davinci_dtr_test_kit 0.10.0 → 0.11.1

data/lib/davinci_dtr_test_kit/docs/dtr_smart_app_suite_description_v201.md

@@ -52,35 +52,50 @@ validated with the Java validator using `tx.fhir.org` as the terminology server.
 
 ### Quick Start
 
-Inferno does not currently include the ability to launch the client. Therefore, clients
-must be manually configured to point to Inferno's simulated server endpoints. The endpoints
-can be inferred from the URL of the test session which will be of the form `[URL prefix]/dtr_smart_app/[session id]`: (NOTE: both currently use the same URL)
-- Payer Server Base FHIR URL: `[URL prefix]/custom/dtr_smart_app/fhir`
-- Light EHR Base FHIR URL: `[URL prefix]/custom/dtr_smart_app/fhir`
-
-In order for Inferno to associate requests sent to locations under these base URLs with this session,
-it needs to know the bearer token that the app will send on requests, for which 
-there are two options.
-
-1. If you want to choose your own bearer token, then
-    1. Select the "2. Basic Workflows" test from the list on the left (or other target test). 
-    2. Click the '*Run All Tests*' button on the right.
-    3. In the "access_token" field, enter the bearer token that will be sent by the client 
-       under test (as part of the Authorization header - `Bearer <provided value>`).
-    4. Click the '*Submit*' button at the bottom of the dialog.
-2. If you want to use a client_id to obtain an access token, then
-    1. Click the '*Run All Tests*' button on the right.
-    2. Provide the client's registered id "client_id" field of the input (NOTE, Inferno doesn't support the
-        registration API, so this must be obtained from another system or configured manually).
-    3. Click the '*Submit*' button at the bottom of the dialog.
-    4. Make a token request that includes the specified client id to the
-        `[URL prefix]/custom/dtr_smart_app/mock_auth/token` endpoint to get
-        an access token to use on the request of the requests.
-
-In either case, the tests will continue from that point. Further executions of tests under
-this session will also use the selected bearer token.
-
-Note: authentication options for these tests have not been finalized and are subject to change.
+This test suite can be run in two modes, each described below:
+1. [EHR launch mode](#ehr-launch)
+2. [Standalone launch mode](#standalone-launch)
+
+At this time, Inferno's simulation of the payer server that provides the questionnaires
+uses the same base server url and access token, and apps will need to be configured to
+connect to it as well. See the "Combined payer and EHR FHIR servers" section below for details.
+
+The DTR specification allows apps and their partners significant leeway in terms of
+what information is provided on launch and how that information gets used by the app
+to determine the `$questionnaire-package` endpoint and what details to submit as a
+part of that operation. Inferno cannot know ahead of time what data needs to be
+available for the app under test to successfully request, pre-populate, and render 
+a questionnaire. See the "`fhirContext` and available instances"
+section below for details on how to enable Inferno to meet the needs of your application.
+
+#### EHR Launch
+
+In this mode Inferno will launch the app under test using the SMART App Launch
+[EHR launch](https://hl7.org/fhir/smart-app-launch/STU2.1/app-launch.html#launch-app-ehr-launch)
+flow. 
+
+The tester must provide
+1. a `client_id`: can be any string and will uniquely identify the testing session.
+2. a `launch_uri`: will be used by Inferno to generate a link to launch the app under test.
+
+All the details needed to access clinical data from Inferno's simulated EHR are provided
+as a part of the SMART flow, including 
+- the FHIR base server URL to request data from
+- a bearer token to provide on all requests
+
+#### Standalone Launch
+
+In this mode the app under test will launch and on its own and reach out to Inferno to
+begin the workflow as described in the 
+[standalone launch section](https://hl7.org/fhir/smart-app-launch/STU2.1/app-launch.html#launch-app-standalone-launch).
+
+The tester must provide
+1. a `client_id`: can be any string and will uniquely identify the testing session.
+
+The app will then need to connect to Inferno as directed to initiate the SMART and DTR
+workflow. The FHIR base server url that app will connect to is 
+`[URL prefix]/custom/dtr_smart_app/fhir` where `[URL prefix]` comes from the URL of the
+test session which will be of the form `[URL prefix]/dtr_smart_app/[session id]`
 
 ### Postman-based Demo
 
@@ -90,26 +105,75 @@ to make requests against Inferno. This does not include the capability to render
 questionnaires, but does have samples of correctly and incorrectly completed QuestionnaireResponses.
 The following is a list of tests with the Postman requests that can be used with them:
 
-- **2.1** *Static Questionnaire Workflow*: use requests in the `Static Dinner` folder
-  - **2.1.1.01** *Invoke the DTR Questionnaire Package operation*: submit request `Questionnaire Package for Dinner (Static)` while this test is waiting.
-  - **2.1.3.01** *Save the QuestionnaireResponse after completing it*: submit request `Save QuestionnaireResponse for Dinner (Static)` while this test is waiting. If you want to see a failure, submit request `Save QuestionnaireResponse for Dinner (Static) - missing origin extension` instead.
-- **3.1** *Respiratory Assist Device Questionnaire Workflow*: use requests in the `Respiratory Assist Device` folder
-  - **3.1.1.01** *Invoke the DTR Questionnaire Package operation*: submit request `Questionnaire Package for Resp Assist Device` while this test is waiting.
-  - **3.1.3.01** *Save the QuestionnaireResponse after completing it*: submit request `Save Questionnaire Response for Resp Assist Device` while this test is waiting. If you want to see a failure, submit request `Save Questionnaire Response for Resp Assist Device - unexpected override` instead.
+- **Standalone launch sequence**: use requests in the `SMART App Launch` folder during 
+  tests **1.1.1.01** or **2.1.1.01** to simulate the SMART Launch flow and obtain an access
+  token to use for subsequent requests. See the collection's Overview for details on the
+  access token's generation.
+- **1.1** *Static Questionnaire Workflow*: use requests in the `Static Dinner` folder
+  - **1.1.1.01** *Invoke the DTR Questionnaire Package operation*: submit request `Questionnaire Package for Dinner (Static)` while this test is waiting.
+  - **1.1.3.01** *Save the QuestionnaireResponse after completing it*: submit request `Save QuestionnaireResponse for Dinner (Static)` while this test is waiting. If you want to see a failure, submit request `Save QuestionnaireResponse for Dinner (Static) - missing origin extension` instead.
+- **2.1** *Respiratory Assist Device Questionnaire Workflow*: use requests in the `Respiratory Assist Device` folder
+  - **2.1.1.01** *Invoke the DTR Questionnaire Package operation*: submit request `Questionnaire Package for Resp Assist Device` while this test is waiting.
+  - **2.1.3.01** *Save the QuestionnaireResponse after completing it*: submit request `Save Questionnaire Response for Resp Assist Device` while this test is waiting. If you want to see a failure, submit request `Save Questionnaire Response for Resp Assist Device - unexpected override` instead.
+
+## Configuration Details
+
+### `fhirContext` and available instances
+
+Once they have launched, DTR SMART Apps obtain details that drive their retrieval of questionnaires
+and relevant clinical data from the payer and the EHR from [context that is passed with
+the access token](https://hl7.org/fhir/smart-app-launch/STU2.1/scopes-and-launch-context.html)
+provided by the EHR. Inferno cannot know ahead of time what information to provide and
+what instances to make available to direct the app under test to request and render a
+particular questionnaire.
+
+Therefore, use of this test suite requests that the tester provide this information so that the
+app can demonstrate its capabilities based on whatever business logic is present. These tests
+currently support two context parameters that contain references to instance in the EHR and provides
+testers with a way to provide those instances to Inferno so it can serve them to the app. These are
+controlled by the following inputs present on each group associated with a questionnaire:
+
+- **SMART App Launch Patient ID**: provide an `id` for the subject Patient FHIR instance.
+- **SMART App Launch `fhirContext`**: provide a JSON object containing FHIR references to instances
+  relevant to the DTR workflow, e.g. 
+  
+  ```
+  [{reference: 'Coverage/cov015'}, {reference: 'DeviceRequest/devreqe0470'}]
+  ``` 
+  This will be included under the `fhirContext` key of the token response.
+- **EHR-available resources**: provide a Bundle containing FHIR instances referenced in and from the
+  previous two inputs. Each instance must include an `id` element that Inferno will use in conjunction
+  with the `resourceType` to make the instances available at the `[server base url]/[resourceType]/[id]`.
+
+Each questionnaire workflow group description includes a link to the questionnaire package that Inferno will return
+(e.g., [here](https://github.com/inferno-framework/davinci-dtr-test-kit/blob/main/lib/davinci_dtr_test_kit/fixtures/dinner_static/questionnaire_dinner_order_static.json))
+where you can find `id` and `url` values and any other details needed to determine what inputs 
+will allow the app under test to work with that questionnaire. Note additionally that Inferno will always
+return that questionnaire in response to `$questionnaire-package` requests made during that test.
+
+These inputs can be cumbersome to create and if you have suggestions about how to improve this process
+while keeping the flexibility of Inferno to run with any app, submit a ticket 
+[here](https://github.com/inferno-framework/davinci-pas-test-kit/issues).
 
 ## Limitations
 
-The DTR IG is a complex specification and these tests currently validate SMART app
-configuration to only part of it. Future versions of the test suite will test further
+The DTR IG is a complex specification and these tests currently validate conformance to only
+a subset of IG requirements. Future versions of the test suite will test further
 features. A few specific features of interest are listed below.
 
 ### Launching and security
 
-The primary limitation on this test suite is that it requires the client under test
-to be manually configured to point to the Inferno endpoints and send a bearer token. 
-In the future, the tests will provide a mechanism for launching the application using
-the SMART app launch mechanism. To provide feedback and input on the design of this feature,
-submit a ticket [here](https://github.com/inferno-framework/davinci-pas-test-kit/issues).
+This test kit contains basic SMART App Launch cabilities that may not be complete. In particular,
+refresh tokens are not currently supported and scopes are not precise. To provide feedback and 
+input on the design of this feature and help us priortize improvements, submit a ticket 
+[here](https://github.com/inferno-framework/davinci-pas-test-kit/issues).
+
+### Combined payer and EHR FHIR servers
+
+At this time, the test suite simulates a single FHIR server that uses the same access token
+for both the payer server and the EHR server. Apps under test must use the FHIR server base url
+and access token identified during the SMART App Launch sequence when making requests
+to retrieve questionnaires.
 
 ### Questionnaire Feature Coverage
 

data/lib/davinci_dtr_test_kit/dtr_full_ehr_suite.rb

@@ -55,11 +55,12 @@ module DaVinciDTRTestKit
 
     allow_cors QUESTIONNAIRE_PACKAGE_PATH
 
-    record_response_route :post, TOKEN_PATH, 'dtr_auth', method(:token_response) do |request|
-      DTRFullEHRSuite.extract_client_id(request)
+    record_response_route :post, PAYER_TOKEN_PATH, 'dtr_full_ehr_payer_token',
+                          method(:payer_token_response) do |request|
+      DTRFullEHRSuite.extract_client_id_from_form_params(request)
     end
 
-    record_response_route :post, '/fhir/Questionnaire/$questionnaire-package', QUESTIONNAIRE_PACKAGE_TAG,
+    record_response_route :post, QUESTIONNAIRE_PACKAGE_PATH, QUESTIONNAIRE_PACKAGE_TAG,
                           method(:questionnaire_package_response) do |request|
       DTRFullEHRSuite.extract_bearer_token(request)
     end

data/lib/davinci_dtr_test_kit/dtr_payer_server_suite.rb

@@ -5,10 +5,12 @@ require_relative 'payer_server_groups/payer_server_static_group'
 require_relative 'payer_server_groups/payer_server_adaptive_group'
 require_relative 'tags'
 require_relative 'mock_payer'
+require_relative 'mock_auth_server'
 require_relative 'version'
 
 module DaVinciDTRTestKit
   class DTRPayerServerSuite < Inferno::TestSuite
+    extend MockAuthServer
     extend MockPayer
 
     id :dtr_payer_server
@@ -104,16 +106,16 @@ module DaVinciDTRTestKit
 
     allow_cors QUESTIONNAIRE_PACKAGE_PATH, NEXT_PATH
 
-    record_response_route :post, TOKEN_PATH, 'dtr_auth', method(:token_response) do |request|
-      DTRPayerServerSuite.extract_client_id(request)
+    record_response_route :post, PAYER_TOKEN_PATH, 'dtr_payer_auth', method(:payer_token_response) do |request|
+      DTRPayerServerSuite.extract_client_id_from_form_params(request)
     end
 
-    record_response_route :post, '/fhir/Questionnaire/$questionnaire-package', QUESTIONNAIRE_TAG,
+    record_response_route :post, QUESTIONNAIRE_PACKAGE_PATH, QUESTIONNAIRE_TAG,
                           method(:payer_questionnaire_response), resumes: method(:test_resumes?) do |request|
       DTRPayerServerSuite.extract_bearer_token(request)
     end
 
-    record_response_route :post, '/fhir/Questionnaire/$next-question', NEXT_TAG,
+    record_response_route :post, NEXT_PATH, NEXT_TAG,
                           method(:questionnaire_next_response), resumes: method(:test_resumes?) do |request|
       DTRPayerServerSuite.extract_bearer_token(request)
     end

data/lib/davinci_dtr_test_kit/dtr_questionnaire_response_validation.rb

@@ -36,6 +36,16 @@ module DaVinciDTRTestKit
       validate_cql_executed(questionnaire_response.item, questionnaire_cql_expression_link_ids,
                             template_prepopulation_expectations, template_override_expectations, validation_errors)
 
+      if template_prepopulation_expectations.size.positive?
+        validation_errors << 'Items expected to be pre-populated not found: ' \
+                             "#{template_prepopulation_expectations.keys.join(', ')}"
+      end
+
+      if template_override_expectations.size.positive?
+        validation_errors << 'Items expected to be pre-poplated and overridden not found: ' \
+                             "#{template_override_expectations.keys.join(', ')}"
+      end
+
       validation_errors.each { |msg| messages << { type: 'error', message: msg } }
       assert validation_errors.blank?, 'QuestionnaireResponse is not conformant. Check messages for issues found.'
     end
@@ -47,10 +57,11 @@ module DaVinciDTRTestKit
         link_id = item_to_validate.linkId
         if questionnaire_cql_expression_link_ids.include?(link_id)
           if template_prepopulation_expectations.key?(link_id)
-            check_item_prepopulation(item_to_validate, template_prepopulation_expectations[link_id], error_messages,
-                                     false)
+            check_item_prepopulation(item_to_validate, template_prepopulation_expectations.delete(link_id),
+                                     error_messages, false)
           elsif template_override_expectations.include?(link_id)
-            check_item_prepopulation(item_to_validate, template_override_expectations[link_id], error_messages, true)
+            check_item_prepopulation(item_to_validate, template_override_expectations.delete(link_id), error_messages,
+                                     true)
           else
             raise "template missing expectation for question `#{link_id}`"
           end
@@ -84,11 +95,10 @@ module DaVinciDTRTestKit
           raise "Template QuestionnaireResponse item `#{target_link_id}` missing the `origin.source` extension"
         end
 
-        # TODO: handle other data types
         if source_extension.value == 'auto'
-          expected_prepopulated[target_link_id] = target_item_answer.value
+          expected_prepopulated[target_link_id] = target_item_answer
         elsif source_extension.value == 'override'
-          expected_overrides[target_link_id] = target_item_answer.value
+          expected_overrides[target_link_id] = target_item_answer
         else
           raise "`origin.source` extension for item `#{target_link_id}` has unexpected value: #{source_extension.value}"
         end
@@ -114,12 +124,12 @@ module DaVinciDTRTestKit
       answer = item.answer.first
       if answer&.value&.present?
         # check answer
-        if override && answer.value == expected_answer
+        if override && answer_value_equal?(expected_answer, answer)
           error_list << "Answer to item `#{item.linkId}` was not overriden from the pre-populated value. " \
                         "Found #{expected_answer}, but should be different"
-        elsif !override && answer.value != expected_answer
-          error_list << "answer to item `#{item.linkId}` contains unexpected value. Expected: #{expected_answer}. " \
-                        "Found #{answer.value}"
+        elsif !override && !answer_value_equal?(expected_answer, answer)
+          error_list << "answer to item `#{item.linkId}` contains unexpected value. Expected: \
+          #{value_for_display(expected_answer)}. Found #{value_for_display(answer)}"
         end
 
         # check origin.source extension
@@ -176,5 +186,11 @@ module DaVinciDTRTestKit
     def coding_equal?(expected, actual)
       expected.system == actual&.system && expected.code == actual&.code
     end
+
+    def value_for_display(answer)
+      return "#{answer.value&.system}|#{answer.value&.code}" if answer.valueCoding.present?
+
+      answer.value
+    end
   end
 end

data/lib/davinci_dtr_test_kit/dtr_smart_app_suite.rb

@@ -11,8 +11,9 @@ require_relative 'version'
 
 module DaVinciDTRTestKit
   class DTRSmartAppSuite < Inferno::TestSuite
-    extend MockPayer
+    extend MockAuthServer
     extend MockEHR
+    extend MockPayer
 
     id :dtr_smart_app
     title 'Da Vinci DTR SMART App Test Suite'
@@ -48,43 +49,64 @@ module DaVinciDTRTestKit
       end
     end
 
-    allow_cors QUESTIONNAIRE_PACKAGE_PATH, QUESTIONNAIRE_RESPONSE_PATH, FHIR_RESOURCE_PATH, FHIR_SEARCH_PATH
+    allow_cors QUESTIONNAIRE_PACKAGE_PATH, QUESTIONNAIRE_RESPONSE_PATH, FHIR_RESOURCE_PATH, FHIR_SEARCH_PATH,
+               EHR_AUTHORIZE_PATH, EHR_TOKEN_PATH
 
     route(:get, '/fhir/metadata', method(:metadata_handler))
 
-    record_response_route :post, TOKEN_PATH, 'dtr_auth', method(:token_response) do |request|
-      DTRSmartAppSuite.extract_client_id(request)
+    route(:get, SMART_CONFIG_PATH, method(:ehr_smart_config))
+
+    record_response_route :get, EHR_AUTHORIZE_PATH, 'dtr_smart_app_ehr_authorize', method(:ehr_authorize),
+                          resumes: ->(_) { false } do |request|
+      DTRSmartAppSuite.extract_client_id_from_query_params(request)
+    end
+
+    record_response_route :post, EHR_AUTHORIZE_PATH, 'dtr_smart_app_ehr_authorize', method(:ehr_authorize),
+                          resumes: ->(_) { false } do |request|
+      DTRSmartAppSuite.extract_client_id_from_form_params(request)
+    end
+
+    record_response_route :post, EHR_TOKEN_PATH, 'dtr_smart_app_ehr_token', method(:ehr_token_response),
+                          resumes: ->(_) { false } do |request|
+      DTRSmartAppSuite.extract_client_id_from_token_request(request)
+    end
+
+    record_response_route :post, PAYER_TOKEN_PATH, 'dtr_smart_app_payer_token',
+                          method(:payer_token_response) do |request|
+      DTRSmartAppSuite.extract_client_id_from_client_assertion(request)
     end
 
     record_response_route :post, QUESTIONNAIRE_PACKAGE_PATH, QUESTIONNAIRE_PACKAGE_TAG,
                           method(:questionnaire_package_response), resumes: ->(_) { false } do |request|
-      DTRSmartAppSuite.extract_bearer_token(request)
+      DTRSmartAppSuite.extract_client_id_from_bearer_token(request)
     end
 
     record_response_route :post, QUESTIONNAIRE_RESPONSE_PATH, 'dtr_smart_app_questionnaire_response',
                           method(:questionnaire_response_response) do |request|
-      DTRSmartAppSuite.extract_bearer_token(request)
+      DTRSmartAppSuite.extract_client_id_from_bearer_token(request)
     end
 
     record_response_route :get, FHIR_RESOURCE_PATH, SMART_APP_EHR_REQUEST_TAG, method(:get_fhir_resource),
                           resumes: ->(_) { false } do |request|
-      DTRSmartAppSuite.extract_bearer_token(request)
+      DTRSmartAppSuite.extract_client_id_from_bearer_token(request)
     end
 
     record_response_route :get, FHIR_SEARCH_PATH, SMART_APP_EHR_REQUEST_TAG, method(:get_fhir_resource),
                           resumes: ->(_) { false } do |request|
-      DTRSmartAppSuite.extract_bearer_token(request)
+      DTRSmartAppSuite.extract_client_id_from_bearer_token(request)
     end
 
     resume_test_route :get, RESUME_PASS_PATH do |request|
-      DTRSmartAppSuite.extract_token_from_query_params(request)
+      DTRSmartAppSuite.extract_client_id_from_query_params(request)
     end
 
     resume_test_route :get, RESUME_FAIL_PATH, result: 'fail' do |request|
-      DTRSmartAppSuite.extract_token_from_query_params(request)
+      DTRSmartAppSuite.extract_client_id_from_query_params(request)
     end
 
-    group from: :oauth2_authentication
+    # TODO: Update based on SMART Launch changes. Do we even want to have this group now?
+    # group from: :oauth2_authentication
+
     group do
       id :dtr_smart_app_basic_workflows
       title 'Basic Workflows'

data/lib/davinci_dtr_test_kit/fixtures/dinner_adaptive/dinner_order_adaptive_next_question_hamburger.json

@@ -153,7 +153,7 @@
             },
             {
               "valueCoding": {
-                "code": "Pickels"
+                "code": "Pickles"
               }
             },
             {

data/lib/davinci_dtr_test_kit/fixtures/dinner_static/questionnaire_dinner_order_static.json

@@ -7,6 +7,7 @@
       "resource": {
         "resourceType": "Questionnaire",
         "id": "DinnerOrderStatic",
+        "url": "urn:inferno:dtr-test-kit:dinner-order-static",
         "meta": {
           "profile": [
             "http://hl7.org/fhir/StructureDefinition/cqf-questionnaire",
@@ -21,7 +22,6 @@
         ],
         "name": "DinnerOrderStatic",
         "title": "Dinner Order (Static)",
-        "url": "urn:inferno:dtr-test-kit:dinner-order-static",
         "status": "draft",
         "subjectType": [
           "Patient"
@@ -156,7 +156,7 @@
                   },
                   {
                     "valueCoding": {
-                      "code": "Pickels"
+                      "code": "Pickles"
                     }
                   },
                   {

data/lib/davinci_dtr_test_kit/fixtures/questionnaire_package.json

@@ -5,6 +5,7 @@
       "resource": {
         "resourceType": "Questionnaire",
         "id": "RespiratoryAssistDevices",
+        "url": "urn:inferno:dtr-test-kit:respiratory-assist-devices",
         "meta": {
           "profile": [
             "http://hl7.org/fhir/StructureDefinition/cqf-questionnaire",
@@ -453,7 +454,6 @@
         ],
         "name": "RespiratoryAssistDevices",
         "title": "Respiratory Assist Device Questionnaire",
-        "url": "urn:fake",
         "status": "draft",
         "subjectType": [
           "Patient"

data/lib/davinci_dtr_test_kit/mock_auth_server.rb

@@ -0,0 +1,145 @@
+require_relative 'urls'
+require_relative 'fixtures'
+
+module DaVinciDTRTestKit
+  module MockAuthServer
+    include Fixtures
+
+    def ehr_smart_config(env)
+      protocol = env['rack.url_scheme']
+      host = env['HTTP_HOST']
+      path = env['REQUEST_PATH'] || env['PATH_INFO']
+      path.gsub!(%r{#{SMART_CONFIG_PATH}(/)?}, '')
+      base_url = "#{protocol}://#{host + path}"
+      response_body =
+        {
+          authorization_endpoint: base_url + EHR_AUTHORIZE_PATH,
+          token_endpoint: base_url + EHR_TOKEN_PATH,
+          token_endpoint_auth_methods_supported: ['private_key_jwt'],
+          token_endpoint_auth_signing_alg_values_supported: ['RS256'],
+          grant_types_supported: ['authorization_code'],
+          scopes_supported: ['launch', 'patient/*.rs', 'user/*.rs', 'offline_access'],
+          response_types_supported: ['code'],
+          code_challenge_methods_supported: ['S256'],
+          capabilities: [
+            'launch-ehr',
+            'permission-patient',
+            'permission-user',
+            'client-public',
+            'client-confidential-symmetric',
+            'client-confidential-asymmetric'
+          ]
+        }.to_json
+
+      [200, { 'Content-Type' => 'application/json', 'Access-Control-Allow-Origin' => '*' }, [response_body]]
+    end
+
+    def ehr_authorize(request, _test = nil, _test_result = nil)
+      # Authorization requests can bet GET or POST
+      params = request.verb == 'get' ? request.query_parameters : URI.decode_www_form(request.request_body)&.to_h
+      if params['redirect_uri'].present?
+        redirect_uri = "#{params['redirect_uri']}?" \
+                       "code=#{SecureRandom.hex}&" \
+                       "state=#{params['state']}"
+        request.status = 302
+        request.response_headers = { 'Location' => redirect_uri }
+      else
+        request.status = 400
+        request.response_headers = { 'Content-Type': 'application/json' }
+        request.response_body = FHIR::OperationOutcome.new(
+          issue: FHIR::OperationOutcome::Issue.new(severity: 'fatal', code: 'required',
+                                                   details: FHIR::CodeableConcept.new(
+                                                     text: 'No redirect_uri provided'
+                                                   ))
+        ).to_json
+      end
+    end
+
+    def ehr_token_response(request, _test = nil, test_result = nil)
+      client_id = extract_client_id_from_token_request(request)
+      token = JWT.encode({ inferno_client_id: client_id }, nil, 'none')
+      response = { access_token: token, token_type: 'bearer', expires_in: 3600 }
+      test_input = JSON.parse(test_result.input_json)
+
+      fhir_context_input = test_input.find { |input| input['name'] == 'smart_fhir_context' }
+      fhir_context_input_value = fhir_context_input['value'] if fhir_context_input.present?
+      begin
+        fhir_context = JSON.parse(fhir_context_input_value)
+      rescue StandardError
+        fhir_context = nil
+      end
+      response.merge!({ fhirContext: fhir_context }) if fhir_context
+
+      smart_patient_input = test_input.find { |input| input['name'] == 'smart_patient_id' }
+      smart_patient_input_value = smart_patient_input['value'] if smart_patient_input.present?
+      response.merge!({ patient: smart_patient_input_value }) if smart_patient_input_value
+
+      request.response_body = response.to_json
+      request.response_headers = { 'Access-Control-Allow-Origin' => '*' }
+      request.status = 200
+    end
+
+    def payer_token_response(request, _test = nil, _test_result = nil)
+      # Placeholder for a more complete mock token endpoint
+      request.response_body = { access_token: SecureRandom.hex, token_type: 'bearer', expires_in: 3600 }.to_json
+      request.status = 200
+    end
+
+    def extract_client_id_from_token_request(request)
+      # Public client || confidential client asymmetric || confidential client symmetric
+      extract_client_id_from_form_params(request) ||
+        extract_client_id_from_client_assertion(request) ||
+        extract_client_id_from_basic_auth(request)
+    end
+
+    def extract_client_id_from_form_params(request)
+      URI.decode_www_form(request.request_body).to_h['client_id']
+    end
+
+    def extract_client_id_from_client_assertion(request)
+      encoded_jwt = URI.decode_www_form(request.request_body).to_h['client_assertion']
+      return unless encoded_jwt.present?
+
+      jwt_payload =
+        begin
+          JWT.decode(encoded_jwt, nil, false)&.first # skip signature verification
+        rescue StandardError
+          nil
+        end
+
+      jwt_payload['iss'] || jwt_payload['sub'] if jwt_payload.present?
+    end
+
+    def extract_client_id_from_basic_auth(request)
+      encoded_credentials = request.request_header('Authorization')&.value&.split&.last
+      return unless encoded_credentials.present?
+
+      decoded_credentials = Base64.decode64(encoded_credentials)
+      decoded_credentials&.split(':')&.first
+    end
+
+    def extract_client_id_from_query_params(request)
+      request.query_parameters['client_id']
+    end
+
+    def extract_client_id_from_bearer_token(request)
+      token = extract_bearer_token(request)
+      jwt =
+        begin
+          JWT.decode(token, nil, false)
+        rescue StandardError
+          nil
+        end
+      jwt&.first&.dig('inferno_client_id')
+    end
+
+    # Header expected to be a bearer token of the form "Bearer: <token>"
+    def extract_bearer_token(request)
+      request.request_header('Authorization')&.value&.split&.last
+    end
+
+    def extract_token_from_query_params(request)
+      request.query_parameters['token']
+    end
+  end
+end