in the response has been
- cancelled by the Authorization Server.
- ),
- type: 'radio',
- default: 'false',
- options: {
- list_options: [
- {
- label: 'Yes',
- value: 'true'
- },
- {
- label: 'No',
- value: 'false'
- }
- ]
- }
- input :grant_types_empty_array_compliance_note,
+ input :software_statement_registration_compliance_note,
 title: 'Notes, if applicable:',
 type: 'textarea',
 optional: true
 
 run do
- assert jti_reuse_compliance == 'true',
- 'Client application reused the `jti` claim before the `exp` claim has passed.'
- pass jti_reuse_compliance_note if jti_reuse_compliance_note.present?
-
- assert grant_types_empty_array_compliance == 'true',
- 'Client application did not interpret an empty `grant_types` array as registration cancellation.'
- pass grant_types_empty_array_compliance_note if grant_types_empty_array_compliance_note.present?
+ assert software_statement_registration_compliance == 'true',
+ 'Client application did not comply with the requirements for Software Statement and Registration.'
+ pass software_statement_registration_compliance_note if software_statement_registration_compliance_note.present?
 end
 end
 end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb
index 5a21b65..57fe724 100644
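Review bot: After collapsing the two attestations into the single `assert software_statement_registration_compliance == 'true'`, a 'No' answer no longer records whether the `jti` reuse rule (@82) or the empty `grant_types` interpretation (@123) was the unmet one, and the only place that distinction could be written — the optional note — is surfaced solely by the `pass` call, which runs only after the assertion has already succeeded. Consider prompting for it in the note input, e.g. `title: 'Notes, if applicable (state which requirement is not met, if any):'`, or appending the note to the failure message so the distinction survives into the result. Both requirement IDs still map to this one test in the coverage CSV later in this series, so the per-requirement outcome is otherwise lost.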
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb
@@ -12,11 +12,14 @@ class ValidationAndConfidentialityAttestationTest < Inferno::Test
 verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@274',
 'hl7.fhir.us.udap-security_1.0.0@286'
 
- input :state_parameter_validation,
- title: 'Complies with Validation and Confidentiality',
+ input :validation_confidentiality_compliance,
+ title: 'Complies with requirements for Validation and Confidentiality',
 description: %(
- I attest that the client application validates the `state` parameter returned by the Resource Holder in
- response to an authorization request to ensure it matches the value sent in the original request.
+ I attest that the client applications complies with the requirements for Validation and Confidentiality:
+ - Validates the `state` parameter returned by the Resource Holder in response to an authorization request to
+ ensure it matches the value sent in the original request.
+ - Ensures confidentiality of client passwords and other client credentials by securely storing and
+ transmitting them.
 ),
 type: 'radio',
 default: 'false',
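Review bot: The new input description has a subject/verb mismatch, `I attest that the client applications complies with ...`; it should read `I attest that the client application complies with the requirements for Validation and Confidentiality:`, matching the parallel wording added to software_statement_registration_test.rb in this same commit. Since this text is shown to the tester as the thing they are attesting to, it is worth getting right before it is copied further. The enclosing class continues outside the hunk.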
@@ -32,44 +35,15 @@ class ValidationAndConfidentialityAttestationTest < Inferno::Test } ] } - input :state_parameter_validation_note, - title: 'Notes, if applicable:', - type: 'textarea', - optional: true - - input :client_credentials_confidentiality, - title: 'Ensures confidentiality of client passwords and credentials', - description: %( - I attest that the client application ensures confidentiality of client passwords and other client - credentials by securely storing and transmitting them. - ), - type: 'radio', - default: 'false', - options: { - list_options: [ - { - label: 'Yes', - value: 'true' - }, - { - label: 'No', - value: 'false' - } - ] - } - input :client_credentials_confidentiality_note, + input :validation_confidentiality_compliance_note, title: 'Notes, if applicable:', type: 'textarea', optional: true run do - assert state_parameter_validation == 'true', + assert validation_confidentiality_compliance == 'true', 'Client application did not validate the `state` parameter returned by the Resource Holder.' - pass state_parameter_validation_note if state_parameter_validation_note.present? - - assert client_credentials_confidentiality == 'true', - 'Client application did not ensure confidentiality of client passwords and other client credentials.' - pass client_credentials_confidentiality_note if client_credentials_confidentiality_note.present? + pass validation_confidentiality_compliance_note if validation_confidentiality_compliance_note.present? end end end From 5eebe31561ae0584022fc2eccbdd687b4c6254f4 Mon Sep 17 00:00:00 2001 
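Review bot: The failure message kept on the context line after the new `assert validation_confidentiality_compliance == 'true',` still reads 'Client application did not validate the `state` parameter returned by the Resource Holder.', but the assertion now covers both `state` validation and credential confidentiality, so a tester who answers 'No' because of credential storage or transmission gets a message blaming `state` handling. Replace it with `'Client application did not comply with the requirements for Validation and Confidentiality.'`, which is what the equivalent hunk in software_statement_registration_test.rb does. The enclosing class starts outside the hunk.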
From: Christine Duong Date: Wed, 16 Jul 2025 23:33:01 -0400 Subject: [PATCH 10/13] Added coverage --- ..._security_client_requirements_coverage.csv | 72 +++++++++---------- .../udap_security_requirements_coverage.csv | 60 ++++++++-------- ...b2b_authorization_extension_object_test.rb | 36 +++++++--- .../client/cryptographic_algorithms_test.rb | 44 ++++++++++++ .../client/oauth2_protocol_compliance_test.rb | 50 +++++++++++++ .../resource_holder_authentication_test.rb | 45 ++++++++++++ .../client_attestation_group.rb | 12 +++- .../server/authentication_requests_group.rb | 13 ++++ ...uthentication_request_construction_test.rb | 7 +- .../authentication_request_validation_test.rb | 4 +- ...authorization_code_token_requests_group.rb | 2 + ...resource_holder_authorization_flow_test.rb | 37 ++++++++++ .../server/client_authentication_group.rb | 13 ++++ .../client_certificate_storage_test.rb | 36 ++++++++++ .../no_client_credentials_native_apps_test.rb | 38 ++++++++++ .../server/error_handling_group.rb | 8 +++ .../deny_token_request_test.rb | 42 +++++++++++ .../general_error_response_test.rb | 39 ++++++++++ .../error_handling_group/invalid_idp_test.rb | 39 ++++++++++ .../error_handling_group/prompt_none_test.rb | 39 ++++++++++ .../server/jwt_security_group.rb | 19 +++++ .../jwt_certificate_chain_validation_test.rb | 36 ++++++++++ .../jwt_grant_parameter_validation_test.rb | 36 ++++++++++ .../jwt_security_group/jwt_jti_reuse_test.rb | 35 +++++++++ .../jwt_signature_validation_test.rb | 36 ++++++++++ .../jwt_token_request_validation_test.rb | 43 +++++++++++ ...d_connect_authentication_requests_group.rb | 13 ---- .../server/security_measures_group.rb | 4 ++ .../csrf_protection_test.rb | 18 +++-- .../obtain_authorization_scopes_test.rb | 44 ++++++++++++ .../state_parameter_test.rb | 48 +++++++++++++ .../server_attestation_group.rb | 8 ++- 32 files changed, 872 insertions(+), 104 deletions(-) create mode 100644 
lib/udap_security_test_kit/visual_inspection_and_attestation/client/cryptographic_algorithms_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/client/oauth2_protocol_compliance_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/client/resource_holder_authentication_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group.rb rename lib/udap_security_test_kit/visual_inspection_and_attestation/server/{openid_connect_authentication_requests_group => authentication_requests_group}/authentication_request_construction_test.rb (83%) rename lib/udap_security_test_kit/visual_inspection_and_attestation/server/{openid_connect_authentication_requests_group => authentication_requests_group}/authentication_request_validation_test.rb (92%) create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/resource_holder_authorization_flow_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group/client_certificate_storage_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group/no_client_credentials_native_apps_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/deny_token_request_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/general_error_response_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_idp_test.rb create mode 100644 
lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/prompt_none_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_certificate_chain_validation_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_grant_parameter_validation_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_jti_reuse_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_signature_validation_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_token_request_validation_test.rb delete mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/obtain_authorization_scopes_test.rb create mode 100644 lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/state_parameter_test.rb diff --git a/lib/udap_security_test_kit/requirements/generated/udap_security_client_requirements_coverage.csv b/lib/udap_security_test_kit/requirements/generated/udap_security_client_requirements_coverage.csv index 6ce183a..496da41 100644 --- a/lib/udap_security_test_kit/requirements/generated/udap_security_client_requirements_coverage.csv +++ b/lib/udap_security_test_kit/requirements/generated/udap_security_client_requirements_coverage.csv 
@@ -2,16 +2,16 @@ hl7.fhir.us.udap-security_1.0.0,1,https://hl7.org/fhir/us/udap-security/STU1/#general-requirements-and-serialization,All JSON Web Tokens (JWTs) defined in this [UDAP] guide: SHALL conform to the mandatory requirements of [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519).,SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" hl7.fhir.us.udap-security_1.0.0,2,https://hl7.org/fhir/us/udap-security/STU1/#general-requirements-and-serialization,All JSON Web Tokens (JWTs) defined in this [UDAP] guide: ... SHALL be JSON Web Signatures conforming to the mandatory requirements of [RFC 7515](https://datatracker.ietf.org/doc/html/rfc7515).,SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" hl7.fhir.us.udap-security_1.0.0,3,https://hl7.org/fhir/us/udap-security/STU1/#general-requirements-and-serialization,All JSON Web Tokens (JWTs) defined in this [UDAP] guide: ... 
SHALL be serialized using JWS Compact Serialization as per [Section 7.1](https://datatracker.ietf.org/doc/html/rfc7515#section-7.1) of RFC 7515.,SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" -hl7.fhir.us.udap-security_1.0.0,4,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,Implementations supporting the UDAP workflows defined in this guide **SHALL** support `RS256` [as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)].,SHALL,"Server,Client",,,,"","" +hl7.fhir.us.udap-security_1.0.0,4,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,Implementations supporting the UDAP workflows defined in this guide **SHALL** support `RS256` [as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)].,SHALL,"Server,Client",,,,5.02,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_crypto_algorithms_and_protocols hl7.fhir.us.udap-security_1.0.0,5,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,Implementations **SHOULD** support `ES256`[as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)],SHOULD,"Server,Client",,,,"","" hl7.fhir.us.udap-security_1.0.0,6,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,[Implementations] **MAY** support `ES384` and/or `RS384` [as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)].,MAY,"Server,Client",,,,"","" hl7.fhir.us.udap-security_1.0.0,7,https://hl7.org/fhir/us/udap-security/STU1/#jwt-headers,All JWTs defined in this [UDAP] guide SHALL 
contain a Javascript Object Signing and Encryption (JOSE) header as defined in [Section 4](https://datatracker.ietf.org/doc/html/rfc7515#section-4) of RFC 7515 [where] JWT header value`alg` [is] `required`A string identifying the signature algorithm used to sign the JWT,SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" hl7.fhir.us.udap-security_1.0.0,8,https://hl7.org/fhir/us/udap-security/STU1/#jwt-headers,"All JWTs defined in this [UDAP] guide SHALL contain a Javascript Object Signing and Encryption (JOSE) header as defined in [Section 4](https://datatracker.ietf.org/doc/html/rfc7515#section-4) of RFC 7515 [where] JWT header value `x5c`[is] `required`. An array of one or more strings containing the X.509 certificate or certificate chain, where the leaf certificate corresponds to the key used to digitally sign the JWT. 
Each string in the array is the base64-encoded DER representation of the corresponding certificate, with the leaf certificate appearing as the first (or only) element of the array.",SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" hl7.fhir.us.udap-security_1.0.0,16,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,"If a server returns a `404 Not Found` response to a `GET` request to the UDAP metadata endpoint, the client application SHOULD conclude that the server does not support UDAP workflows.",SHOULD,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,20,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"For elements that are represented by JSON arrays, clients SHALL interpret an empty array value to mean that the corresponding capability is NOT supported by the server.",SHALL,Client,,,,5.04,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_metadata_interpretation -hl7.fhir.us.udap-security_1.0.0,21,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[F]or the workflows defined in this guide, client applications SHALL use the applicable values returned in a server’s UDAP metadata.",SHALL,Client,,,,5.04,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_metadata_interpretation +hl7.fhir.us.udap-security_1.0.0,20,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"For elements that are represented by JSON arrays, clients SHALL interpret an empty array value to mean that the corresponding capability is NOT supported by the 
server.",SHALL,Client,,,,5.05,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_metadata_interpretation +hl7.fhir.us.udap-security_1.0.0,21,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[F]or the workflows defined in this guide, client applications SHALL use the applicable values returned in a server’s UDAP metadata.",SHALL,Client,,,,5.05,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_metadata_interpretation hl7.fhir.us.udap-security_1.0.0,60,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,[A] client application MAY add the optional query parameter `community` to the metadata request URL described in [Section 2.1](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints) to indicate that it trusts certificates issued by the community identified by the parameter value.,MAY,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,61,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,[when a client adds the query parameter `community`] The value of the parameter SHALL be a URI as determined by the trust community for this purpose.,SHALL,Client,,,,5.13,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_trust_community_query_parameters +hl7.fhir.us.udap-security_1.0.0,61,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,[when a client adds the query parameter `community`] The value of the parameter SHALL be a URI as determined by the trust community for this purpose.,SHALL,Client,,,,5.17,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_trust_community_query_parameters hl7.fhir.us.udap-security_1.0.0,66,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,"Before FHIR data requests can be made, Client application operators SHALL register each of their 
applications with the Authorization Servers identified by the FHIR servers with which they wish to exchange data.",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification" hl7.fhir.us.udap-security_1.0.0,67,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,Client applications SHALL use the client_id assigned by an Authorization Server in subsequent authorization and token requests to that server.,SHALL,Client,,,,"3.02, 3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" hl7.fhir.us.udap-security_1.0.0,69,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,Confidential clients that can secure a secret MAY use this dynamic client registration protocol as discussed further below to obtain a `client_id`,MAY,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification" 
@@ -27,7 +27,7 @@ hl7.fhir.us.udap-security_1.0.0,78,https://hl7.org/fhir/us/udap-security/STU1/re hl7.fhir.us.udap-security_1.0.0,79,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `exp`... SHALL be no more than 5 minutes after the value of the `iat` claim.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification" hl7.fhir.us.udap-security_1.0.0,80,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `iat` [is] `required`[and is the] Issued time integer for this software statement, expressed in seconds since the ""Epoch""",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification" hl7.fhir.us.udap-security_1.0.0,81,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `jti` [is] `required`[and is a] nonce string value that uniquely identifies this software statement.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification" -hl7.fhir.us.udap-security_1.0.0,82,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `jti` SHALL NOT be reused by the client app in another software statement or authentication JWT before the time specified in the `exp` claim has 
passed,SHALL,Client,,,,5.08,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_software_statement_registration +hl7.fhir.us.udap-security_1.0.0,82,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `jti` SHALL NOT be reused by the client app in another software statement or authentication JWT before the time specified in the `exp` claim has passed,SHALL,Client,,,,5.11,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_software_statement_registration hl7.fhir.us.udap-security_1.0.0,83,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `client_name` [is] `required`[and is a] string containing the human readable name of the client application,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification" hl7.fhir.us.udap-security_1.0.0,84,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `redirect_uris` … SHALL be present if grant_types includes `authorization_code`,SHALL,Client,,,,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification hl7.fhir.us.udap-security_1.0.0,85,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `redirect_uris` … SHALL be absent [if the `grant_types` claim does not include `authorization_code`].,SHALL,Client,,,,2.02,udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification 
@@ -48,7 +48,7 @@ hl7.fhir.us.udap-security_1.0.0,101,https://hl7.org/fhir/us/udap-security/STU1/r hl7.fhir.us.udap-security_1.0.0,102,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The unique client URI used for the iss claim SHALL ... uniquely identify a single client app operator and application over time.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification" hl7.fhir.us.udap-security_1.0.0,103,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"The software statement is intended for one-time use with a single OAuth 2.0 server. As such, the `aud` claim SHALL list the URL of the OAuth Server’s registration endpoint",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification" hl7.fhir.us.udap-security_1.0.0,104,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"The software statement is intended for one-time use with a single OAuth 2.0 server. 
As such, … the lifetime of the software statement (`exp` minus `iat`) SHALL be 5 minutes.",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification" -hl7.fhir.us.udap-security_1.0.0,123,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,A client application SHALL interpret a registration response that contains an empty `grant_types`array as a confirmation that the registration for the `client_id` listed in the response has been cancelled by the Authorization Server.,SHALL,Client,,,,5.08,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_software_statement_registration +hl7.fhir.us.udap-security_1.0.0,123,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,A client application SHALL interpret a registration response that contains an empty `grant_types`array as a confirmation that the registration for the `client_id` listed in the response has been cancelled by the Authorization Server.,SHALL,Client,,,,5.11,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_software_statement_registration hl7.fhir.us.udap-security_1.0.0,126,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#consumer-facing,"Consumer-facing client applications SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 authorization code grant flow,",SHALL,Client,,,,3,udap_security_client-udap_client_access_ac hl7.fhir.us.udap-security_1.0.0,127,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,"Client applications SHALL request an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) of RFC 
6749,",SHALL,Client,,,,3.02,udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification hl7.fhir.us.udap-security_1.0.0,128,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1,"[When] The client constructs the request URI … the … parameter.. `response_type` [is] `required`[and the] value MUST be set to ""code""",SHALL,Client,,,,3.02,udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification 
@@ -56,12 +56,12 @@ hl7.fhir.us.udap-security_1.0.0,129,https://datatracker.ietf.org/doc/html/rfc674
 hl7.fhir.us.udap-security_1.0.0,130,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,Client applications that also support the SMART App Launch IG are NOT REQUIRED to include a launch scope or launch context requirement scope.,MAY,Client,,,,"",""
 hl7.fhir.us.udap-security_1.0.0,132,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,[S]ervers MAY optionally support UDAP Tiered OAuth for User Authentication to allow for cross-organizational or third party user authentication as described in [Section 6](https://hl7.org/fhir/us/udap-security/STU1/user.html).,MAY,Client,,,,"",""
 hl7.fhir.us.udap-security_1.0.0,136,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,If the resource owner grants the access request… The client MUST NOT use the authorization code more than once.,SHALL,Client,,,,5.01,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_auth_code_usage
-hl7.fhir.us.udap-security_1.0.0,139,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When receiveing an response to an authorization request t]he client MUST ignore unrecognized response parameters.,SHALL,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,139,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When receiveing an response to an authorization request t]he client MUST ignore unrecognized response parameters.,SHALL,Client,,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_oauth2_protocol_compliance
 hl7.fhir.us.udap-security_1.0.0,140,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-access-token,"Client applications SHALL exchange authorization codes for access tokens as per [Section 4.1.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3) of RFC 
6749,",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,141,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When] the client makes a request to the token endpoint… the `grant_type` [parameter is] `REQUIRED`[and the] Value MUST be set to ""authorization_code""",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,142,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When t]he client makes a request to the token endpoint… the `code` [parameter is] `REQUIRED`[and is] the authorization code received from the authorization server,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,143,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When t]he client makes a request to the token endpoint… the `redirect_uri` [parameter is] `REQUIRED`...if the ""redirect_uri"" parameter was included in the authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and their values MUST be identical.",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
-hl7.fhir.us.udap-security_1.0.0,144,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When t]he client makes a request to the token endpoint… the `client_id` [parameter is] `REQUIRED`...if the client is not authenticating with the authorization server as described in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1).,SHALL,Client,,,,5.07,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_token_request_authentication
+hl7.fhir.us.udap-security_1.0.0,144,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When t]he client makes a request to the token endpoint… 
the `client_id` [parameter is] `REQUIRED`...if the client is not authenticating with the authorization server as described in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1).,SHALL,Client,,,,5.08,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_token_request_authentication
 hl7.fhir.us.udap-security_1.0.0,145,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1).",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,151,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"If the client app has registered to authenticate using a private key rather than a shared client_secret, then the client SHALL use its private key to sign an Authentication Token as described in this section, and include this JWT in the client_assertion parameter of its token request as described in section 5.1 of UDAP JWT-Based Client Authentication and detailed further in Section 4.2.2 of this guide.",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,152,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,Authentication Tokens submitted by client apps SHALL conform to the general JWT header requirements above,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
@@ -71,12 +71,12 @@ hl7.fhir.us.udap-security_1.0.0,155,https://hl7.org/fhir/us/udap-security/STU1/c
 hl7.fhir.us.udap-security_1.0.0,156,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `exp` parameter [is] `required` [and is the e]xpiration time integer for this authentication JWT, expressed in seconds since the ""Epoch"" (1970-01-01T00:00:00Z UTC)",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,157,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `iat` parameter [is] `required` [and is the i]ssued time integer for this authentication JWT, expressed in seconds since the ""Epoch""",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,158,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `jti` parameter [is] `required` [and is a] nonce string value that uniquely identifies this authentication,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
-hl7.fhir.us.udap-security_1.0.0,159,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` ...element of token requests] … the `jti` parameter... 
SHALL NOT be reused by the client app in another authentication JWT before the time specified in the `exp` claim has passed,SHALL,Client,,,,5.03,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_jti_reuse_prevention
+hl7.fhir.us.udap-security_1.0.0,159,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` ...element of token requests] … the `jti` parameter... SHALL NOT be reused by the client app in another authentication JWT before the time specified in the `exp` claim has passed,SHALL,Client,,,,5.04,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_jti_reuse_prevention
 hl7.fhir.us.udap-security_1.0.0,160,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"The maximum lifetime for an Authentication Token SHALL be 5 minutes, i.e. the value of `exp` minus the value of `iat` SHALL NOT exceed 300 seconds.",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,161,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,The Authentication Token SHALL be signed and serialized using the JSON compact serialization method..,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
-hl7.fhir.us.udap-security_1.0.0,162,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"For client applications authenticating with a shared secret, the client application and server SHALL follow the token request and response protocol in Section 4.1.3 and Section 4.1.4 of RFC 6749.",SHALL,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,162,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"For client applications authenticating with a shared 
secret, the client application and server SHALL follow the token request and response protocol in Section 4.1.3 and Section 4.1.4 of RFC 6749.",SHALL,Client,,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_oauth2_protocol_compliance
 hl7.fhir.us.udap-security_1.0.0,163,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,Client applications authenticating with a private key and Authentication Token as per Section [4.2.1](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token) SHALL submit a POST request to the Authorization Server’s token endpoint containing the [token request]... parameters as per Section 5.1 of UDAP JWT-Based Client Authentication,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
-hl7.fhir.us.udap-security_1.0.0,164,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,Client apps authenticating in this [with a private key and Authentication Token] manner SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request.,SHALL NOT,Client,,,,5.06,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_private_key_authentication
+hl7.fhir.us.udap-security_1.0.0,164,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,Client apps authenticating in this [with a private key and Authentication Token] manner SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request.,SHALL NOT,Client,,,,5.07,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_private_key_authentication
 hl7.fhir.us.udap-security_1.0.0,165,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `grant_type` [parameter is] `required`[and SHALL 
contain the f]ixed value: `authorization_code`,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,166,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `code` [parameter is] `required`[and SHALL contain the] code that the app received from the Authorization Server,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,167,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"[When authenticating with a private key and Authentication Token] the `redirect_uri` [parameter is] `conditional`… SHALL be present only if the redirect_uri parameter was included in the authorization request in Section 4.1,",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
@@ -92,7 +92,7 @@ hl7.fhir.us.udap-security_1.0.0,180,https://www.udap.org/udap-jwt-client-auth.ht
 hl7.fhir.us.udap-security_1.0.0,181,https://www.udap.org/udap-jwt-client-auth.html,[When validating the Client App’s token request] A maximum AnT lifetime of 5 minutes is RECOMMENDED,SHOULD,Client,,,,"",""
 hl7.fhir.us.udap-security_1.0.0,185,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,B2B client applications registered to use the authorization code grant SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 authorization code grant flow described in [Section 4.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1) of RFC 6749,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,186,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,Client applications registered to use the client credentials grant SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 client credentials grant flow described in [Section 4.4](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) of RFC 6749,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
-hl7.fhir.us.udap-security_1.0.0,187,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,"[When using the B2B client credentials flow to obtain access] the Requestor [(client)] is responsible for ensuring that the Requestor’s User, if applicable, is using the app only as authorized by the Requestor.",SHALL,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,187,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,"[When using the B2B client credentials flow to obtain access] the Requestor [(client)] is responsible for ensuring that the Requestor’s User, if applicable, is using the app only as authorized by the 
Requestor.",SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
 hl7.fhir.us.udap-security_1.0.0,188,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code,Client applications registered to use the authorization code grant SHALL request an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) of RFC 6749,SHALL,Client,,,,5.01,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_auth_code_usage
 hl7.fhir.us.udap-security_1.0.0,192,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,"The client SHALL use its private key to sign an Authentication Token..., and include this JWT in the `client_assertion` parameter of its token request as described in section 5.1 of UDAP JWT-Based Client Authentication and detailed further in [Section 5.2.2](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#submitting-a-token-request) of this guide",SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
 hl7.fhir.us.udap-security_1.0.0,193,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `sub` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
@@ -101,28 +101,28 @@ hl7.fhir.us.udap-security_1.0.0,195,https://hl7.org/fhir/us/udap-security/STU1/b
 hl7.fhir.us.udap-security_1.0.0,196,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `iat` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
 hl7.fhir.us.udap-security_1.0.0,197,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `jti` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
 hl7.fhir.us.udap-security_1.0.0,198,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `extensions` claim [is] `conditional` [and] The HL7 B2B Authorization Extension Object ...is required for B2B client apps using the client_credentials flow,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
-hl7.fhir.us.udap-security_1.0.0,199,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `extensions` claim [is] `conditional` [and shall be] omit[ted] for client apps using the `authorization_code` flow,SHALL,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,199,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `extensions` claim [is] `conditional` [and shall be] omit[ted] for client apps using the `authorization_code` 
flow,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
 hl7.fhir.us.udap-security_1.0.0,202,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `version` [is] `required` [with a] String with fixed value: ""1""",SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
-hl7.fhir.us.udap-security_1.0.0,203,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_name` [is] `conditional` [and SHALL be required if the] String containing the human readable name of the human or non-human requestor [is] known,SHALL,Client,,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
-hl7.fhir.us.udap-security_1.0.0,204,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be required] if known for human requestors when the `subject_name` parameter is present.,SHALL,Client,,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
-hl7.fhir.us.udap-security_1.0.0,205,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id`... For US Realm,... 
SHALL be the subject's individual National Provider Identifier (NPI)",SHALL,Client,,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
-hl7.fhir.us.udap-security_1.0.0,206,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be omitted] for non-human requestors,SHALL,Client,,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
-hl7.fhir.us.udap-security_1.0.0,207,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be omitted] ... for requestors who have not been assigned an NPI,SHALL,Client,,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
-hl7.fhir.us.udap-security_1.0.0,208,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_role` [is] `conditional` [and SHALL be required] if known for human requestors when the `subject_name` parameter is present. 
For US Realm, trust communities SHOULD constrain the allowed values and formats, and are encouraged to draw from the National Uniform Claim Committee (NUCC) Provider Taxonomy Code Set, but are not required to do so to be considered conformant.",SHALL,"Client,Trust Community",,,,"",""
+hl7.fhir.us.udap-security_1.0.0,203,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_name` [is] `conditional` [and SHALL be required if the] String containing the human readable name of the human or non-human requestor [is] known,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+hl7.fhir.us.udap-security_1.0.0,204,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be required] if known for human requestors when the `subject_name` parameter is present.,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+hl7.fhir.us.udap-security_1.0.0,205,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id`... For US Realm,... 
SHALL be the subject's individual National Provider Identifier (NPI)",SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+hl7.fhir.us.udap-security_1.0.0,206,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be omitted] for non-human requestors,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+hl7.fhir.us.udap-security_1.0.0,207,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be omitted] ... for requestors who have not been assigned an NPI,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+hl7.fhir.us.udap-security_1.0.0,208,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_role` [is] `conditional` [and SHALL be required] if known for human requestors when the `subject_name` parameter is present. 
For US Realm, trust communities SHOULD constrain the allowed values and formats, and are encouraged to draw from the National Uniform Claim Committee (NUCC) Provider Taxonomy Code Set, but are not required to do so to be considered conformant.",SHALL,"Client,Trust Community",,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
 hl7.fhir.us.udap-security_1.0.0,210,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_name` [is] `optional` [and is a] string containing the human readable name of the organizational requestor. If a subject is named, the organizational requestor is the organization represented by the subject.",MAY,Client,,,,"",""
 hl7.fhir.us.udap-security_1.0.0,211,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_name` [is] `optional` … if a subject is named, the organizational requestor is the organization represented by the subject.",MAY,Client,,,,"",""
 hl7.fhir.us.udap-security_1.0.0,212,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_id` [is] `required` [and] SHALL be a Uniform Resource Identifier (URI).,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
-hl7.fhir.us.udap-security_1.0.0,213,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_id` [is] `required` [and] ... 
Trust communities SHALL define the allowed URI scheme(s).,SHALL,"Client,Trust Community",,,,"",""
+hl7.fhir.us.udap-security_1.0.0,213,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_id` [is] `required` [and] ... Trust communities SHALL define the allowed URI scheme(s).,SHALL,"Client,Trust Community",,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
 hl7.fhir.us.udap-security_1.0.0,214,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_id` [is] `required`... If a URL is used, the issuer SHALL include a URL that is resolvable by the receiving party.",SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
 hl7.fhir.us.udap-security_1.0.0,215,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `purpose_of_use` [is] `required`.,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
 hl7.fhir.us.udap-security_1.0.0,217,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_policy` [is] `optional`[and SHALL contain] an array of one or more strings, each containing a URI identifiying a privacy consent directive policy or other policy consistent with the value of the purpose_of_use parameter.",MAY,Client,,,,"",""
hl7.fhir.us.udap-security_1.0.0,218,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_reference` [is] `conditional`[and SHALL contain a]n array of one or more strings, each containing an absolute URL consistent with a [literal reference](https://www.hl7.org/fhir/R4/references.html#literal) to a FHIR [Consent](https://www.hl7.org/fhir/R4/consent.html) or [DocumentReference](https://www.hl7.org/fhir/R4/documentreference.html) resource containing or referencing a privacy consent directive relevant to a purpose identified by the `purpose_of_use` parameter and the policy or policies identified by the `consent_policy` parameter.",MAY,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,219,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[When populating the consent_reference value of the B2B Authorization Extension] the value `consent_reference` [is] `conditional` ... [and t]he issuer of this Authorization Extension Object SHALL only include URLs that are resolvable by the receiving party.,SHALL,Client,true,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
-hl7.fhir.us.udap-security_1.0.0,220,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[When populating the consent_reference value of the B2B Authorization Extension] the value `consent_reference` [is] `conditional`... 
[and i]f a referenced resource does not include the raw document data inline in the resource or as a contained resource, then it SHALL include a URL to the attachment data that is resolvable by the receiving party.",SHALL,Client,true,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
-hl7.fhir.us.udap-security_1.0.0,221,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_reference` [is] `conditional`[and shall be ] ... Omit[ted] if `consent_policy` [paramaeter] is not present.,SHALL,Client,,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+hl7.fhir.us.udap-security_1.0.0,219,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[When populating the consent_reference value of the B2B Authorization Extension] the value `consent_reference` [is] `conditional` ... [and t]he issuer of this Authorization Extension Object SHALL only include URLs that are resolvable by the receiving party.,SHALL,Client,true,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+hl7.fhir.us.udap-security_1.0.0,220,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[When populating the consent_reference value of the B2B Authorization Extension] the value `consent_reference` [is] `conditional`... 
[and i]f a referenced resource does not include the raw document data inline in the resource or as a contained resource, then it SHALL include a URL to the attachment data that is resolvable by the receiving party.",SHALL,Client,true,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+hl7.fhir.us.udap-security_1.0.0,221,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_reference` [is] `conditional`[and shall be ] ... Omit[ted] if `consent_policy` [paramaeter] is not present.,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
 hl7.fhir.us.udap-security_1.0.0,222,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#submitting-a-token-request,Client applications using the authorization code grant and authenticating with a private key and Authentication Token as per Section 5.2.1 SHALL submit a POST request to the Authorization Server’s token endpoint containing the following parameters as per Section 5.1 of UDAP JWT-Based Client Authentication.,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,223,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,Client applications using the client credentials grant and authenticating with a private key and Authentication Token as per Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) SHALL submit a POST request to the Authorization Server’s token endpoint containing the following parameters as per Section 5.2 of UDAP JWT-Based Client Authentication.,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
-hl7.fhir.us.udap-security_1.0.0,224,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,Client applications using the client credentials grant and authenticating with a private key and Authentication Token as per Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) … SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request.,SHALL NOT,Client,,,,5.06,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_private_key_authentication
+hl7.fhir.us.udap-security_1.0.0,224,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,Client applications using the client credentials grant and authenticating with a private key and Authentication Token as per Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) … SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request.,SHALL NOT,Client,,,,5.07,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_private_key_authentication
 hl7.fhir.us.udap-security_1.0.0,225,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `grant_type` parameter [is] `required` [and SHALL contain f]ixed value: `client_credentials`,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
 hl7.fhir.us.udap-security_1.0.0,226,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `client_assertion_type` parameter [is] `required` [and SHALL contain f]ixed value: `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
hl7.fhir.us.udap-security_1.0.0,227,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `client_assertion` parameter [is] `required` [and SHALL contain] the signed Authentication Token JWT,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification 
@@ -131,16 +131,16 @@ hl7.fhir.us.udap-security_1.0.0,231,https://hl7.org/fhir/us/udap-security/STU1/b hl7.fhir.us.udap-security_1.0.0,232,https://datatracker.ietf.org/doc/html/rfc6749#section-6,"[When requesting a refresh token] the `grant_type` [parameter is] REQUIRED [and the ] Value MUST be set to ""refresh_token""",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification hl7.fhir.us.udap-security_1.0.0,233,https://datatracker.ietf.org/doc/html/rfc6749#section-7,[When requesting a refresh token] the `refresh_token` [parameter is] REQUIRED [and is ] The refresh token issued to the client,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification hl7.fhir.us.udap-security_1.0.0,234,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#refresh-tokens,"Client apps authenticate to the Authorization Server for refresh requests by constructing and including an Authentication Token in the same manner as for initial token requests [i.e., include the client_assertion_type and client_assertion fields as in the token request]",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification -hl7.fhir.us.udap-security_1.0.0,235,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"IdPs that support this [UDAP] guide SHALL include `""openid""` and `""udap""` in the array of scopes returned for the `scopes_supported` parameter.",SHALL,Client,,,,5.02,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_idp_supports_scopes -hl7.fhir.us.udap-security_1.0.0,236,https://hl7.org/fhir/us/udap-security/STU1/user.html#client-authorization-request-to-data-holder,The client app indicates the preferred Identity Provider to the data holder… by modifying the authorization endpoint request… [and a]dd[ing] `udap` to the list of scopes provided in the value of the `scope` query 
parameter,SHALL,Client,,,,"5.05, 5.11","udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_preferred_idp, udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_scopes_identity_provider_interaction" -hl7.fhir.us.udap-security_1.0.0,237,https://hl7.org/fhir/us/udap-security/STU1/user.html#client-authorization-request-to-data-holder,The client app indicates the preferred Identity Provider to the data holder… by modifying the authorization endpoint request… [and a]dd[ing] the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP.,SHALL,Client,,,,5.05,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_preferred_idp +hl7.fhir.us.udap-security_1.0.0,235,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"IdPs that support this [UDAP] guide SHALL include `""openid""` and `""udap""` in the array of scopes returned for the `scopes_supported` parameter.",SHALL,Client,,,,5.03,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_idp_supports_scopes +hl7.fhir.us.udap-security_1.0.0,236,https://hl7.org/fhir/us/udap-security/STU1/user.html#client-authorization-request-to-data-holder,The client app indicates the preferred Identity Provider to the data holder… by modifying the authorization endpoint request… [and a]dd[ing] `udap` to the list of scopes provided in the value of the `scope` query parameter,SHALL,Client,,,,5.06,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_preferred_idp +hl7.fhir.us.udap-security_1.0.0,237,https://hl7.org/fhir/us/udap-security/STU1/user.html#client-authorization-request-to-data-holder,The client app indicates the preferred Identity Provider to the data holder… by modifying the authorization endpoint request… [and a]dd[ing] the extension query parameter `idp` with a value equal to the base URL of the 
preferred OIDC IdP.,SHALL,Client,,,,5.06,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_preferred_idp hl7.fhir.us.udap-security_1.0.0,244,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"[When authenticating the user a] client app that receives an error code of `invalid_idp` MAY attempt to obtain authorization again by specifying a different IdP base URL in the `idp` authorization request parameter, or by making a new authorization request without using the Tiered OAuth workflow.",MAY,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,256,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,The `scope` query parameter of the authentication request SHALL contain at least the following two values: `openid` and `udap`.,SHALL,Client,,,,5.11,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_scopes_identity_provider_interaction -hl7.fhir.us.udap-security_1.0.0,257,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,The IdP SHALL authenticate the user as per [Sections 3.1.2.2 - 3.1.2.6 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation) and Sections 4.1 - 4.2 of [UDAP Tiered Oauth](https://www.udap.org/udap-user-auth-stu1.html).,SHALL,Client,,,,5.11,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_scopes_identity_provider_interaction -hl7.fhir.us.udap-security_1.0.0,274,https://www.udap.org/udap-user-auth-stu1.html,The Client App MUST validate the value of the state parameter returned by the Resource Holder [in response to an authorization request] as per RFC 6749.,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_validation_confidentiality -hl7.fhir.us.udap-security_1.0.0,275,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,"The 
client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state (e.g., a hash of the session cookie used to authenticate the user-agent).",SHALL,Client,,,,5.10,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_security_csrf_protection -hl7.fhir.us.udap-security_1.0.0,276,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,The binding value used for CSRF protection MUST contain a non-guessable value (as described in Section 10.10),SHALL,Client,,,,5.10,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_security_csrf_protection -hl7.fhir.us.udap-security_1.0.0,277,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,"the user-agent's authenticated state (e.g.,session cookie, HTML5 local storage) MUST be kept in a location accessible only to the client and the user-agent (i.e., protected by same-origin policy).",SHALL,Client,,,,5.10,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_security_csrf_protection -hl7.fhir.us.udap-security_1.0.0,280,https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest,"[When making a token request] If the Client is a Confidential Client, then it MUST authenticate to the Token Endpoint using the authentication method registered for its `client_id`, as described in [Section 9](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication).",SHALL,Client,true,,,5.07,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_token_request_authentication -hl7.fhir.us.udap-security_1.0.0,281,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST authenticate to the IdP’s token endpoint [when requesting an ID token and access token] as detailed in Section 5 of UDAP 
JWT-based Client Authentication,SHALL,Client,,,,"","" -hl7.fhir.us.udap-security_1.0.0,286,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,Web application clients MUST ensure confidentiality of client passwords and other client credentials.,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_validation_confidentiality +hl7.fhir.us.udap-security_1.0.0,256,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,The `scope` query parameter of the authentication request SHALL contain at least the following two values: `openid` and `udap`.,SHALL,Client,,,,5.14,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_data_holder_auth_request_scope +hl7.fhir.us.udap-security_1.0.0,257,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,The IdP SHALL authenticate the user as per [Sections 3.1.2.2 - 3.1.2.6 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation) and Sections 4.1 - 4.2 of [UDAP Tiered Oauth](https://www.udap.org/udap-user-auth-stu1.html).,SHALL,Client,,,,5.15,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_idp_authentication_compliance +hl7.fhir.us.udap-security_1.0.0,274,https://www.udap.org/udap-user-auth-stu1.html,The Client App MUST validate the value of the state parameter returned by the Resource Holder [in response to an authorization request] as per RFC 6749.,SHALL,Client,,,,5.16,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_validation_confidentiality +hl7.fhir.us.udap-security_1.0.0,275,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,"The client MUST implement CSRF protection for its redirection URI. 
This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state (e.g., a hash of the session cookie used to authenticate the user-agent).",SHALL,Client,,,,5.13,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_security_csrf_protection +hl7.fhir.us.udap-security_1.0.0,276,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,The binding value used for CSRF protection MUST contain a non-guessable value (as described in Section 10.10),SHALL,Client,,,,5.13,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_security_csrf_protection +hl7.fhir.us.udap-security_1.0.0,277,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,"the user-agent's authenticated state (e.g.,session cookie, HTML5 local storage) MUST be kept in a location accessible only to the client and the user-agent (i.e., protected by same-origin policy).",SHALL,Client,,,,5.13,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_security_csrf_protection +hl7.fhir.us.udap-security_1.0.0,280,https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest,"[When making a token request] If the Client is a Confidential Client, then it MUST authenticate to the Token Endpoint using the authentication method registered for its `client_id`, as described in [Section 9](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication).",SHALL,Client,true,,,5.08,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_token_request_authentication +hl7.fhir.us.udap-security_1.0.0,281,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST authenticate to the IdP’s token endpoint [when requesting an ID token and access token] as detailed in Section 5 of UDAP JWT-based Client 
Authentication,SHALL,Client,,,,5.10,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_resource_holder_token_endpoint_authentication +hl7.fhir.us.udap-security_1.0.0,286,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,Web application clients MUST ensure confidentiality of client passwords and other client credentials.,SHALL,Client,,,,5.16,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_validation_confidentiality diff --git a/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv b/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv index 1d69de6..e108824 100644 --- a/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv +++ b/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv 
@@ -57,7 +57,7 @@ hl7.fhir.us.udap-security_1.0.0,52,https://hl7.org/fhir/us/udap-security/STU1/di hl7.fhir.us.udap-security_1.0.0,53,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,The exp time [in the Server's signed JWT] SHALL be no more than 1 year after the value of the iat claim.,SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents" hl7.fhir.us.udap-security_1.0.0,54,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,"[The JWT in the signed_metadata element SHALL contain the claim] `iat` [that is the] Issued time integer for this JWT, expressed in seconds since the ""Epoch""",SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents" hl7.fhir.us.udap-security_1.0.0,55,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The JWT in the signed_metadata element SHALL contain the claim] `jti` [that is a] nonce string value that uniquely identifies this JWT.,SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents" -hl7.fhir.us.udap-security_1.0.0,56,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,This [`jti`] value [in the Server's signed JWT] SHALL NOT be reused by the server in another JWT before the time specified in the exp claim has passed,SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,56,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,This [`jti`] value [in 
the Server's signed JWT] SHALL NOT be reused by the server in another JWT before the time specified in the exp claim has passed,SHALL,Server,,,,3.9.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_jwt_security_group-udap_security_jwt_jti_reuse hl7.fhir.us.udap-security_1.0.0,57,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,"[In the JWT in the signed_metadata element SHALL contain, the claim] `authorization_endpoint`[is] REQUIRED if the authorization_endpoint parameter is included in the unsigned metadata",SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents" hl7.fhir.us.udap-security_1.0.0,58,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The JWT in the signed_metadata element SHALL contain the claim] `token_endpoint`[which is a] string containing the absolute URL of the server's token endpoint,SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents" hl7.fhir.us.udap-security_1.0.0,59,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The JWT in the signed_metadata element SHALL contain the claim] `registration_endpoint`[which is a] string containing the absolute URL of the server's registration endpoint,SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents" 
@@ -75,7 +75,7 @@ hl7.fhir.us.udap-security_1.0.0,108,https://www.udap.org/udap-dynamic-client-reg hl7.fhir.us.udap-security_1.0.0,109,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he software statement MUST be unexpired,SHALL,Server,,,,3.2.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_dynamic_client_registration_group-udap_security_dynamic_client_registration_validation hl7.fhir.us.udap-security_1.0.0,110,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1,"If a new registration is successful, the Authorization Server SHALL return a registration response with a `201 Created` HTTP response code as per [Section 5.1](https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1) of UDAP Dynamic Client Registration",SHALL,Server,,,,"1.2.03, 2.2.03","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success" hl7.fhir.us.udap-security_1.0.0,111,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1,"[When responding to an authorization request that has been granted] 5.1 The top-level elements of the response SHALL include the client_id issued by the Authorization Server for use by the Client App, the software statement as submitted by the Client App, and all of the registration related parameters that were included in the software statement",SHALL,Server,,,,"1.2.04, 2.2.04","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success_contents" -hl7.fhir.us.udap-security_1.0.0,112,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1,[When responding to an authorization request that has been granted] 5.1 Authorization Server MUST 
store the certificate provided by the Client for use to validate subsequent client authentication attempts.,SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,112,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1,[When responding to an authorization request that has been granted] 5.1 Authorization Server MUST store the certificate provided by the Client for use to validate subsequent client authentication attempts.,SHALL,Server,,,,3.8.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_client_authentication_group-udap_security_client_certificate_storage hl7.fhir.us.udap-security_1.0.0,113,https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body,"If a new registration is successful, the Authorization Server SHALL return a registration response ... including the unique `client_id` assigned by the Authorization Server to that client app.",SHALL,Server,,,,"1.2.04, 2.2.04","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success_contents" hl7.fhir.us.udap-security_1.0.0,114,https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body,"If a new registration is not successful, e.g. 
it is rejected by the server for any reason, the Authorization Server SHALL return an error response as per [Section 5.2](https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.2) of UDAP Dynamic Client Registration.",SHALL,Server,,,,"1.2.01, 1.2.02, 2.2.01, 2.2.02","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_failure_invalid_contents, udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_failure_invalid_jwt_signature, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_failure_invalid_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_failure_invalid_jwt_signature" hl7.fhir.us.udap-security_1.0.0,116,https://hl7.org/fhir/us/udap-security/STU1/registration.html#inclusion-of-certifications-and-endorsements,Authorization Servers SHALL ignore unsupported or unrecognized certifications,SHALL,Server,,,,3.2.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_dynamic_client_registration_group-udap_security_certification_handling 
@@ -98,23 +98,23 @@ hl7.fhir.us.udap-security_1.0.0,147,https://datatracker.ietf.org/doc/html/rfc674 hl7.fhir.us.udap-security_1.0.0,148,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: … ensure that the authorization code was issued to the authenticated confidential client, or if the client is public, ensure that the code was issued to ""client_id"" in the request,",SHALL,Server,,,,1.3.03,udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_token_exchange hl7.fhir.us.udap-security_1.0.0,149,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: … verify that the authorization code is valid,SHALL,Server,,,,"3.3.02, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-udap_security_access_token_request_validation" hl7.fhir.us.udap-security_1.0.0,150,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: … ensure that the ""redirect_uri"" parameter is present if the ""redirect_uri"" parameter was included in the initial authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and if included ensure that their values are identical.",SHALL,Server,,,,"3.3.02, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation, 
udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-udap_security_access_token_request_validation" -hl7.fhir.us.udap-security_1.0.0,172,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,An Authorization Server receiving token requests containing Authentication Tokens... SHALL validate and respond to the request as per [Sections 6 and 7 of UDAP JWT-Based Client Authentication](https://www.udap.org/udap-jwt-client-auth.html).,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,173,https://www.udap.org/udap-jwt-client-auth.html,The AS validates the digital signature on the AnT [in the token request] using the public key extracted from cert1 in the x5c parameter of the JOSE header.,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,174,https://www.udap.org/udap-jwt-client-auth.html,"If the signature cannot be validated [using the public key extracted from cert1 in the x5c parameter], the [token] request is denied.",SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,176,https://www.udap.org/udap-jwt-client-auth.html,"If a trusted chain cannot be built and validated by the AS [for certificates in the x5c parameter of the JOSE header on AnTs in token requests], the request is denied.",SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,182,https://www.udap.org/udap-jwt-client-auth.html,The AS validates any other parameters in the [token] request as per the requirements of the grant mechanism identified by the grant_type value.,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,183,https://www.udap.org/udap-jwt-client-auth.html,"If a parameter is invalid or a required parameter is missing [on a token request], the request is denied",SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,172,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,An Authorization Server receiving token requests containing Authentication 
Tokens... SHALL validate and respond to the request as per [Sections 6 and 7 of UDAP JWT-Based Client Authentication](https://www.udap.org/udap-jwt-client-auth.html).,SHALL,Server,,,,3.9.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_jwt_security_group-udap_security_jwt_token_request_validation +hl7.fhir.us.udap-security_1.0.0,173,https://www.udap.org/udap-jwt-client-auth.html,The AS validates the digital signature on the AnT [in the token request] using the public key extracted from cert1 in the x5c parameter of the JOSE header.,SHALL,Server,,,,3.9.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_jwt_security_group-udap_security_jwt_signature_validation +hl7.fhir.us.udap-security_1.0.0,174,https://www.udap.org/udap-jwt-client-auth.html,"If the signature cannot be validated [using the public key extracted from cert1 in the x5c parameter], the [token] request is denied.",SHALL,Server,,,,3.6.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_deny_token_request +hl7.fhir.us.udap-security_1.0.0,176,https://www.udap.org/udap-jwt-client-auth.html,"If a trusted chain cannot be built and validated by the AS [for certificates in the x5c parameter of the JOSE header on AnTs in token requests], the request is denied.",SHALL,Server,,,,"3.6.03, 3.9.05","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_deny_token_request, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_jwt_security_group-udap_security_jwt_certificate_chain_validation" +hl7.fhir.us.udap-security_1.0.0,182,https://www.udap.org/udap-jwt-client-auth.html,The AS validates any other parameters in the [token] request as per the requirements of the grant mechanism identified by the grant_type 
value.,SHALL,Server,,,,3.9.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_jwt_security_group-udap_security_jwt_grant_parameter_validation +hl7.fhir.us.udap-security_1.0.0,183,https://www.udap.org/udap-jwt-client-auth.html,"If a parameter is invalid or a required parameter is missing [on a token request], the request is denied",SHALL,Server,,,,3.6.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_deny_token_request hl7.fhir.us.udap-security_1.0.0,184,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"For all successful token requests, the Authorization Server SHALL issue access tokens with a lifetime no longer than 60 minutes.",SHALL,Server,,,,3.3.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_lifetime hl7.fhir.us.udap-security_1.0.0,190,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code,Servers SHALL handle and respond to authorization code requests as per [Section 4.1.2 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2).,SHALL,Server,,,,"1.3.01, 1.3.02","udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_redirect, udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received" -hl7.fhir.us.udap-security_1.0.0,229,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,An Authorization Server receiving token requests containing Authentication Tokens ... 
SHALL validate and respond to the request as per Sections 6 and 7 of UDAP JWT-Based Client Authentication.,SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,229,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,An Authorization Server receiving token requests containing Authentication Tokens ... SHALL validate and respond to the request as per Sections 6 and 7 of UDAP JWT-Based Client Authentication.,SHALL,Server,,,,3.9.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_jwt_security_group-udap_security_jwt_token_request_validation hl7.fhir.us.udap-security_1.0.0,230,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#refresh-tokens,Authorization Servers MAY issue refresh tokens to B2B [and consumer-facing] client applications that use the authorization code grant type as per [Section 5 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-5),MAY,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,238,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"Upon receiving an authorization request with a preferred IdP, the data holder first determines whether or not it trusts the IdP to perform user authentication, by retrieving and validating the IdP’s UDAP metadata from {baseURL}/.well-known/udap, as discussed in [Section 2.2](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata)",SHALL,Server,,,,3.8.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_identity_provider_interaction_group-udap_security_idp_metadata_validation -hl7.fhir.us.udap-security_1.0.0,239,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is trusted and the data holder is not yet registered as a client with the IdP and the IdP supports UDAP Dynamic Registration, then the data holder SHALL register as a client with the IdP as per [Section 
3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration) of this guide.",SHALL,Server,,,,3.8.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_identity_provider_interaction_group-udap_security_idp_dynamic_registration +hl7.fhir.us.udap-security_1.0.0,238,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"Upon receiving an authorization request with a preferred IdP, the data holder first determines whether or not it trusts the IdP to perform user authentication, by retrieving and validating the IdP’s UDAP metadata from {baseURL}/.well-known/udap, as discussed in [Section 2.2](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata)",SHALL,Server,,,,3.10.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_identity_provider_interaction_group-udap_security_idp_metadata_validation +hl7.fhir.us.udap-security_1.0.0,239,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is trusted and the data holder is not yet registered as a client with the IdP and the IdP supports UDAP Dynamic Registration, then the data holder SHALL register as a client with the IdP as per [Section 3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration) of this guide.",SHALL,Server,,,,3.10.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_identity_provider_interaction_group-udap_security_idp_dynamic_registration hl7.fhir.us.udap-security_1.0.0,240,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is not trusted by the data holder, or if the data holder does not have and cannot obtain a client_id to use with the IdP, the data holder MAY reject the client app’s authorization request",MAY,Server,,,,"","" 
-hl7.fhir.us.udap-security_1.0.0,241,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"[if the data holder rejects the request because of idP it SHALL return an error with the invalid_idp extension error code] as per [Section 4.1.2.1 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1), using the extension error code of invalid_idp.",SHALL,Server,true,,,"","" -hl7.fhir.us.udap-security_1.0.0,242,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1,"If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server ... MUST NOT automatically redirect the user-agent to the invalid redirection URI.",SHALL NOT,Server,,,,3.6.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_invalid_redirection_uri +hl7.fhir.us.udap-security_1.0.0,241,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"[if the data holder rejects the request because of idP it SHALL return an error with the invalid_idp extension error code] as per [Section 4.1.2.1 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1), using the extension error code of invalid_idp.",SHALL,Server,true,,,3.6.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_invalid_idp_error +hl7.fhir.us.udap-security_1.0.0,242,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1,"If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server ... 
MUST NOT automatically redirect the user-agent to the invalid redirection URI.",SHALL NOT,Server,,,,3.6.05,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_invalid_redirection_uri hl7.fhir.us.udap-security_1.0.0,243,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is not trusted by the data holder, or if the data holder does not have and cannot obtain a client_id to use with the IdP ... the data holder MAY attempt to authenticate the user with a different trusted IdP or its own IdP, and MAY interact with the user to determine a suitable alternative",MAY,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,245,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is trusted by the data holder, and the data holder is registered as a client with the IdP, then the data holder, acting as an OIDC client, SHALL make an authentication request to the IdP’s authorization endpoint as per [Section 3.1.2.1 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) and Section 3.4 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).",SHALL,Server,,,,3.8.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_identity_provider_interaction_group-udap_security_idp_authentication_request +hl7.fhir.us.udap-security_1.0.0,245,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is trusted by the data holder, and the data holder is registered as a client with the IdP, then the data holder, acting as an OIDC client, SHALL make an authentication request to the IdP’s authorization endpoint as per [Section 3.1.2.1 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) and Section 3.4 of [UDAP Tiered 
OAuth](https://www.udap.org/udap-user-auth-stu1.html).",SHALL,Server,,,,3.10.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_identity_provider_interaction_group-udap_security_idp_authentication_request hl7.fhir.us.udap-security_1.0.0,246,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,Authorization Servers MUST support the use of the HTTP `GET` and `POST` methods defined in [RFC 7231](https://openid.net/specs/openid-connect-core-1_0.html#RFC7231) at the Authorization Endpoint.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-oidc_auth_request_construction hl7.fhir.us.udap-security_1.0.0,247,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,OpenID Connect [authentication] requests MUST contain the openid scope value.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-oidc_auth_request_construction hl7.fhir.us.udap-security_1.0.0,248,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,"[When constructing an OpenID Connect authentication request the] `response_type` parameter is REQUIRED. Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used. When using the Authorization Code Flow, this value is code.",SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-oidc_auth_request_construction 
@@ -122,9 +122,9 @@ hl7.fhir.us.udap-security_1.0.0,249,https://openid.net/specs/openid-connect-core hl7.fhir.us.udap-security_1.0.0,250,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,[When constructing an OpenID Connect authentication request the] `redirect_uri` [parameter is] REQUIRED [and SHALL be a] Redirection URI to which the response will be sent.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-oidc_auth_request_construction hl7.fhir.us.udap-security_1.0.0,251,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,"[When constructing an OpenID Connect authentication request] The [`redirect_uri`] URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in [Section 6.2.1 of [RFC3986]](https://openid.net/specs/openid-connect-core-1_0.html#RFC3986) (Simple String Comparison).",SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-oidc_auth_request_construction hl7.fhir.us.udap-security_1.0.0,252,https://www.udap.org/udap-user-auth-stu1.html,"[When UDAP Tiered OAuth for User Authentication is being requested] If... 
[the “openid” and “udap”] scope is omitted, the behavior of the IdP is entirely unspecified and the IdP SHOULD NOT proceed with the UDAP Tiered OAuth for User Authentication workflow.",SHOULD NOT,server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,253,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST use the authorization code flow when redirecting the user to the IdP’s authorization endpoint,SHALL,server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,254,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST generate its own random value for the state parameter,SHALL,server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,255,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST NOT reuse the [state] value provided by the Client App in Step 2.,SHALL NOT,server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,253,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST use the authorization code flow when redirecting the user to the IdP’s authorization endpoint,SHALL,server,,,,3.3.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_authorization_code_flow +hl7.fhir.us.udap-security_1.0.0,254,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST generate its own random value for the state parameter,SHALL,server,,,,3.7.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_state_parameter_management +hl7.fhir.us.udap-security_1.0.0,255,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST NOT reuse the [state] value provided by the Client App in Step 2.,SHALL NOT,server,,,,3.7.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_state_parameter_management 
hl7.fhir.us.udap-security_1.0.0,258,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,The Authorization Server MUST validate all the OAuth 2.0 [authentication request] parameters according to the OAuth 2.0 specification.,SHALL,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,259,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"the Authorization Server MUST ...Verify that a `scope` parameter is present and contains the `openid` scope value [on an authentication request]. (If no `openid` scope value is present, the request may still be a valid OAuth 2.0 request but is not an OpenID Connect request.)",SHALL,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,260,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,The Authorization Server MUST verify that all the REQUIRED [authentication request] parameters are present and their usage conforms to this specification.,SHALL,Server,,,,"","" 
@@ -134,31 +134,31 @@ hl7.fhir.us.udap-security_1.0.0,263,https://openid.net/specs/openid-connect-core hl7.fhir.us.udap-security_1.0.0,264,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"[When validating authentication requests received] If the Authorization Server encounters any error, it MUST return an error response, per [Section 3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation)",SHALL,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,265,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,he Authorization Server MUST attempt to Authenticate the End-User [for an authentication request when] … The End-User is not already Authenticated.,SHALL,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,266,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST attempt to Authenticate the End-User [for an authentication request when] … The Authentication Request contains the prompt parameter with the value login. In this case, the Authorization Server MUST reauthenticate the End-User even if the End-User is already authenticated.",SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,267,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST NOT interact with the End-User [on an authentication request when] the Authentication Request contains the prompt parameter with the value none. 
In this case, the Authorization Server MUST return an error if an End-User is not already Authenticated or could not be silently Authenticated.",SHALL NOT,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,268,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"In this case, [when the Authentication Request contains the prompt parameter with the value none] the Authorization Server MUST return an error if an End-User is not already Authenticated or could not be silently Authenticated.",SHALL NOT,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,269,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"When interacting with the End-User [for an authentication request], the Authorization Server MUST employ appropriate measures against Cross-Site Request Forgery and Clickjacking as, described in [Sections 10.12 and 10.13 of OAuth 2.0](https://openid.net/specs/openid-connect-core-1_0.html#RFC6749) [RFC6749].",SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,270,https://www.udap.org/udap-user-auth-stu1.html,[When the IdP interacts with the user to authenticate the user] The Resource Holder MUST validate that the value of the state parameter in the query string matches the value generated in Step 3.4.,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,271,https://www.udap.org/udap-user-auth-stu1.html,"[When the IdP interacts with the user to authenticate the user] If [the value of the state parameter in the query string ] does NOT match, the Resource Holder MUST terminate this workflow by redirecting the user’s browser to the Client App’s redirection URI with an error code of “server_error” as per standard OAuth 2.0 error flow.",SHALL NOT,Server,,,,3.6.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_state_mismatch_error -hl7.fhir.us.udap-security_1.0.0,272,https://www.udap.org/udap-user-auth-stu1.html,"If the Resource Holder receives ... 
an error response from the IdP [for an authentication request], the Resource Holder MUST first validate the value of the state parameter as described in Step 4.1",SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,273,https://www.udap.org/udap-user-auth-stu1.html,"If the state value is valid [on an error response for an authentication request], the Resource Holder MUST terminate this workflow by redirecting the user’s browser to the Client App’s redirection URI with an error code of “access_denied” as per standard OAuth 2.0 error flow,",SHALL,Server,,,,3.6.05,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_valid_state_error_response +hl7.fhir.us.udap-security_1.0.0,267,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST NOT interact with the End-User [on an authentication request when] the Authentication Request contains the prompt parameter with the value none. 
In this case, the Authorization Server MUST return an error if an End-User is not already Authenticated or could not be silently Authenticated.",SHALL NOT,Server,,,,3.6.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_prompt_none_error +hl7.fhir.us.udap-security_1.0.0,268,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"In this case, [when the Authentication Request contains the prompt parameter with the value none] the Authorization Server MUST return an error if an End-User is not already Authenticated or could not be silently Authenticated.",SHALL NOT,Server,,,,3.6.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_prompt_none_error +hl7.fhir.us.udap-security_1.0.0,269,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"When interacting with the End-User [for an authentication request], the Authorization Server MUST employ appropriate measures against Cross-Site Request Forgery and Clickjacking as, described in [Sections 10.12 and 10.13 of OAuth 2.0](https://openid.net/specs/openid-connect-core-1_0.html#RFC6749) [RFC6749].",SHALL,Server,,,,3.7.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_csrf_protection +hl7.fhir.us.udap-security_1.0.0,270,https://www.udap.org/udap-user-auth-stu1.html,[When the IdP interacts with the user to authenticate the user] The Resource Holder MUST validate that the value of the state parameter in the query string matches the value generated in Step 3.4.,SHALL,Server,,,,3.7.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_state_parameter_management +hl7.fhir.us.udap-security_1.0.0,271,https://www.udap.org/udap-user-auth-stu1.html,"[When the IdP interacts with the user to authenticate the user] If 
[the value of the state parameter in the query string ] does NOT match, the Resource Holder MUST terminate this workflow by redirecting the user’s browser to the Client App’s redirection URI with an error code of “server_error” as per standard OAuth 2.0 error flow.",SHALL NOT,Server,,,,3.6.06,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_state_mismatch_error +hl7.fhir.us.udap-security_1.0.0,272,https://www.udap.org/udap-user-auth-stu1.html,"If the Resource Holder receives ... an error response from the IdP [for an authentication request], the Resource Holder MUST first validate the value of the state parameter as described in Step 4.1",SHALL,Server,,,,3.7.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_state_parameter_management +hl7.fhir.us.udap-security_1.0.0,273,https://www.udap.org/udap-user-auth-stu1.html,"If the state value is valid [on an error response for an authentication request], the Resource Holder MUST terminate this workflow by redirecting the user’s browser to the Client App’s redirection URI with an error code of “access_denied” as per standard OAuth 2.0 error flow,",SHALL,Server,,,,3.6.08,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_valid_state_error_response hl7.fhir.us.udap-security_1.0.0,278,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,The authorization server MUST implement CSRF protection for its authorization endpoint and ensure that a malicious client cannot obtain authorization without the awareness and explicit consent of the resource owner.,SHALL,Server,,,,3.7.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_csrf_protection 
-hl7.fhir.us.udap-security_1.0.0,279,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP returns a successful authentication response with valid state parameter value and an authorization code, the data holder SHALL exchange the code for an access token and ID Token by making a request to the IdP’s token endpoint as per [Section 3.1.3.1 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest) and Section 4.3 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).",SHALL,Server,,,,3.8.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_identity_provider_interaction_group-udap_security_idp_token_exchange +hl7.fhir.us.udap-security_1.0.0,279,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP returns a successful authentication response with valid state parameter value and an authorization code, the data holder SHALL exchange the code for an access token and ID Token by making a request to the IdP’s token endpoint as per [Section 3.1.3.1 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest) and Section 4.3 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).",SHALL,Server,,,,3.10.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_identity_provider_interaction_group-udap_security_idp_token_exchange hl7.fhir.us.udap-security_1.0.0,282,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP returns an ID Token, the data holder SHALL then validate the ID Token as per Section [3.1.3.5 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation).",SHALL,Server,,,,3.5.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_id_token_validation 
hl7.fhir.us.udap-security_1.0.0,283,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The Client MUST validate the Token Response … Follow[ing] the validation rules in RFC 6749, especially those in [Sections 5.1 and 10.12](https://datatracker.ietf.org/doc/rfc6749/).",SHALL,Server,,,,"3.5.02, 3.5.03","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_access_token_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_token_response_validation" hl7.fhir.us.udap-security_1.0.0,284,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,[When constructing an an access token response] the `access_token` parameter [is] `REUIRED`… [and] added to the entity-body of the HTTP response with a 200 (OK) status code,SHALL,Server,,,,3.5.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_token_response_validation hl7.fhir.us.udap-security_1.0.0,285,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,[When constructing an an access token response] the `token_type` parameter [is] `REUIRED`… [and] added to the entity-body of the HTTP response with a 200 (OK) status code,SHALL,Server,,,,3.5.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_token_response_validation -hl7.fhir.us.udap-security_1.0.0,287,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,The authorization server MUST NOT issue client passwords or other client credentials to native application or user-agent-based application clients for the purpose of client authentication.,SHALL NOT,Server,,,,"","" 
-hl7.fhir.us.udap-security_1.0.0,288,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The authorization server must consider the security implications of interacting with unauthenticated clients and take measures to limit the potential exposure of other credentials (e.g., refresh tokens) issued to such clients.",SHALL,Server,,,,3.7.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_unauthenticated_clients +hl7.fhir.us.udap-security_1.0.0,287,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,The authorization server MUST NOT issue client passwords or other client credentials to native application or user-agent-based application clients for the purpose of client authentication.,SHALL NOT,Server,,,,3.8.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_client_authentication_group-udap_security_no_client_credentials_native_apps +hl7.fhir.us.udap-security_1.0.0,288,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The authorization server must consider the security implications of interacting with unauthenticated clients and take measures to limit the potential exposure of other credentials (e.g., refresh tokens) issued to such clients.",SHALL,Server,,,,3.7.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_unauthenticated_clients hl7.fhir.us.udap-security_1.0.0,289,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The Client MUST validate the Token Response ... 
Follow[ing] the ID Token validation rules in Section [3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).",SHALL,Server,,,,3.5.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_id_token_validation hl7.fhir.us.udap-security_1.0.0,290,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The Client MUST validate the Token Response ... Follow[ing] the Access Token validation rules in Section [3.1.3.8](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation)",SHALL,Server,,,,3.5.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_access_token_validation -hl7.fhir.us.udap-security_1.0.0,291,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP does not return an ID Token, or the ID Token cannot be successfully validated, or an error response is retured by the IdP, the data holder MAY return an `invalid_idp` error code to the client app or attempt an alternate user authentication",SHALL,Server,,,,3.6.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_invalid_id_token_error +hl7.fhir.us.udap-security_1.0.0,291,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP does not return an ID Token, or the ID Token cannot be successfully validated, or an error response is retured by the IdP, the data holder MAY return an `invalid_idp` error code to the client app or attempt an alternate user authentication",SHALL,Server,,,,3.6.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_invalid_id_token_error 
hl7.fhir.us.udap-security_1.0.0,292,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"When an ID Token has been returned and validated, the data holder SHOULD use the ID Token to attempt to match the authenticated user to a user or role in its own system, as appropriate for the resources requested.",SHOULD,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,293,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"the data holder can attempt to map the pair (`iss`,`sub`) to a known users in the data holder’s system.",MAY,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,294,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder has previously performed this mapping or has otherwise bound the pair (`iss`,`sub`) to a local user or role, it MAY rely on this previous mapping for subsequent authentications",MAY,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,295,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,the data holder MAY interact with the user following the redirection from the IdP back to the data holder’s redirection URI to increase confidence in the [role] resolution process.,MAY,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,296,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder is unable to resolve the authenticated user to a local user or role, as appropriate for the resources requested, it SHALL return an `access_denied` error response to the client app’s authorization request and terminate the workflow.",SHALL,Server,,,,3.6.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_unauthenticated_user_error 
-hl7.fhir.us.udap-security_1.0.0,297,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder successfully maps the authenticated user to a user or role in its own system, as appropriate for the resources requested, it SHALL also obtain authorization from the user for the scopes requested by the client app, if such authorization is required, as per Section [4.5 of UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html), returning to the workflow defined in [Section 4.1](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code) or [Section 5.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code) of this guide, for consumer-facing or B2B apps, respectively.",SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,296,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder is unable to resolve the authenticated user to a local user or role, as appropriate for the resources requested, it SHALL return an `access_denied` error response to the client app’s authorization request and terminate the workflow.",SHALL,Server,,,,3.6.07,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_unauthenticated_user_error +hl7.fhir.us.udap-security_1.0.0,297,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder successfully maps the authenticated user to a user or role in its own system, as appropriate for the resources requested, it SHALL also obtain authorization from the user for the scopes requested by the client app, if such authorization is required, as per Section [4.5 of UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html), returning to the workflow defined in [Section 
4.1](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code) or [Section 5.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code) of this guide, for consumer-facing or B2B apps, respectively.",SHALL,Server,,,,3.7.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_user_authorization diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb index 7e3a059..ea3e5ee 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb 
@@ -1,35 +1,51 @@ module UDAPSecurityTestKit class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test - title 'Complies with B2B Authorization Extension Object' + title 'Complies with requirements for the B2B Flow and Authorization Extension Object' id :udap_security_b2b_authorization_extension_object description %( - Client applications complies with requirements for the B2B Authorization Extension Object and: + Client application complies with requirements for the B2B Flow and Authorization Extension Object and: - Includes `subject_name` parameter if it is known for human or non-human requestors. - Includes `subject_id` parameter for human requestors when the `subject_name` parameter is present. - Uses the National Provider Identifier (NPI) as the value for `subject_id` for human requestors in the US Realm. - - Ensures that the `consent_reference` parameter includes URLs that are resolvable by the receiving party + - Ensures that the `consent_reference` parameter includes URLs that are resolvable by the receiving party. - Omits `consent_reference` if `consent_policy` is not present. + - Ensures that the Requestor’s User, if applicable, is using the app only as authorized by the Requestor. + - Omits the `extensions` claim for client apps using the `authorization_code` flow. + - Includes the `subject_role` value if known for human requestors when the `subject_name` parameter is + present, and for US Realm, uses values/formats constrained by trust communities (preferably from the + NUCC Provider Taxonomy Code Set). + - Includes the `organization_id` value, using a URI scheme defined by the trust community. 
) - verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@203', + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@187', + 'hl7.fhir.us.udap-security_1.0.0@199', + 'hl7.fhir.us.udap-security_1.0.0@203', 'hl7.fhir.us.udap-security_1.0.0@204', 'hl7.fhir.us.udap-security_1.0.0@205', 'hl7.fhir.us.udap-security_1.0.0@206', 'hl7.fhir.us.udap-security_1.0.0@207', + 'hl7.fhir.us.udap-security_1.0.0@208', + 'hl7.fhir.us.udap-security_1.0.0@213', 'hl7.fhir.us.udap-security_1.0.0@219', 'hl7.fhir.us.udap-security_1.0.0@220', 'hl7.fhir.us.udap-security_1.0.0@221' input :b2b_authorization_extension_object_compliance, - title: 'Complies with requirements for the B2B Authorization Extension Object', + title: 'Complies with requirements for the B2B Flow and Authorization Extension Object', description: %( - I attest that the client applications complies with requirements for the B2B Authorization Extension Object - and: + I attest that the client application complies with requirements for the B2B Flow and Authorization + Extension Object and: - Includes `subject_name` parameter if it is known for human or non-human requestors. - Includes `subject_id` parameter for human requestors when the `subject_name` parameter is present. - - Uses the National Provider Identifier (NPI) as the value for `subject_id` for human requestors in the US - Realm. - - Ensures that the `consent_reference` parameter includes URLs that are resolvable by the receiving party + - Uses the National Provider Identifier (NPI) as the value for `subject_id` for human requestors in the + US Realm. + - Ensures that the `consent_reference` parameter includes URLs that are resolvable by the receiving party. - Omits `consent_reference` if `consent_policy` is not present. + - Ensures that the Requestor’s User, if applicable, is using the app only as authorized by the Requestor. + - Omits the `extensions` claim for client apps using the `authorization_code` flow. 
+ - Includes the `subject_role` value if known for human requestors when the `subject_name` parameter is + present, and for US Realm, uses values/formats constrained by trust communities (preferably from the + NUCC Provider Taxonomy Code Set). + - Includes the `organization_id` value, using a URI scheme defined by the trust community. ), type: 'radio', default: 'false', diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/cryptographic_algorithms_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/cryptographic_algorithms_test.rb new file mode 100644 index 0000000..fde0ee4 --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/cryptographic_algorithms_test.rb 
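Review bot: The same ten-bullet requirement list is now maintained twice in this test, once under `description %(` and again under the input's `description: %(`, and this hunk had to patch both copies line by line (the old copies had already drifted in line wrapping). Defining the list once, e.g. `B2B_REQUIREMENTS = %(...).freeze` at the top of the class and interpolating it as `#{B2B_REQUIREMENTS}` in both places, keeps the test description and the attestation prompt from diverging. The same duplication appears in the new cryptographic_algorithms_test.rb and oauth2_protocol_compliance_test.rb hunks below. The class body, including its `run` block, continues outside this hunk.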
@@ -0,0 +1,44 @@ +module UDAPSecurityTestKit + class CryptographicAlgorithmsAndSecurityProtocolsAttestationTest < Inferno::Test + title 'supports the RS256 signature algorithm' + id :udap_security_crypto_algorithms_and_protocols + description %( + Client application supports the RS256 signature algorithm as defined in as defined in + [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1) for UDAP workflows. + ) + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@4' + + input :crypto_algorithms_and_protocols_compliance, + title: 'Supports the RS256 signature algorithm', + description: %( + I attest that the client application supports the RS256 signature algorithm as defined in as defined in + [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1) for UDAP workflows. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + + input :crypto_algorithms_and_protocols_compliance_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert crypto_algorithms_and_protocols_compliance == 'true', + 'Client application did not comply with cryptographic algorithms and security protocols requirements + (RS256 support).' + pass crypto_algorithms_and_protocols_compliance_note if crypto_algorithms_and_protocols_compliance_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/oauth2_protocol_compliance_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/oauth2_protocol_compliance_test.rb new file mode 100644 index 0000000..c1694c9 --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/oauth2_protocol_compliance_test.rb 
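Review bot: Both the test `description` and the input `description` repeat the phrase "as defined in as defined in", so the attestation text shown to the tester reads as a typo; change it to `Client application supports the RS256 signature algorithm as defined in` followed by the RFC 7518 link in both places. The `title` is also the only one in this set that starts lowercase (`'supports the RS256 signature algorithm'`), while the sibling tests use `'Complies with …'`/`'Authenticates …'`; capitalising it keeps the rendered test list consistent.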
@@ -0,0 +1,50 @@ +module UDAPSecurityTestKit + class OAuth2ProtocolComplianceAttestationTest < Inferno::Test + title 'Complies with OAuth 2.0 Protocol Requirements' + id :udap_security_oauth2_protocol_compliance + description %( + Client application complies with OAuth 2.0 protocol requirements: + - Ignores unrecognized response parameters in the authorization response when receiveing an response to an + authorization request. + - Follows the token request and response protocol as defined in RFC 6749 Sections 4.1.3 and 4.1.4 when + authenticating with a shared secret. + ) + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@139', + 'hl7.fhir.us.udap-security_1.0.0@162' + + input :oauth2_protocol_compliance, + title: 'Complies with OAuth 2.0 Protocol Requirements', + description: %( + I attest that the client application complies with OAuth 2.0 protocol requirements: + - Ignores unrecognized response parameters in the authorization response when receiveing an response to an + authorization request. + - Follows the token request and response protocol as defined in RFC 6749 Sections 4.1.3 and 4.1.4 when + authenticating with a shared secret. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + + input :oauth2_protocol_compliance_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert oauth2_protocol_compliance == 'true', + 'Client application did not comply with OAuth 2.0 protocol requirements.' + pass oauth2_protocol_compliance_note if oauth2_protocol_compliance_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client/resource_holder_authentication_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/resource_holder_authentication_test.rb new file mode 100644 index 0000000..ba0e866 --- /dev/null 
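Review bot: The first bullet in both the test `description` and the input `description` reads "when receiveing an response to an authorization request", which is what the tester will see when asked to attest; it should be `- Ignores unrecognized response parameters in the authorization response when receiving a response to an authorization request.` in both places. The second bullet is fine as written, though spelling out the RFC 6749 link the way the RFC 7518 link is done in the sibling test would make the attestation self-contained.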
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client/resource_holder_authentication_test.rb @@ -0,0 +1,45 @@ +module UDAPSecurityTestKit + class ResourceHolderTokenEndpointAuthenticationAttestationTest < Inferno::Test + title 'Authenticates to IdP Token Endpoint' + id :udap_security_resource_holder_token_endpoint_authentication + description %( + The Resource authenticates to the IdP’s token endpoint when requesting an ID token + and access token, as detailed in Section 5 of UDAP JWT-based Client Authentication. + ) + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@281' + + input :resource_holder_token_endpoint_authentication, + title: 'Authenticates to IdP Token Endpoint', + description: %( + I attest that the Resource Holder authenticates to the IdP’s token endpoint when requesting an ID token + and access token, as detailed in Section 5 of UDAP JWT-based Client Authentication. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { + label: 'Yes', + value: 'true' + }, + { + label: 'No', + value: 'false' + } + ] + } + + input :resource_holder_token_endpoint_authentication_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert resource_holder_token_endpoint_authentication == 'true', + 'Resource Holder did not authenticate to the IdP’s token endpoint as required.' + if resource_holder_token_endpoint_authentication_note.present? + pass resource_holder_token_endpoint_authentication_note + end + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb index 89c949d..b25472a 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb 
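Review bot: The test `description` says "The Resource authenticates to the IdP’s token endpoint", dropping the word "Holder", while the class name, the input description and the failure message all say "Resource Holder"; change it to `The Resource Holder authenticates to the IdP’s token endpoint when requesting an ID token`. Since this file lives under the client attestation group, a short sentence in the description noting that here the Resource Holder is acting as a client of the IdP (which is why it appears in the client suite) would spare the tester the same confusion.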
@@ -1,12 +1,16 @@
 require_relative 'client/client_authorization_code_usage_test'
 require_relative 'client/b2b_authorization_extension_object_test'
 require_relative 'client/client_security_csrf_protection_test'
+require_relative 'client/cryptographic_algorithms_test'
+require_relative 'client/data_holder_auth_request_scope_test'
+require_relative 'client/idp_authentication_compliance_test'
 require_relative 'client/idp_supports_required_scopes_test'
 require_relative 'client/jti_reuse_prevention_test'
 require_relative 'client/metadata_interpretation_test'
+require_relative 'client/oauth2_protocol_compliance_test'
 require_relative 'client/preferred_identity_provider_test'
 require_relative 'client/private_key_authentication_test'
-require_relative 'client/scopes_identity_provider_interaction_test'
+require_relative 'client/resource_holder_authentication_test'
 require_relative 'client/software_statement_registration_test'
 require_relative 'client/token_request_authentication_test'
 require_relative 'client/trust_community_query_parameters_test'
@@ -23,16 +27,20 @@ class ClientAttestationGroup < Inferno::TestGroup
     run_as_group
     test from: :udap_security_client_auth_code_usage
+    test from: :udap_security_crypto_algorithms_and_protocols
     test from: :udap_security_idp_supports_scopes
     test from: :udap_security_jti_reuse_prevention
     test from: :udap_security_metadata_interpretation
     test from: :udap_security_preferred_idp
     test from: :udap_security_private_key_authentication
     test from: :udap_security_token_request_authentication
+    test from: :udap_security_oauth2_protocol_compliance
+    test from: :udap_security_resource_holder_token_endpoint_authentication
     test from: :udap_security_software_statement_registration
     test from: :udap_security_b2b_authorization_extension_object
     test from: :udap_security_client_security_csrf_protection
-    test from: :udap_security_scopes_identity_provider_interaction
+    test from: :udap_security_data_holder_auth_request_scope
+    test from: :udap_security_idp_authentication_compliance
     test from: :udap_security_validation_confidentiality
     test from: :udap_security_trust_community_query_parameters
   end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group.rb
new file mode 100644
index 0000000..7f730c3
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group.rb
@@ -0,0 +1,13 @@
+require_relative 'authentication_requests_group/authentication_request_construction_test'
+require_relative 'authentication_requests_group/authentication_request_validation_test'
+
+module UDAPSecurityTestKit
+  class OpenIDConnectAuthenticationRequestsAttestationGroup < Inferno::TestGroup
+    id :udap_server_v100_authentication_requests_group
+    title 'Authentication Requests'
+
+    run_as_group
+    test from: :oidc_auth_request_construction
+    test from: :udap_security_access_token_request_validation
+  end
+end
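Review bot: The new `authentication_requests_group.rb` requires `authentication_request_validation_test` but then registers `test from: :udap_security_access_token_request_validation`, which is the id of the access-token test already run by `AuthorizationCodeTokenRequestsAttestationGroup`; the validation test this group loads declares `id :oidc_auth_request_validation` (visible in the renamed file further down this patch). As written, the OpenID Connect authentication-request validation attestation never runs anywhere and the access-token test runs twice, so the requirements the validation test claims would be silently uncovered. The fix is the one line `test from: :oidc_auth_request_validation`.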
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group/authentication_request_construction_test.rb similarity index 83% rename from lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb rename to lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group/authentication_request_construction_test.rb index 6370a79..c32b656 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_construction_test.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group/authentication_request_construction_test.rb @@ -6,6 +6,7 @@ class AuthenticationRequestConstructionAttestationTest < Inferno::Test Authorization Server complies ith OpenID Connect requirements and ensures: - HTTP GET and POST methods are supported at the Authorization Endpoint. - The `openid` scope value is included in requests. + - A `scope` parameter is present and contains the `openid` scope value on an authentication request - Required parameters (`response_type`, `client_id`, `redirect_uri`) are present and valid. - The `redirect_uri` exactly matches pre-registered values. ) 
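Review bot: The added bullet "A `scope` parameter is present and contains the `openid` scope value on an authentication request" largely restates the bullet immediately above it ("The `openid` scope value is included in requests") and is the only bullet in the list without a trailing period, so the tester sees the same obligation twice with slightly different wording. Merging them into one line such as `- A \`scope\` parameter is present on every authentication request and contains the \`openid\` scope value.` keeps the added requirement while reading as a single check; the same pair appears in the input description in the next hunk. The pre-existing "complies ith" typo on the context line is outside this change but could be fixed while touching the text.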
@@ -14,14 +15,16 @@ class AuthenticationRequestConstructionAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@248', 'hl7.fhir.us.udap-security_1.0.0@249', 'hl7.fhir.us.udap-security_1.0.0@250', - 'hl7.fhir.us.udap-security_1.0.0@251' + 'hl7.fhir.us.udap-security_1.0.0@251', + 'hl7.fhir.us.udap-security_1.0.0@259' input :auth_request_construction_correct, - title: 'OpenID Connect Authentication Requests: Complies with OpenID Connect requirements', + title: 'Authentication Requests: Complies with OpenID Connect requirements', description: %( I attest that the Authorization Server complies with OpenID Connect requirements and ensures: - HTTP GET and POST methods are supported at the Authorization Endpoint. - The `openid` scope value is included in requests. + - A `scope` parameter is present and contains the `openid` scope value on an authentication request - Required parameters (`response_type`, `client_id`, `redirect_uri`) are present and valid. - The `redirect_uri` exactly matches pre-registered values. ), diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group/authentication_request_validation_test.rb similarity index 92% rename from lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb rename to lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group/authentication_request_validation_test.rb index 984d065..faf98b2 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group/authentication_request_validation_test.rb 
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group/authentication_request_validation_test.rb @@ -1,6 +1,6 @@ module UDAPSecurityTestKit class AuthenticationRequestValidationAttestationTest < Inferno::Test - title 'OpenID Connect Authentication Requests: Complies with OpenID Connect requirements in validation' + title 'Complies with OpenID Connect requirements in validation' id :oidc_auth_request_validation description %( Authorization Server complies with OpenID Connect requirements and ensures: @@ -23,7 +23,7 @@ class AuthenticationRequestValidationAttestationTest < Inferno::Test 'hl7.fhir.us.udap-security_1.0.0@269' input :auth_request_validation_correct, - title: 'OpenID Connect Authentication Requests: Complies with OpenID Connect requirements in validation', + title: 'Authentication Requests: Complies with OpenID Connect requirements in validation', description: %( I attest that the Authorization Server complies with OpenID Connect requirements and ensures: - Validation of all OAuth 2.0 parameters. diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group.rb index 61bcb51..f2461cf 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group.rb 
@@ -1,6 +1,7 @@ require_relative 'authorization_code_token_requests_group/authorization_code_usage_test' require_relative 'authorization_code_token_requests_group/access_token_request_validation_test' require_relative 'authorization_code_token_requests_group/access_token_lifetime_test' +require_relative 'authorization_code_token_requests_group/resource_holder_authorization_flow_test' module UDAPSecurityTestKit class AuthorizationCodeTokenRequestsAttestationGroup < Inferno::TestGroup @@ -11,5 +12,6 @@ class AuthorizationCodeTokenRequestsAttestationGroup < Inferno::TestGroup test from: :udap_security_auth_code_usage test from: :udap_security_access_token_request_validation test from: :udap_security_access_token_lifetime + test from: :udap_security_authorization_code_flow end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/resource_holder_authorization_flow_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/resource_holder_authorization_flow_test.rb new file mode 100644 index 0000000..d027f17 --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/resource_holder_authorization_flow_test.rb 
@@ -0,0 +1,37 @@ +module UDAPSecurityTestKit + class AuthorizationCodeFlowAttestationTest < Inferno::Test + title 'Resource Holder uses the authorization code flow' + id :udap_security_authorization_code_flow + description %( + The Resource Holder uses the authorization code flow when redirecting the user + to the IdP’s authorization endpoint. + ) + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@253' + + input :authorization_code_flow_correct, + title: 'Authorization Code and Token Requests: Resource Holder uses authorization code flow', + description: %( + I attest that the Resource Holder uses the authorization code flow when redirecting + the user to the IdP’s authorization endpoint. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { label: 'Yes', value: 'true' }, + { label: 'No', value: 'false' } + ] + } + input :authorization_code_flow_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert authorization_code_flow_correct == 'true', + 'Resource Holder does not use the authorization code flow when redirecting the user to the + IdP’s authorization endpoint.' + pass authorization_code_flow_note if authorization_code_flow_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group.rb new file mode 100644 index 0000000..c463bef --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group.rb 
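Review bot: The failure message passed to `assert` is a single-quoted string literal that spans two source lines, so the string Inferno reports will contain an embedded newline followed by the leading indentation of the continuation line. Either keep it on one line or use adjacent-literal concatenation, e.g. `'Resource Holder does not use the authorization code flow when redirecting the user to the ' \` followed by `'IdP’s authorization endpoint.'`; the same two-line single-quoted pattern recurs in the other new attestation tests in this patch (cryptographic algorithms, general error response, invalid_idp, prompt=none).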
@@ -0,0 +1,13 @@
+require_relative 'client_authentication_group/client_certificate_storage_test'
+require_relative 'client_authentication_group/no_client_credentials_native_apps_test'
+
+module UDAPSecurityTestKit
+  class ClientAuthenticationGroup < Inferno::TestGroup
+    id :udap_server_v100_client_authentication_group
+    title 'Client Authentication and Credential Management'
+
+    run_as_group
+    test from: :udap_security_client_certificate_storage
+    test from: :udap_security_no_client_credentials_native_apps
+  end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group/client_certificate_storage_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group/client_certificate_storage_test.rb
new file mode 100644
index 0000000..c294697
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group/client_certificate_storage_test.rb
@@ -0,0 +1,36 @@ +module UDAPSecurityTestKit + class ClientCertificateStorageAttestationTest < Inferno::Test + title 'Authorization Server stores client certificate for authentication' + id :udap_security_client_certificate_storage + description %( + The Authorization Server stores the certificate provided by the Client for + use in validating subsequent client authentication attempts. + ) + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@112' + + input :client_certificate_storage_correct, + title: 'Client Authentication: Authorization Server stores client certificate', + description: %( + I attest that the Authorization Server stores the certificate provided by the Client for + use in validating subsequent client authentication attempts. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { label: 'Yes', value: 'true' }, + { label: 'No', value: 'false' } + ] + } + input :client_certificate_storage_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert client_certificate_storage_correct == 'true', + 'Authorization Server does not store the client certificate for use in subsequent authentication attempts.' + pass client_certificate_storage_note if client_certificate_storage_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group/no_client_credentials_native_apps_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group/no_client_credentials_native_apps_test.rb new file mode 100644 index 0000000..8f1873f --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group/no_client_credentials_native_apps_test.rb 
@@ -0,0 +1,38 @@ +module UDAPSecurityTestKit + class NoClientCredentialsForNativeAppsAttestationTest < Inferno::Test + title 'Does not issue client credentials to native/user-agent-based apps' + id :udap_security_no_client_credentials_native_apps + description %( + The Authorization Server does not issue client passwords or other client + credentials to native application or user-agent-based application clients for the + purpose of client authentication. + ) + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@287' + + input :no_client_credentials_native_apps_correct, + title: 'Client Authentication: Does not issue client credentials to native/user-agent-based apps', + description: %( + I attest that the Authorization Server does not issue client passwords or other client + credentials to native application or user-agent-based application clients for the + purpose of client authentication. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { label: 'Yes', value: 'true' }, + { label: 'No', value: 'false' } + ] + } + input :no_client_credentials_native_apps_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert no_client_credentials_native_apps_correct == 'true', + 'Authorization Server issues client credentials to native or user-agent-based application clients.' + pass no_client_credentials_native_apps_note if no_client_credentials_native_apps_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group.rb index 76d3732..cdece37 100644 --- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group.rb +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group.rb 
@@ -1,5 +1,9 @@ +require_relative 'error_handling_group/deny_token_request_test' +require_relative 'error_handling_group/general_error_response_test' require_relative 'error_handling_group/invalid_id_token_test' +require_relative 'error_handling_group/invalid_idp_test' require_relative 'error_handling_group/invalid_redirection_uri_test' +require_relative 'error_handling_group/prompt_none_test' require_relative 'error_handling_group/state_mismatch_test' require_relative 'error_handling_group/unauthenticated_user_test' require_relative 'error_handling_group/valid_state_error_response_test' @@ -10,10 +14,14 @@ class ErrorHandlingAttestationGroup < Inferno::TestGroup title 'Error Handling' run_as_group + test from: :udap_security_invalid_idp_error test from: :udap_security_invalid_id_token_error + test from: :udap_security_deny_token_request + test from: :udap_security_prompt_none_error test from: :udap_security_invalid_redirection_uri test from: :udap_security_state_mismatch_error test from: :udap_security_unauthenticated_user_error test from: :udap_security_valid_state_error_response + :udap_security_general_error_response end end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/deny_token_request_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/deny_token_request_test.rb new file mode 100644 index 0000000..e49cf9a --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/deny_token_request_test.rb 
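Review bot: In the second hunk the last added line is the bare symbol `:udap_security_general_error_response` with no `test from:` in front of it, so the general error response test is required at the top of the file but never added to the group; Ruby evaluates the symbol as a useless literal in void context (a warning under `-w`) and the attestation for requirement @264 is silently dropped from the run. The line should be `test from: :udap_security_general_error_response`, matching the three `test from:` lines added just above it.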
@@ -0,0 +1,42 @@ +module UDAPSecurityTestKit + class DenyTokenRequestAttestationTest < Inferno::Test + title 'Denies token request that cannot be validated from x5c parameter' + id :udap_security_deny_token_request + description %( + Authorization Server denies the token request if: + - JWT signature cannot be validated using the public key from the x5c parameter. + - A trusted certificate chain cannot be built and validated from the x5c parameter. + - Required parameter is missing or a parameter is invalid. + ) + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@174', + 'hl7.fhir.us.udap-security_1.0.0@176', + 'hl7.fhir.us.udap-security_1.0.0@183' + + input :deny_token_request, + title: 'Error Handling: Denies token request that cannot be validated from x5c parameter', + description: %( + I attest that the Authorization Server denies the token request if: + - JWT signature cannot be validated using the public key from the x5c parameter. + - A trusted certificate chain cannot be built and validated from the x5c parameter. + - Required parameter is missing or a parameter is invalid. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { label: 'Yes', value: 'true' }, + { label: 'No', value: 'false' } + ] + } + input :deny_token_request_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert deny_token_request == 'true', + 'Authorization Server does not deny the token request when parameter(s) are invalid.' + pass deny_token_request_note if deny_token_request_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/general_error_response_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/general_error_response_test.rb new file mode 100644 index 0000000..c91d5cd --- /dev/null 
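Review bot: The failure message `'Authorization Server does not deny the token request when parameter(s) are invalid.'` only covers the third bullet of the attestation, while the first two bullets (an unverifiable JWT signature and an x5c chain that cannot be built to a trusted anchor) are the security-critical cases; a reviewer reading a failed run would not know the signature or chain checks are in scope. Widening it to `'Authorization Server does not deny the token request when the JWT signature or x5c certificate chain cannot be validated, or a required parameter is missing or invalid.'` keeps the message aligned with the three bullets. Note that requirement @176 is also claimed by `jwt_certificate_chain_validation_test` later in this patch, so the same obligation is attested twice.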
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/general_error_response_test.rb @@ -0,0 +1,39 @@ +module UDAPSecurityTestKit + class GeneralErrorResponseAttestationTest < Inferno::Test + title 'Returns error response on authentication request errors' + id :udap_security_general_error_response + description %( + Authorization Server returns an error response if it encounters any error while validating + an authentication request, as per + [Section 3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation). + ) + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@264' + + input :general_error_response_handling_correct, + title: 'Error Handling: Returns error response on authentication request errors', + description: %( + I attest that the Authorization Server returns an error response if it encounters any + error while validating an authentication request, as per + [Section 3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation). + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { label: 'Yes', value: 'true' }, + { label: 'No', value: 'false' } + ] + } + input :general_error_response_handling_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert general_error_response_handling_correct == 'true', + 'Authorization Server does not return an error response when it encounters an error + while validating an authentication request.' + pass general_error_response_handling_note if general_error_response_handling_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_idp_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_idp_test.rb new file mode 100644 index 0000000..7f3cdf5 --- /dev/null 
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_idp_test.rb @@ -0,0 +1,39 @@ +module UDAPSecurityTestKit + class InvalidIdpErrorAttestationTest < Inferno::Test + title 'Handles invalid_idp error correctly' + id :udap_security_invalid_idp_error + description %( + Data Holder returns an error response with the `invalid_idp` extension error code + when the IdP is rejected, as per + [Section 4.1.2.1 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1). + ) + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@241' + + input :invalid_idp_error_handling_correct, + title: 'Error Handling: Handles invalid_idp error correctly', + description: %( + I attest that the Data Holder returns an error response with the `invalid_idp` + extension error code when the IdP is rejected, as per + [Section 4.1.2.1 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1). + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { label: 'Yes', value: 'true' }, + { label: 'No', value: 'false' } + ] + } + input :invalid_idp_error_handling_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert invalid_idp_error_handling_correct == 'true', + 'Data Holder does not return an error response with the `invalid_idp` extension error code when the + IdP is rejected.' + pass invalid_idp_error_handling_note if invalid_idp_error_handling_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/prompt_none_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/prompt_none_test.rb new file mode 100644 index 0000000..dac237c --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/prompt_none_test.rb 
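Review bot: The attestation cites RFC 6749 §4.1.2.1 but does not say how the `invalid_idp` error is delivered, and that section is where the safety conditions live: as I read it, the error is returned by redirecting to the client's already-validated `redirect_uri` with the request's `state` echoed back, and no redirect may happen when the `redirect_uri` itself is missing or mismatched. Spelling that out in the description, for example `returns an error response with the \`invalid_idp\` extension error code (and the original \`state\`) to the validated \`redirect_uri\``, makes the tester attest to the behaviour that actually prevents open-redirect and CSRF-style misuse rather than just to the error code name. `invalid_idp` itself is a UDAP extension code rather than one defined in RFC 6749, so "extension error code" is the right wording.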
@@ -0,0 +1,39 @@ +module UDAPSecurityTestKit + class PromptNoneErrorAttestationTest < Inferno::Test + title 'Returns error for prompt=none when user not authenticated' + id :udap_security_prompt_none_error + description %( + Authorization Server returns an error if the authentication request contains prompt=none + and the End-User is not already authenticated or could not be silently authenticated. + ) + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@267', + 'hl7.fhir.us.udap-security_1.0.0@268' + + input :prompt_none_error_handling_correct, + title: 'Error Handling: Returns error for prompt=none when user not authenticated', + description: %( + I attest that the Authorization Server returns an error if the authentication + request contains prompt=none and the End-User is not already authenticated or + could not be silently authenticated. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { label: 'Yes', value: 'true' }, + { label: 'No', value: 'false' } + ] + } + input :prompt_none_error_handling_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert prompt_none_error_handling_correct == 'true', + 'Authorization Server does not return an error for prompt=none when the End-User + is not authenticated or could not be silently authenticated.' + pass prompt_none_error_handling_note if prompt_none_error_handling_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group.rb new file mode 100644 index 0000000..4715ebf --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group.rb 
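Review bot: The attestation only asks that the server "returns an error" for `prompt=none` when the End-User is not authenticated, so a server that answers with a generic `server_error` would pass; OpenID Connect Core §3.1.2.6 (already linked from the general error response test in this group) defines the specific codes for this situation, `login_required` and `interaction_required`. If the underlying requirements @267/@268 call for those codes, naming them in the description and input, e.g. `returns a \`login_required\` (or \`interaction_required\`) error response`, makes the attestation checkable. The `prompt=none` literal would also read better in backticks, as the other descriptions do for parameter names.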
@@ -0,0 +1,19 @@
+require_relative 'jwt_security_group/jwt_certificate_chain_validation_test'
+require_relative 'jwt_security_group/jwt_grant_parameter_validation_test'
+require_relative 'jwt_security_group/jwt_jti_reuse_test'
+require_relative 'jwt_security_group/jwt_signature_validation_test'
+require_relative 'jwt_security_group/jwt_token_request_validation_test'
+
+module UDAPSecurityTestKit
+  class JWTSecurityGroup < Inferno::TestGroup
+    id :udap_server_v100_jwt_security_group
+    title 'JWT/Token Validation and Security'
+
+    run_as_group
+    test from: :udap_security_jwt_token_request_validation
+    test from: :udap_security_jwt_signature_validation
+    test from: :udap_security_jwt_jti_reuse
+    test from: :udap_security_jwt_grant_parameter_validation
+    test from: :udap_security_jwt_certificate_chain_validation
+  end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_certificate_chain_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_certificate_chain_validation_test.rb
new file mode 100644
index 0000000..d4e3b98
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_certificate_chain_validation_test.rb
@@ -0,0 +1,36 @@ +module UDAPSecurityTestKit + class JwtCertificateChainValidationAttestationTest < Inferno::Test + title 'Builds and validates trusted certificate chain for x5c' + id :udap_security_jwt_certificate_chain_validation + description %( + The Authorization Server builds and validates a trusted certificate chain for the certificates in + the x5c parameter of the JOSE header on Authentication Tokens in token requests. + ) + verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@176' + + input :jwt_certificate_chain_validation_correct, + title: 'JWT/Token Validation and Security: Builds and validates trusted certificate chain for x5c', + description: %( + I attest that the Authorization Server builds and validates a trusted certificate chain for the + certificates in the x5c parameter of the JOSE header on Authentication Tokens in token requests. + ), + type: 'radio', + default: 'false', + options: { + list_options: [ + { label: 'Yes', value: 'true' }, + { label: 'No', value: 'false' } + ] + } + input :jwt_certificate_chain_validation_note, + title: 'Notes, if applicable:', + type: 'textarea', + optional: true + + run do + assert jwt_certificate_chain_validation_correct == 'true', + 'The Authorization Server does not build and validate a trusted certificate chain for x5c certificates.' + pass jwt_certificate_chain_validation_note if jwt_certificate_chain_validation_note.present? + end + end +end diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_grant_parameter_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_grant_parameter_validation_test.rb new file mode 100644 index 0000000..ef016b9 --- /dev/null +++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_grant_parameter_validation_test.rb 
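Review bot: This test claims requirement @176 alone, but `deny_token_request_test` earlier in this patch claims @176 as well, so the coverage report will count the same obligation under two attestations and a tester can answer them inconsistently. Either drop @176 from one of the two or add a sentence to this description saying it is the positive-side counterpart of the denial test. The word "trusted" is doing the real work here; stating what it means for this test kit, e.g. `a certificate chain that terminates at a trust anchor the Authorization Server recognises for the trust community`, would make the attestation harder to satisfy with a merely well-formed chain.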
@@ -0,0 +1,36 @@
+module UDAPSecurityTestKit
+ class JwtGrantParameterValidationAttestationTest < Inferno::Test
+ title 'Authorization Server validates parameters per grant mechanism'
+ id :udap_security_jwt_grant_parameter_validation
+ description %(
+ The Authorization Server validates all other parameters in the token request as per the
+ requirements of the grant mechanism identified by the grant_type value.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@182'
+
+ input :jwt_grant_parameter_validation_correct,
+ title: 'JWT/Token Validation and Security: Parameter validation per grant mechanism',
+ description: %(
+ I attest that the Authorization Server validates all other parameters in the token request
+ as per the requirements of the grant mechanism identified by the grant_type value.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ { label: 'Yes', value: 'true' },
+ { label: 'No', value: 'false' }
+ ]
+ }
+ input :jwt_grant_parameter_validation_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert jwt_grant_parameter_validation_correct == 'true',
+ 'The Authorization Server does not validate parameters as required by the grant mechanism.'
+ pass jwt_grant_parameter_validation_note if jwt_grant_parameter_validation_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_jti_reuse_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_jti_reuse_test.rb
new file mode 100644
index 0000000..1520945
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_jti_reuse_test.rb
@@ -0,0 +1,35 @@
+module UDAPSecurityTestKit
+ class JwtJtiReuseAttestationTest < Inferno::Test
+ title 'Does not reuse JWT `jti` value before expiry'
+ id :udap_security_jwt_jti_reuse
+ description %(
+ The server does not reuse a `jti` value in another JWT before the time specified in the `exp` claim has passed.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@56'
+
+ input :jwt_jti_reuse_correct,
+ title: 'JWT/Token Validation and Security: Does not reuse JWT `jti` value before expiry',
+ description: %(
+ I attest that the server does not reuse a `jti` value in another JWT before the time specified in the `exp`
+ claim has passed.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ { label: 'Yes', value: 'true' },
+ { label: 'No', value: 'false' }
+ ]
+ }
+ input :jwt_jti_reuse_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert jwt_jti_reuse_correct == 'true',
+ 'The server reuses a `jti` value in another JWT before the `exp` time has passed.'
+ pass jwt_jti_reuse_note if jwt_jti_reuse_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_signature_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_signature_validation_test.rb
new file mode 100644
index 0000000..86524ea
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_signature_validation_test.rb
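Review bot: The title and description do not say which JWTs this attestation covers: the file sits in the server attestation group, but "does not reuse a `jti` value in another JWT" is an obligation on whoever issues the JWT, whereas the server-side validation concern for received Authentication Tokens is rejecting a replayed `jti`. If the intent is JWTs the server itself generates (for example when it acts as a client to an IdP), say so, e.g. `The server, for any JWT it generates (e.g., as an OIDC client to an IdP), does not reuse a jti value in another JWT before the exp time has passed.`; if the intent is replay rejection on received tokens, the attestation text and the failure message should instead state that the server rejects a reused `jti`. The requirement text for @56 is not visible in this chunk, so which reading is correct cannot be confirmed from here.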
@@ -0,0 +1,36 @@
+module UDAPSecurityTestKit
+ class JwtSignatureValidationAttestationTest < Inferno::Test
+ title 'Validates JWT signature using public key from x5c parameter'
+ id :udap_security_jwt_signature_validation
+ description %(
+ The Authorization Server validates the digital signature on the Authentication Token using the public key
+ extracted from the first certificate in the x5c parameter of the JOSE header.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@173'
+
+ input :jwt_signature_validation_correct,
+ title: 'JWT/Token Validation and Security: Validates JWT signature using public key from x5c parameter',
+ description: %(
+ I attest that the Authorization Server validates the digital signature on the Authentication Token
+ using the public key extracted from the first certificate in the x5c parameter of the JOSE header.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ { label: 'Yes', value: 'true' },
+ { label: 'No', value: 'false' }
+ ]
+ }
+ input :jwt_signature_validation_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert jwt_signature_validation_correct == 'true',
+ 'The Authorization Server does not validate the JWT signature using the x5c public key.'
+ pass jwt_signature_validation_note if jwt_signature_validation_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_token_request_validation_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_token_request_validation_test.rb
new file mode 100644
index 0000000..b182a11
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_token_request_validation_test.rb
@@ -0,0 +1,43 @@
+module UDAPSecurityTestKit
+ class JwtTokenRequestValidationAttestationTest < Inferno::Test
+ title 'Validates and responds to token requests per UDAP JWT-Based Client Authentication'
+ id :udap_security_jwt_token_request_validation
+ description %(
+ The Authorization Server validates and responds to token requests containing Authentication Tokens
+ as per [Sections 6 and 7 of UDAP JWT-Based Client Authentication](https://www.udap.org/udap-jwt-client-auth.html).
+ )
+ verifies_requirements(
+ 'hl7.fhir.us.udap-security_1.0.0@172',
+ 'hl7.fhir.us.udap-security_1.0.0@229'
+ )
+
+ input :jwt_token_request_validation_correct,
+ title: %(
+ JWT/Token Validation and Security: Validates and responds to token requests per UDAP JWT-Based
+ Client Authentication
+ ),
+ description: %(
+ I attest that the Authorization Server validates and responds to token requests containing
+ Authentication Tokens as per [Sections 6 and 7 of UDAP JWT-Based Client Authentication](https://www.udap.org/udap-jwt-client-auth.html).
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ { label: 'Yes', value: 'true' },
+ { label: 'No', value: 'false' }
+ ]
+ }
+ input :jwt_token_request_validation_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert jwt_token_request_validation_correct == 'true',
+ 'The Authorization Server does not validate and respond to token requests as per UDAP JWT-Based
+ Client Authentication.'
+ pass jwt_token_request_validation_note if jwt_token_request_validation_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group.rb
deleted file mode 100644
index 0b1bf13..0000000
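Review bot: The failure message passed to `assert` in `run` is a single-quoted literal broken across two source lines, so the rendered message contains an embedded newline followed by the next line's indentation rather than a single space before "Client Authentication." Join adjacent literals instead: `'The Authorization Server does not validate and respond to token requests as per UDAP JWT-Based ' \` followed by `'Client Authentication.'`. The input `title: %( … )` has the same shape and will carry leading/trailing newlines and indentation into the rendered input title, unlike the single-line string titles used by the sibling tests in this group. The `obtain_authorization_scopes_test.rb` hunk further down has the same two-line assertion message.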
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/openid_connect_authentication_requests_group.rb
+++ /dev/null
@@ -1,13 +0,0 @@
-require_relative 'openid_connect_authentication_requests_group/authentication_request_construction_test'
-require_relative 'openid_connect_authentication_requests_group/authentication_request_validation_test'
-
-module UDAPSecurityTestKit
- class OpenIDConnectAuthenticationRequestsAttestationGroup < Inferno::TestGroup
- id :udap_server_v100_openid_connect_authentication_requests_group
- title 'OpenID Connect Authentication Requests'
-
- run_as_group
- test from: :oidc_auth_request_construction
- test from: :udap_security_access_token_request_validation
- end
-end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group.rb
index bb2a2c5..35ee8cf 100644
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group.rb
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group.rb
@@ -1,4 +1,6 @@
 require_relative 'security_measures_group/csrf_protection_test'
+require_relative 'security_measures_group/state_parameter_test'
+require_relative 'security_measures_group/obtain_authorization_scopes_test'
 require_relative 'security_measures_group/unauthenticated_client_security_test'

 module UDAPSecurityTestKit
@@ -8,6 +10,8 @@ class SecurityMeasuresAttestationGroup < Inferno::TestGroup

 run_as_group
 test from: :udap_security_csrf_protection
+ test from: :udap_security_state_parameter_management
 test from: :udap_security_unauthenticated_clients
+ test from: :udap_security_user_authorization
 end
 end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb
index 6530ab1..dd846e1 100644
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb
@@ -1,19 +1,23 @@
 module UDAPSecurityTestKit
 class CSRFProtectionAttestationTest < Inferno::Test
- title 'Implements CSRF protection for the authorization endpoint'
+ title 'Implements CSRF and Clickjacking protection'
 id :udap_security_csrf_protection
 description %(
- Authorization Server implements CSRF protection for its authorization endpoint, including mechanisms such as:
+ Authorization Server implements CSRF and Clickjacking protection as
+ described in [RFC6749](https://openid.net/specs/openid-connect-core-1_0.html#RFC6749),
+ including:
 - Use of anti-CSRF tokens.
 - Validation of `state` parameter to prevent cross-site request forgery.
 )
- verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@278'
+ verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@278',
+ 'hl7.fhir.us.udap-security_1.0.0@269'

 input :csrf_protection_implemented,
- title: 'Security Measures: Implements CSRF protection for the authorization endpoint',
+ title: 'Security Measures: Implements CSRF and Clickjacking protection',
 description: %(
- I attest that the Authorization Server implements CSRF protection for its authorization endpoint,
- including mechanisms such as:
+ I attest that the Authorization Server implements CSRF and Clickjacking protection as
+ described in [RFC6749](https://openid.net/specs/openid-connect-core-1_0.html#RFC6749),
+ including:
 - Use of anti-CSRF tokens.
 - Validation of `state` parameter to prevent cross-site request forgery.
 ),
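Review bot: The title and `verifies_requirements` now cover Clickjacking (@269), but the bullet list the tester actually attests to still names only CSRF mechanisms (anti-CSRF tokens, `state` validation), so a "Yes" here says nothing about clickjacking protection at all. Add a bullet to both the description and the input description, e.g. `- Clickjacking protection for the authorization endpoint, e.g. an X-Frame-Options header or a CSP frame-ancestors directive (RFC 6749 Section 10.13).` The `[RFC6749](https://openid.net/specs/openid-connect-core-1_0.html#RFC6749)` link resolves to the OIDC Core references entry rather than to the RFC itself; the datatracker form already used by the requirements CSV in this patch (`https://datatracker.ietf.org/doc/html/rfc6749`) would take the reader to the text being cited. The assertion message in the following hunk has the same omission, still reading "does not implement CSRF protection as described in RFC6749" with no mention of Clickjacking.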
@@ -38,7 +42,7 @@ class CSRFProtectionAttestationTest < Inferno::Test

 run do
 assert csrf_protection_implemented == 'true',
- 'Authorization Server does not implement CSRF protection for its authorization endpoint.'
+ 'Authorization Server does not implement CSRF protection as described in RFC6749.'
 pass csrf_protection_note if csrf_protection_note.present?
 end
 end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/obtain_authorization_scopes_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/obtain_authorization_scopes_test.rb
new file mode 100644
index 0000000..3cda305
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/obtain_authorization_scopes_test.rb
@@ -0,0 +1,44 @@
+module UDAPSecurityTestKit
+ class ObtainAuthorizationScopesAttestationTest < Inferno::Test
+ title 'Obtains user authorization for requested scopes'
+ id :udap_security_user_authorization
+ description %(
+ Resource Holder, after mapping the authenticated user, obtains authorization from the user for the scopes
+ requested by the client app, if such authorization is required, as per Section [4.5 of UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html),
+ returning to the workflow defined in [Section 4.1](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code)
+ or [Section 5.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code) of this
+ guide, for consumer-facing or B2B apps, respectively.
+ )
+ verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@297'
+
+ input :user_authorization_correct,
+ title: 'Security Measures: Obtains user authorization for requested scopes',
+ description: %(
+ I attest that the Resource Holder, after mapping the authenticated user, obtains authorization from the
+ user for the scopes requested by the client app, if such authorization is required, as per Section
+ [4.5 of UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html), returning to the workflow
+ defined in [Section 4.1](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code)
+ or [Section 5.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code) of
+ this guide, for consumer-facing or B2B apps, respectively.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ { label: 'Yes', value: 'true' },
+ { label: 'No', value: 'false' }
+ ]
+ }
+ input :user_authorization_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert user_authorization_correct == 'true',
+ 'Resource Holder does not obtain user authorization for the requested scopes after mapping the
+ authenticated user.'
+ pass user_authorization_note if user_authorization_note.present?
+ end
+ end
+end
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/state_parameter_test.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/state_parameter_test.rb
new file mode 100644
index 0000000..432a372
--- /dev/null
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/state_parameter_test.rb
@@ -0,0 +1,48 @@
+module UDAPSecurityTestKit
+ class StateParameterAttestationTest < Inferno::Test
+ title 'Manages state parameter securely'
+ id :udap_security_state_parameter_management
+ description %(
+ The Resource Holder:
+ - Generates its own random value for the state parameter (does not reuse the value provided by the Client App).
+ - Validates that the value of the state parameter in the query string matches the value it generated when the
+ user is redirected back from the IdP.
+ - Validates the value of the state parameter when receiving an error response from the IdP.
+ )
+ verifies_requirements(
+ 'hl7.fhir.us.udap-security_1.0.0@254',
+ 'hl7.fhir.us.udap-security_1.0.0@255',
+ 'hl7.fhir.us.udap-security_1.0.0@270',
+ 'hl7.fhir.us.udap-security_1.0.0@272'
+ )
+
+ input :state_parameter_management_correct,
+ title: 'Security Measures: Manages state parameter securely',
+ description: %(
+ I attest that the Resource Holder:
+ - Generates its own random value for the state parameter and does not reuse the value provided by the
+ Client App.
+ - Validates that the value of the state parameter in the query string matches the value it generated
+ when the user is redirected back from the IdP.
+ - Validates the value of the state parameter when receiving an error response from the IdP.
+ ),
+ type: 'radio',
+ default: 'false',
+ options: {
+ list_options: [
+ { label: 'Yes', value: 'true' },
+ { label: 'No', value: 'false' }
+ ]
+ }
+ input :state_parameter_management_note,
+ title: 'Notes, if applicable:',
+ type: 'textarea',
+ optional: true
+
+ run do
+ assert state_parameter_management_correct == 'true',
+ 'Resource Holder does not properly generate or validate the state parameter as required.'
+ pass state_parameter_management_note if state_parameter_management_note.present?
+ end
+ end
+end
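Review bot: "Generates its own random value for the state parameter" does not ask the attester to confirm that the value is unguessable or bound to the user-agent session, which is the property RFC 6749 Section 10.12 actually requires of the CSRF binding value; a Resource Holder using a predictable per-request counter could truthfully answer Yes. Consider `- Generates its own random, non-guessable value for the state parameter, bound to the user-agent session (does not reuse the value provided by the Client App).` in both the description and the input description. Whether requirements @254/@255 already spell this out cannot be seen from this chunk, so the wording should follow whatever the requirement text says.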
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group.rb
index 2877475..8273118 100644
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group.rb
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group.rb
@@ -1,11 +1,13 @@
 require_relative 'server/metadata_server_capabilities_group'
+require_relative 'server/client_authentication_group'
 require_relative 'server/dynamic_client_registration_group'
 require_relative 'server/authorization_code_token_requests_group'
-require_relative 'server/openid_connect_authentication_requests_group'
+require_relative 'server/authentication_requests_group'
 require_relative 'server/id_token_access_token_validation_group'
 require_relative 'server/error_handling_group'
 require_relative 'server/security_measures_group'
 require_relative 'server/identity_provider_interaction_group'
+require_relative 'server/jwt_security_group'

 module UDAPSecurityTestKit
 class ServerAttestationGroup < Inferno::TestGroup
@@ -19,10 +21,12 @@ class ServerAttestationGroup < Inferno::TestGroup
 group from: :udap_server_v100_metadata_server_capabilities_group
 group from: :udap_server_v100_dynamic_client_registration_group
 group from: :udap_server_v100_authorization_code_token_requests_group
- group from: :udap_server_v100_openid_connect_authentication_requests_group
+ group from: :udap_server_v100_authentication_requests_group
 group from: :udap_server_v100_id_token_access_token_validation_group
 group from: :udap_server_v100_error_handling_group
 group from: :udap_server_v100_security_measures_group
+ group from: :udap_server_v100_client_authentication_group
+ group from: :udap_server_v100_jwt_security_group
 group from: :udap_server_v100_identity_provider_interaction_group
 end
 end
From 67f7f74c3ce3a67354efc28661af332af5bf20ec Mon Sep 17 00:00:00 2001
From: Christine Duong Date: Wed, 16 Jul 2025 23:35:18 -0400 Subject: [PATCH 11/13] Updated requirements file --- .../udap_security_requirements_coverage.csv | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv b/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv
index e108824..4d79ab8 100644
--- a/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv
+++ b/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv
@@ -93,11 +93,11 @@ hl7.fhir.us.udap-security_1.0.0,134,https://datatracker.ietf.org/doc/html/rfc674 hl7.fhir.us.udap-security_1.0.0,135,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When responding to an authorization request i]f the resource owner grants the access request… the `code` parameter... MUST expire shortly after it is issued to mitigate the risk of leaks.,SHALL,Server,,,,3.3.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_auth_code_usage hl7.fhir.us.udap-security_1.0.0,137,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,"If an authorization code is used more than once, the authorization server MUST deny the request",SHALL,Server,,,,3.3.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_auth_code_usage hl7.fhir.us.udap-security_1.0.0,138,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,"[When responding to an authorization request i]f the resource owner grants the access request… the `state` parameter [is] `REQUIRED`if the ""state"" parameter was present in the client authorization request",SHALL,Server,,,,1.3.02,udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received -hl7.fhir.us.udap-security_1.0.0,146,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements),SHALL,Server,,,,"3.3.02, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation, 
udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-udap_security_access_token_request_validation" -hl7.fhir.us.udap-security_1.0.0,147,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: ...authenticate the client if client authentication is included,",SHALL,Server,,,,"3.3.02, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-udap_security_access_token_request_validation" +hl7.fhir.us.udap-security_1.0.0,146,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements),SHALL,Server,,,,"3.3.02, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-udap_security_access_token_request_validation" +hl7.fhir.us.udap-security_1.0.0,147,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: ...authenticate the client if client authentication is included,",SHALL,Server,,,,"3.3.02, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation, 
udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-udap_security_access_token_request_validation" hl7.fhir.us.udap-security_1.0.0,148,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: … ensure that the authorization code was issued to the authenticated confidential client, or if the client is public, ensure that the code was issued to ""client_id"" in the request,",SHALL,Server,,,,1.3.03,udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_token_exchange -hl7.fhir.us.udap-security_1.0.0,149,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: … verify that the authorization code is valid,SHALL,Server,,,,"3.3.02, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-udap_security_access_token_request_validation" -hl7.fhir.us.udap-security_1.0.0,150,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: … ensure that the ""redirect_uri"" parameter is present if the ""redirect_uri"" parameter was included in the initial authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and if included ensure that their values are identical.",SHALL,Server,,,,"3.3.02, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation, 
udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-udap_security_access_token_request_validation" +hl7.fhir.us.udap-security_1.0.0,149,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: … verify that the authorization code is valid,SHALL,Server,,,,"3.3.02, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-udap_security_access_token_request_validation" +hl7.fhir.us.udap-security_1.0.0,150,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: … ensure that the ""redirect_uri"" parameter is present if the ""redirect_uri"" parameter was included in the initial authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and if included ensure that their values are identical.",SHALL,Server,,,,"3.3.02, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-udap_security_access_token_request_validation" hl7.fhir.us.udap-security_1.0.0,172,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,An Authorization Server receiving token requests containing Authentication Tokens... 
SHALL validate and respond to the request as per [Sections 6 and 7 of UDAP JWT-Based Client Authentication](https://www.udap.org/udap-jwt-client-auth.html).,SHALL,Server,,,,3.9.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_jwt_security_group-udap_security_jwt_token_request_validation hl7.fhir.us.udap-security_1.0.0,173,https://www.udap.org/udap-jwt-client-auth.html,The AS validates the digital signature on the AnT [in the token request] using the public key extracted from cert1 in the x5c parameter of the JOSE header.,SHALL,Server,,,,3.9.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_jwt_security_group-udap_security_jwt_signature_validation hl7.fhir.us.udap-security_1.0.0,174,https://www.udap.org/udap-jwt-client-auth.html,"If the signature cannot be validated [using the public key extracted from cert1 in the x5c parameter], the [token] request is denied.",SHALL,Server,,,,3.6.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_deny_token_request 
@@ -115,18 +115,18 @@ hl7.fhir.us.udap-security_1.0.0,241,https://hl7.org/fhir/us/udap-security/STU1/u hl7.fhir.us.udap-security_1.0.0,242,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1,"If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server ... MUST NOT automatically redirect the user-agent to the invalid redirection URI.",SHALL NOT,Server,,,,3.6.05,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_invalid_redirection_uri hl7.fhir.us.udap-security_1.0.0,243,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is not trusted by the data holder, or if the data holder does not have and cannot obtain a client_id to use with the IdP ... the data holder MAY attempt to authenticate the user with a different trusted IdP or its own IdP, and MAY interact with the user to determine a suitable alternative",MAY,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,245,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is trusted by the data holder, and the data holder is registered as a client with the IdP, then the data holder, acting as an OIDC client, SHALL make an authentication request to the IdP’s authorization endpoint as per [Section 3.1.2.1 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) and Section 3.4 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).",SHALL,Server,,,,3.10.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_identity_provider_interaction_group-udap_security_idp_authentication_request -hl7.fhir.us.udap-security_1.0.0,246,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,Authorization Servers MUST support the use of the HTTP `GET` and `POST` methods defined in [RFC 
7231](https://openid.net/specs/openid-connect-core-1_0.html#RFC7231) at the Authorization Endpoint.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-oidc_auth_request_construction -hl7.fhir.us.udap-security_1.0.0,247,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,OpenID Connect [authentication] requests MUST contain the openid scope value.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-oidc_auth_request_construction -hl7.fhir.us.udap-security_1.0.0,248,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,"[When constructing an OpenID Connect authentication request the] `response_type` parameter is REQUIRED. Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used. When using the Authorization Code Flow, this value is code.",SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-oidc_auth_request_construction -hl7.fhir.us.udap-security_1.0.0,249,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,[When constructing an OpenID Connect authentication request the] `client_id` [parameter is] REQUIRED [and SHALL be a] Client Identifier valid at the Authorization Server.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-oidc_auth_request_construction -hl7.fhir.us.udap-security_1.0.0,250,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,[When constructing an OpenID Connect authentication request the] `redirect_uri` [parameter is] REQUIRED [and SHALL be a] Redirection URI to which the response will be 
sent.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-oidc_auth_request_construction -hl7.fhir.us.udap-security_1.0.0,251,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,"[When constructing an OpenID Connect authentication request] The [`redirect_uri`] URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in [Section 6.2.1 of [RFC3986]](https://openid.net/specs/openid-connect-core-1_0.html#RFC3986) (Simple String Comparison).",SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_openid_connect_authentication_requests_group-oidc_auth_request_construction +hl7.fhir.us.udap-security_1.0.0,246,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,Authorization Servers MUST support the use of the HTTP `GET` and `POST` methods defined in [RFC 7231](https://openid.net/specs/openid-connect-core-1_0.html#RFC7231) at the Authorization Endpoint.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_construction +hl7.fhir.us.udap-security_1.0.0,247,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,OpenID Connect [authentication] requests MUST contain the openid scope value.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_construction +hl7.fhir.us.udap-security_1.0.0,248,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,"[When constructing an OpenID Connect authentication request the] `response_type` parameter is REQUIRED. Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used. 
When using the Authorization Code Flow, this value is code.",SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_construction +hl7.fhir.us.udap-security_1.0.0,249,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,[When constructing an OpenID Connect authentication request the] `client_id` [parameter is] REQUIRED [and SHALL be a] Client Identifier valid at the Authorization Server.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_construction +hl7.fhir.us.udap-security_1.0.0,250,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,[When constructing an OpenID Connect authentication request the] `redirect_uri` [parameter is] REQUIRED [and SHALL be a] Redirection URI to which the response will be sent.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_construction +hl7.fhir.us.udap-security_1.0.0,251,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,"[When constructing an OpenID Connect authentication request] The [`redirect_uri`] URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in [Section 6.2.1 of [RFC3986]](https://openid.net/specs/openid-connect-core-1_0.html#RFC3986) (Simple String Comparison).",SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_construction hl7.fhir.us.udap-security_1.0.0,252,https://www.udap.org/udap-user-auth-stu1.html,"[When UDAP Tiered OAuth for User Authentication is being requested] If... 
[the “openid” and “udap”] scope is omitted, the behavior of the IdP is entirely unspecified and the IdP SHOULD NOT proceed with the UDAP Tiered OAuth for User Authentication workflow.",SHOULD NOT,server,,,,"","" hl7.fhir.us.udap-security_1.0.0,253,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST use the authorization code flow when redirecting the user to the IdP’s authorization endpoint,SHALL,server,,,,3.3.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_authorization_code_flow hl7.fhir.us.udap-security_1.0.0,254,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST generate its own random value for the state parameter,SHALL,server,,,,3.7.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_state_parameter_management hl7.fhir.us.udap-security_1.0.0,255,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST NOT reuse the [state] value provided by the Client App in Step 2.,SHALL NOT,server,,,,3.7.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_state_parameter_management hl7.fhir.us.udap-security_1.0.0,258,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,The Authorization Server MUST validate all the OAuth 2.0 [authentication request] parameters according to the OAuth 2.0 specification.,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,259,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"the Authorization Server MUST ...Verify that a `scope` parameter is present and contains the `openid` scope value [on an authentication request]. 
(If no `openid` scope value is present, the request may still be a valid OAuth 2.0 request but is not an OpenID Connect request.)",SHALL,Server,,,,"","" +hl7.fhir.us.udap-security_1.0.0,259,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"the Authorization Server MUST ...Verify that a `scope` parameter is present and contains the `openid` scope value [on an authentication request]. (If no `openid` scope value is present, the request may still be a valid OAuth 2.0 request but is not an OpenID Connect request.)",SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_construction hl7.fhir.us.udap-security_1.0.0,260,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,The Authorization Server MUST verify that all the REQUIRED [authentication request] parameters are present and their usage conforms to this specification.,SHALL,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,261,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"If the sub (subject) Claim is requested [on an authentication request] with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User identified by that sub value has an active session with the Authorization Server or has been Authenticated as a result of the request.",SHALL,Server,,,,"","" hl7.fhir.us.udap-security_1.0.0,262,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST NOT reply [to an authentication request] with an ID Token or Access Token for a different user, even if they have an active session with the Authorization Server.",SHALL NOT,Server,,,,"","" From f5dbf9a70fb5c9b16ccb02dd15917ce87c476d17 Mon Sep 17 00:00:00 2001 
From: Christine Duong
Date: Thu, 17 Jul 2025 14:00:27 -0400
Subject: [PATCH 12/13] Fixed test id

---
 .../udap_security_requirements_coverage.csv | 30 +++++++++----------
 .../server/authentication_requests_group.rb |  2 +-
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv b/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv
index 4d79ab8..c3318de 100644
--- a/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv
+++ b/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv
@@ -93,11 +93,11 @@ hl7.fhir.us.udap-security_1.0.0,134,https://datatracker.ietf.org/doc/html/rfc674 hl7.fhir.us.udap-security_1.0.0,135,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When responding to an authorization request i]f the resource owner grants the access request… the `code` parameter... MUST expire shortly after it is issued to mitigate the risk of leaks.,SHALL,Server,,,,3.3.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_auth_code_usage hl7.fhir.us.udap-security_1.0.0,137,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,"If an authorization code is used more than once, the authorization server MUST deny the request",SHALL,Server,,,,3.3.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_auth_code_usage hl7.fhir.us.udap-security_1.0.0,138,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,"[When responding to an authorization request i]f the resource owner grants the access request… the `state` parameter [is] `REQUIRED`if the ""state"" parameter was present in the client authorization request",SHALL,Server,,,,1.3.02,udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received -hl7.fhir.us.udap-security_1.0.0,146,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements),SHALL,Server,,,,"3.3.02, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation, 
udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-udap_security_access_token_request_validation" -hl7.fhir.us.udap-security_1.0.0,147,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: ...authenticate the client if client authentication is included,",SHALL,Server,,,,"3.3.02, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-udap_security_access_token_request_validation" +hl7.fhir.us.udap-security_1.0.0,146,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements),SHALL,Server,,,,3.3.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation +hl7.fhir.us.udap-security_1.0.0,147,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: ...authenticate the client if client authentication is included,",SHALL,Server,,,,3.3.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation hl7.fhir.us.udap-security_1.0.0,148,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: … ensure that the authorization code was issued to the authenticated confidential client, or if the client is public, 
ensure that the code was issued to ""client_id"" in the request,",SHALL,Server,,,,1.3.03,udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_token_exchange -hl7.fhir.us.udap-security_1.0.0,149,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: … verify that the authorization code is valid,SHALL,Server,,,,"3.3.02, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-udap_security_access_token_request_validation" -hl7.fhir.us.udap-security_1.0.0,150,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: … ensure that the ""redirect_uri"" parameter is present if the ""redirect_uri"" parameter was included in the initial authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and if included ensure that their values are identical.",SHALL,Server,,,,"3.3.02, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-udap_security_access_token_request_validation" +hl7.fhir.us.udap-security_1.0.0,149,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: … verify that the authorization code is 
valid,SHALL,Server,,,,3.3.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation +hl7.fhir.us.udap-security_1.0.0,150,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: … ensure that the ""redirect_uri"" parameter is present if the ""redirect_uri"" parameter was included in the initial authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and if included ensure that their values are identical.",SHALL,Server,,,,3.3.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation hl7.fhir.us.udap-security_1.0.0,172,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,An Authorization Server receiving token requests containing Authentication Tokens... 
SHALL validate and respond to the request as per [Sections 6 and 7 of UDAP JWT-Based Client Authentication](https://www.udap.org/udap-jwt-client-auth.html).,SHALL,Server,,,,3.9.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_jwt_security_group-udap_security_jwt_token_request_validation hl7.fhir.us.udap-security_1.0.0,173,https://www.udap.org/udap-jwt-client-auth.html,The AS validates the digital signature on the AnT [in the token request] using the public key extracted from cert1 in the x5c parameter of the JOSE header.,SHALL,Server,,,,3.9.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_jwt_security_group-udap_security_jwt_signature_validation hl7.fhir.us.udap-security_1.0.0,174,https://www.udap.org/udap-jwt-client-auth.html,"If the signature cannot be validated [using the public key extracted from cert1 in the x5c parameter], the [token] request is denied.",SHALL,Server,,,,3.6.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_deny_token_request 
@@ -125,18 +125,18 @@ hl7.fhir.us.udap-security_1.0.0,252,https://www.udap.org/udap-user-auth-stu1.htm hl7.fhir.us.udap-security_1.0.0,253,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST use the authorization code flow when redirecting the user to the IdP’s authorization endpoint,SHALL,server,,,,3.3.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_authorization_code_flow hl7.fhir.us.udap-security_1.0.0,254,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST generate its own random value for the state parameter,SHALL,server,,,,3.7.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_state_parameter_management hl7.fhir.us.udap-security_1.0.0,255,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST NOT reuse the [state] value provided by the Client App in Step 2.,SHALL NOT,server,,,,3.7.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_state_parameter_management -hl7.fhir.us.udap-security_1.0.0,258,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,The Authorization Server MUST validate all the OAuth 2.0 [authentication request] parameters according to the OAuth 2.0 specification.,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,259,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"the Authorization Server MUST ...Verify that a `scope` parameter is present and contains the `openid` scope value [on an authentication request]. 
(If no `openid` scope value is present, the request may still be a valid OAuth 2.0 request but is not an OpenID Connect request.)",SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_construction -hl7.fhir.us.udap-security_1.0.0,260,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,The Authorization Server MUST verify that all the REQUIRED [authentication request] parameters are present and their usage conforms to this specification.,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,261,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"If the sub (subject) Claim is requested [on an authentication request] with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User identified by that sub value has an active session with the Authorization Server or has been Authenticated as a result of the request.",SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,262,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST NOT reply [to an authentication request] with an ID Token or Access Token for a different user, even if they have an active session with the Authorization Server.",SHALL NOT,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,263,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"When an id_token_hint is present [on an authentication request], the OP MUST validate that it was the issuer of the ID Token.",SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,264,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"[When validating authentication requests received] If the Authorization Server encounters any error, it MUST return an error response, per [Section 
3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation)",SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,265,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,he Authorization Server MUST attempt to Authenticate the End-User [for an authentication request when] … The End-User is not already Authenticated.,SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,266,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST attempt to Authenticate the End-User [for an authentication request when] … The Authentication Request contains the prompt parameter with the value login. In this case, the Authorization Server MUST reauthenticate the End-User even if the End-User is already authenticated.",SHALL,Server,,,,"","" -hl7.fhir.us.udap-security_1.0.0,267,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST NOT interact with the End-User [on an authentication request when] the Authentication Request contains the prompt parameter with the value none. 
In this case, the Authorization Server MUST return an error if an End-User is not already Authenticated or could not be silently Authenticated.",SHALL NOT,Server,,,,3.6.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_prompt_none_error +hl7.fhir.us.udap-security_1.0.0,258,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,The Authorization Server MUST validate all the OAuth 2.0 [authentication request] parameters according to the OAuth 2.0 specification.,SHALL,Server,,,,3.4.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation +hl7.fhir.us.udap-security_1.0.0,259,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"the Authorization Server MUST ...Verify that a `scope` parameter is present and contains the `openid` scope value [on an authentication request]. (If no `openid` scope value is present, the request may still be a valid OAuth 2.0 request but is not an OpenID Connect request.)",SHALL,Server,,,,"3.4.01, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_construction, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation" +hl7.fhir.us.udap-security_1.0.0,260,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,The Authorization Server MUST verify that all the REQUIRED [authentication request] parameters are present and their usage conforms to this specification.,SHALL,Server,,,,3.4.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation +hl7.fhir.us.udap-security_1.0.0,261,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"If the sub (subject) 
Claim is requested [on an authentication request] with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User identified by that sub value has an active session with the Authorization Server or has been Authenticated as a result of the request.",SHALL,Server,,,,3.4.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation +hl7.fhir.us.udap-security_1.0.0,262,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST NOT reply [to an authentication request] with an ID Token or Access Token for a different user, even if they have an active session with the Authorization Server.",SHALL NOT,Server,,,,3.4.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation +hl7.fhir.us.udap-security_1.0.0,263,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"When an id_token_hint is present [on an authentication request], the OP MUST validate that it was the issuer of the ID Token.",SHALL,Server,,,,3.4.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation +hl7.fhir.us.udap-security_1.0.0,264,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"[When validating authentication requests received] If the Authorization Server encounters any error, it MUST return an error response, per [Section 3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation)",SHALL,Server,,,,3.4.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation +hl7.fhir.us.udap-security_1.0.0,265,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,he Authorization Server 
MUST attempt to Authenticate the End-User [for an authentication request when] … The End-User is not already Authenticated.,SHALL,Server,,,,3.4.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation +hl7.fhir.us.udap-security_1.0.0,266,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST attempt to Authenticate the End-User [for an authentication request when] … The Authentication Request contains the prompt parameter with the value login. In this case, the Authorization Server MUST reauthenticate the End-User even if the End-User is already authenticated.",SHALL,Server,,,,3.4.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation +hl7.fhir.us.udap-security_1.0.0,267,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST NOT interact with the End-User [on an authentication request when] the Authentication Request contains the prompt parameter with the value none. 
In this case, the Authorization Server MUST return an error if an End-User is not already Authenticated or could not be silently Authenticated.",SHALL NOT,Server,,,,"3.4.02, 3.6.04","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_prompt_none_error" hl7.fhir.us.udap-security_1.0.0,268,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"In this case, [when the Authentication Request contains the prompt parameter with the value none] the Authorization Server MUST return an error if an End-User is not already Authenticated or could not be silently Authenticated.",SHALL NOT,Server,,,,3.6.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_prompt_none_error -hl7.fhir.us.udap-security_1.0.0,269,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"When interacting with the End-User [for an authentication request], the Authorization Server MUST employ appropriate measures against Cross-Site Request Forgery and Clickjacking as, described in [Sections 10.12 and 10.13 of OAuth 2.0](https://openid.net/specs/openid-connect-core-1_0.html#RFC6749) [RFC6749].",SHALL,Server,,,,3.7.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_csrf_protection +hl7.fhir.us.udap-security_1.0.0,269,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"When interacting with the End-User [for an authentication request], the Authorization Server MUST employ appropriate measures against Cross-Site Request Forgery and Clickjacking as, described in [Sections 10.12 and 10.13 of OAuth 2.0](https://openid.net/specs/openid-connect-core-1_0.html#RFC6749) [RFC6749].",SHALL,Server,,,,"3.4.02, 
3.7.01","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_csrf_protection" hl7.fhir.us.udap-security_1.0.0,270,https://www.udap.org/udap-user-auth-stu1.html,[When the IdP interacts with the user to authenticate the user] The Resource Holder MUST validate that the value of the state parameter in the query string matches the value generated in Step 3.4.,SHALL,Server,,,,3.7.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_state_parameter_management hl7.fhir.us.udap-security_1.0.0,271,https://www.udap.org/udap-user-auth-stu1.html,"[When the IdP interacts with the user to authenticate the user] If [the value of the state parameter in the query string ] does NOT match, the Resource Holder MUST terminate this workflow by redirecting the user’s browser to the Client App’s redirection URI with an error code of “server_error” as per standard OAuth 2.0 error flow.",SHALL NOT,Server,,,,3.6.06,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_state_mismatch_error hl7.fhir.us.udap-security_1.0.0,272,https://www.udap.org/udap-user-auth-stu1.html,"If the Resource Holder receives ... an error response from the IdP [for an authentication request], the Resource Holder MUST first validate the value of the state parameter as described in Step 4.1",SHALL,Server,,,,3.7.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_state_parameter_management 
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group.rb
index 7f730c3..dc066cc 100644
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group.rb
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group.rb
@@ -8,6 +8,6 @@ class OpenIDConnectAuthenticationRequestsAttestationGroup < Inferno::TestGroup
 run_as_group
 test from: :oidc_auth_request_construction
- test from: :udap_security_access_token_request_validation
+ test from: :oidc_auth_request_validation
 end
 end
From 64b75d64564ece218ff781c4979e1ebeabb15cd1 Mon Sep 17 00:00:00 2001
From: Lizzie Charbonneau
Date: Mon, 21 Jul 2025 14:49:22 -0400
Subject: [PATCH 13/13] made attestation tests optional
---
 .../client_attestation_group.rb | 1 +
 .../server_attestation_group.rb | 1 +
 2 files changed, 2 insertions(+)
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb
index b25472a..b0b2d4c 100644
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb
@@ -20,6 +20,7 @@ module UDAPSecurityTestKit
 class ClientAttestationGroup < Inferno::TestGroup
 id :udap_client_v100_visual_inspection_and_attestation
 title 'Visual Inspection and Attestation'
+ optional
 description <<~DESCRIPTION
 Perform visual inspections or attestations to ensure that the Client is conformant to the UDAP IG requirements.
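Review bot: With `optional` added to ClientAttestationGroup, the group's outcome appears to no longer count toward the suite's overall result, yet the DESCRIPTION heredoc directly below still presents the inspections as part of establishing conformance, so a reader of the report cannot tell that a passing suite may have skipped them entirely. The description should state this explicitly, for example by appending `This group is optional: its results are reported but do not affect the overall result of the suite.` to the heredoc. The same applies to the `optional` added to ServerAttestationGroup in the next hunk; one wording for both keeps the two groups consistent. The heredoc and the class body continue beyond the hunk.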
diff --git a/lib/udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group.rb b/lib/udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group.rb
index 8273118..dbc699a 100644
--- a/lib/udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group.rb
+++ b/lib/udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group.rb
@@ -13,6 +13,7 @@ module UDAPSecurityTestKit
 class ServerAttestationGroup < Inferno::TestGroup
 id :udap_server_v100_visual_inspection_and_attestation
 title 'Visual Inspection and Attestation'
+ optional
 description <<~DESCRIPTION
 Perform visual inspections or attestations to ensure that the Server is conformant to the UDAP IG requirements.