onc_certification_g10_test_kit 6.0.3 → 7.0.0

data/lib/onc_certification_g10_test_kit/smart_ehr_practitioner_app_group.rb

@@ -129,6 +129,30 @@ module ONCCertificationG10TestKit
            }
     end
 
+    group from: :smart_discovery_stu2_2 do # rubocop:disable Naming/VariableNumber
+      required_suite_options(G10Options::SMART_2_2_REQUIREMENT)
+
+      test from: 'g10_smart_well_known_capabilities',
+           config: {
+             options: {
+               required_capabilities: [
+                 'launch-ehr',
+                 'client-confidential-symmetric',
+                 'client-confidential-asymmetric',
+                 'sso-openid-connect',
+                 'context-banner',
+                 'context-style',
+                 'context-ehr-patient',
+                 'permission-offline',
+                 'permission-user',
+                 'authorize-post',
+                 'permission-v2',
+                 'permission-v1'
+               ]
+             }
+           }
+    end
+
     group from: :smart_ehr_launch do
       required_suite_options(G10Options::SMART_1_REQUIREMENT)
 
@@ -206,6 +230,16 @@ module ONCCertificationG10TestKit
            },
            required_suite_options: G10Options::US_CORE_6_REQUIREMENT
 
+      test from: :g10_encounter_context,
+           id: :g10_encounter_context_us_core_7, # rubocop:disable Naming/VariableNumber
+           config: {
+             inputs: {
+               encounter_id: { name: :ehr_encounter_id },
+               access_token: { name: :ehr_access_token }
+             }
+           },
+           required_suite_options: G10Options::US_CORE_7_REQUIREMENT
+
       test do
         title 'Launch context contains smart_style_url which links to valid JSON'
         description %(
@@ -362,6 +396,182 @@ module ONCCertificationG10TestKit
            },
            required_suite_options: G10Options::US_CORE_6_REQUIREMENT
 
+      test from: :g10_encounter_context,
+           id: :g10_encounter_context_us_core_7, # rubocop:disable Naming/VariableNumber
+           config: {
+             inputs: {
+               encounter_id: { name: :ehr_encounter_id },
+               access_token: { name: :ehr_access_token }
+             }
+           },
+           required_suite_options: G10Options::US_CORE_7_REQUIREMENT
+
+      test do
+        title 'Launch context contains smart_style_url which links to valid JSON'
+        description %(
+          In order to mimic the style of the SMART host more closely, SMART apps
+          can check for the existence of this launch context parameter and
+          download the JSON file referenced by the URL value.
+        )
+        uses_request :token
+        id :g10_smart_style_url
+
+        run do
+          skip_if request.status != 200, 'No token response received'
+          assert_valid_json response[:body]
+
+          body = JSON.parse(response[:body])
+
+          assert body['smart_style_url'].present?,
+                 'Token response did not contain `smart_style_url`'
+
+          get(body['smart_style_url'])
+
+          assert_response_status(200)
+          assert_valid_json(response[:body])
+        end
+      end
+
+      test do
+        title 'Launch context contains need_patient_banner'
+        description %(
+          `need_patient_banner` is a boolean value indicating whether the app
+          was launched in a UX context where a patient banner is required (when
+          true) or not required (when false).
+        )
+        uses_request :token
+        id :g10_smart_need_patient_banner
+
+        run do
+          skip_if request.status != 200, 'No token response received'
+          assert_valid_json response[:body]
+
+          body = JSON.parse(response[:body])
+
+          assert body.key?('need_patient_banner'),
+                 'Token response did not contain `need_patient_banner`'
+        end
+      end
+
+      tests[2].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :auth_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+
+      tests[5].config(
+        outputs: {
+          incorrectly_permitted_tls_versions_messages: {
+            name: :token_incorrectly_permitted_tls_versions_messages
+          }
+        }
+      )
+    end
+
+    group from: :smart_ehr_launch_stu2_2, # rubocop:disable Naming/VariableNumber
+          config: {
+            inputs: {
+              use_pkce: {
+                default: 'true',
+                locked: true
+              },
+              pkce_code_challenge_method: {
+                locked: true
+              },
+              authorization_method: {
+                name: :ehr_authorization_method,
+                default: 'post',
+                locked: true
+              }
+            }
+          } do
+      required_suite_options(G10Options::SMART_2_2_REQUIREMENT)
+
+      title 'EHR Launch With Practitioner Scope'
+      input :client_secret,
+            name: :ehr_client_secret,
+            title: 'EHR Launch Client Secret',
+            description: 'Client Secret provided during registration of Inferno as an EHR launch application',
+            optional: false
+
+      config(
+        inputs: {
+          requested_scopes: {
+            default: %(
+              launch openid fhirUser offline_access user/Medication.rs
+              user/AllergyIntolerance.rs user/CarePlan.rs user/CareTeam.rs
+              user/Condition.rs user/Device.rs user/DiagnosticReport.rs
+              user/DocumentReference.rs user/Encounter.rs user/Goal.rs
+              user/Immunization.rs user/Location.rs user/MedicationRequest.rs
+              user/Observation.rs user/Organization.rs user/Patient.rs
+              user/Practitioner.rs user/Procedure.rs user/Provenance.rs
+              user/PractitionerRole.rs
+            ).gsub(/\s{2,}/, ' ').strip
+          }
+        }
+      )
+
+      test from: :g10_smart_scopes do
+        title 'User-level access with OpenID Connect and Refresh Token scopes used.'
+        config(
+          inputs: {
+            requested_scopes: { name: :ehr_requested_scopes },
+            received_scopes: { name: :ehr_received_scopes }
+          },
+          options: {
+            scope_version: :v22,
+            required_scope_type: 'user',
+            required_scopes: ['openid', 'fhirUser', 'launch', 'offline_access']
+          }
+        )
+      end
+
+      test from: :g10_unauthorized_access,
+           config: {
+             inputs: {
+               patient_id: { name: :ehr_patient_id }
+             }
+           }
+
+      test from: :g10_patient_context,
+           config: {
+             inputs: {
+               patient_id: { name: :ehr_patient_id },
+               access_token: { name: :ehr_access_token }
+             }
+           }
+
+      test from: :g10_encounter_context,
+           config: {
+             inputs: {
+               encounter_id: { name: :ehr_encounter_id },
+               access_token: { name: :ehr_access_token }
+             }
+           },
+           required_suite_options: G10Options::US_CORE_5_REQUIREMENT
+
+      test from: :g10_encounter_context,
+           id: :g10_encounter_context_us_core_6, # rubocop:disable Naming/VariableNumber
+           config: {
+             inputs: {
+               encounter_id: { name: :ehr_encounter_id },
+               access_token: { name: :ehr_access_token }
+             }
+           },
+           required_suite_options: G10Options::US_CORE_6_REQUIREMENT
+
+      test from: :g10_encounter_context,
+           id: :g10_encounter_context_us_core_7, # rubocop:disable Naming/VariableNumber
+           config: {
+             inputs: {
+               encounter_id: { name: :ehr_encounter_id },
+               access_token: { name: :ehr_access_token }
+             }
+           },
+           required_suite_options: G10Options::US_CORE_7_REQUIREMENT
+
       test do
         title 'Launch context contains smart_style_url which links to valid JSON'
         description %(
@@ -427,6 +637,30 @@ module ONCCertificationG10TestKit
     end
 
     group from: :smart_openid_connect,
+          required_suite_options: G10Options::SMART_1_REQUIREMENT,
+          config: {
+            inputs: {
+              id_token: { name: :ehr_id_token },
+              client_id: { name: :ehr_client_id },
+              requested_scopes: { name: :ehr_requested_scopes },
+              smart_credentials: { name: :ehr_smart_credentials }
+            }
+          }
+
+    group from: :smart_openid_connect,
+          required_suite_options: G10Options::SMART_2_REQUIREMENT,
+          id: :smart_openid_connect_stu2,
+          config: {
+            inputs: {
+              id_token: { name: :ehr_id_token },
+              client_id: { name: :ehr_client_id },
+              requested_scopes: { name: :ehr_requested_scopes },
+              smart_credentials: { name: :ehr_smart_credentials }
+            }
+          }
+
+    group from: :smart_openid_connect_stu2_2, # rubocop:disable Naming/VariableNumber
+          required_suite_options: G10Options::SMART_2_2_REQUIREMENT,
           config: {
             inputs: {
               id_token: { name: :ehr_id_token },

data/lib/onc_certification_g10_test_kit/smart_fine_grained_scopes_group_stu2_2.rb

@@ -0,0 +1,188 @@
+module ONCCertificationG10TestKit
+  class SmartFineGrainedScopesGroupSTU22 < USCoreTestKit::USCoreV610::SmartGranularScopesGroup
+    title 'SMART App Launch with fine-grained scopes'
+    short_title 'SMART Launch with Fine-Grained Scopes'
+
+    input_instructions %(
+      If necessary, register Inferno as a standalone application using the following information:
+
+      * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
+
+      Inferno may be registered multiple times with different `client_ids`, or this
+      may reuse a single registration of Inferno.`
+
+      This test will perform two launches, with each launch requiring a separate
+      separate set of finer-grained scopes to be granted:
+
+      Group 1:
+      * `Condition.rs?category=http://terminology.hl7.org/CodeSystem/condition-category|encounter-diagnosis`
+      * `Condition.rs?category=http://hl7.org/fhir/us/core/CodeSystem/condition-category|health-concern`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|laboratory`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|social-history`
+
+      Group 2:
+      * `Condition.rs?category=http://terminology.hl7.org/CodeSystem/condition-category|problem-list-item`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|vital-signs`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|survey`
+      * `Observation.rs?category=http://hl7.org/fhir/us/core/CodeSystem/us-core-category|sdoh`
+    )
+
+    description <<~DESCRIPTION
+
+      As finalized in the [HTI-1 Final Rule](https://www.federalregister.gov/d/2023-28857/p-1250), Health IT Modules are
+      required to support SMART App Launch v2.0.0 "Finer-grained resource
+      constraints using search parameters" for the "category" parameter for the
+      Condition resource with Condition sub-resources Encounter Diagnosis, Problem
+      List, and Health Concern, and the Observation resource with Observation
+      sub-resources Clinical Test, Laboratory, Social History, SDOH, Survey, and
+      Vital Signs.
+
+      This is also reflected in the (g)(10) Standardized API for patient and
+      populations [Test
+      Procedure](https://www.healthit.gov/test-method/standardized-api-patient-and-population-services#test_procedure):
+
+      > [AUT-PAT-28] SMART v2 scope syntax for patient-level and user-level scopes to support
+        the “permission-v2” “SMART on FHIR® Capability”, including support for
+        finer-grained resource constraints using search parameters according to
+        section 3.0.2.3 of the implementation specification at § 170.215(c)(2) for
+        the “category” parameter for the following resources: (1) Condition
+        resource with Condition sub-resources Encounter Diagnosis, Problem List,
+        and Health Concern; and (2) Observation resource with Observation
+        sub-resources Clinical Test, Laboratory, Social History, SDOH, Survey, and
+        Vital Signs
+
+      Prior to running this scenario, first run the Single Patient API tests using
+      resource-level scopes, as this scenario uses content saved from that scenario
+      as a baseline for comparison when finer-grained scopes are granted.
+
+      This scenario contains two groups of finer-grained scope tests, each of
+      which includes a SMART Standalone Launch that requests a subset of
+      finer-grained scopes, followed by FHIR API requests to verify that scopes
+      are appropriately granted. The app launches require that the subset of the
+      requested finer-grained scopes are granted by the user. The FHIR API tests then repeat all
+      of the queries from the original Single Patient API tests that were run
+      using resource-level scopes, and verify that only resources matching the
+      current finer-grained scopes are returned. Each group requires a separate
+      set of finer-grained scopes to be granted:
+
+      Group 1:
+      * `Condition.rs?category=http://terminology.hl7.org/CodeSystem/condition-category|encounter-diagnosis`
+      * `Condition.rs?category=http://hl7.org/fhir/us/core/CodeSystem/condition-category|health-concern`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|laboratory`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|social-history`
+
+      Group 2:
+      * `Condition.rs?category=http://terminology.hl7.org/CodeSystem/condition-category|problem-list-item`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|vital-signs`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|survey`
+      * `Observation.rs?category=http://hl7.org/fhir/us/core/CodeSystem/us-core-category|sdoh`
+
+      Note that Inferno will only request the finer grained scopes in each case,
+      but the system under test can display more scopes to the tester during
+      authorization.  In this case, it is expected that the tester will only
+      approve the appropriate scopes in each group as described above.
+
+      For more information, please refer to [finer-grained resource constraints
+      using search
+      parameters](https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#finer-grained-resource-constraints-using-search-parameters).
+
+    DESCRIPTION
+
+    id :g10_smart_fine_grained_scopes_stu2_2 # rubocop:disable Naming/VariableNumber
+
+    input :url
+
+    children.each(&:run_as_group)
+
+    # Replace generic finer-grained scope auth group with which allows standalone or
+    # ehr launch with just the standalone launch group
+    granular_scopes_group1 = children.first
+    granular_scopes_group1.children[0] = granular_scopes_group1.children.first.children[1]
+    standalone_launch_group1 = granular_scopes_group1.children[0]
+    standalone_launch_group1.required
+
+    granular_scopes_group2 = children.last
+    granular_scopes_group2.children[0] = granular_scopes_group2.children.first.children[1]
+    standalone_launch_group2 = granular_scopes_group2.children[0]
+    standalone_launch_group2.required
+
+    # Move the granular scope API groups to the top level
+    api_group1 = granular_scopes_group1.children.pop
+    api_group1.children.each do |group|
+      group.children.select!(&:required?)
+      granular_scopes_group1.children << group
+    end
+
+    api_group2 = granular_scopes_group2.children.pop
+    api_group2.children.each do |group|
+      group.children.select!(&:required?)
+      granular_scopes_group2.children << group
+    end
+
+    # Remove OIDC and refresh token tests
+    standalone_launch_group1.children.pop(2)
+    standalone_launch_group2.children.pop(2)
+
+    config(
+      inputs: {
+        authorization_method: {
+          name: :granular_scopes_authorization_method,
+          title: 'Granular Scopes Authorization Request Method'
+        },
+        client_auth_type: {
+          name: :granular_scopes_client_auth_type,
+          title: 'Granular Scopes Client Authentication Type'
+        },
+        received_scopes: {
+          name: :standalone_received_scopes
+        }
+      }
+    )
+
+    granular_scopes_group1.config(
+      inputs: {
+        client_id: {
+          name: :granular_scopes1_client_id,
+          title: 'Granular Scopes Group 1 Client ID'
+        },
+        client_secret: {
+          name: :granular_scopes1_client_secret,
+          title: 'Granular Scopes Group 1 Client Secret'
+        },
+        requested_scopes: {
+          title: 'Granular Scopes Group 1 Scopes'
+        }
+      }
+    )
+
+    granular_scopes_group2.config(
+      inputs: {
+        client_id: {
+          name: :granular_scopes2_client_id,
+          title: 'Granular Scopes Group 2 Client ID'
+        },
+        client_secret: {
+          name: :granular_scopes2_client_secret,
+          title: 'Granular Scopes Group 2 Client Secret'
+        },
+        requested_scopes: {
+          title: 'Granular Scopes Group 2 Scopes'
+        }
+      }
+    )
+
+    input_order :url,
+                :granular_scopes1_client_id,
+                :requested_scopes_group1,
+                :granular_scopes_authorization_method,
+                :granular_scopes_client_auth_type,
+                :granular_scopes1_client_secret,
+                :client_auth_encryption_method,
+                :granular_scopes2_client_id,
+                :requested_scopes_group2,
+                :granular_scopes2_client_secret,
+                :use_pkce,
+                :pkce_code_challenge_method,
+                :patient_ids
+  end
+end

data/lib/onc_certification_g10_test_kit/smart_fine_grained_scopes_us_core_7_group.rb

@@ -0,0 +1,188 @@
+module ONCCertificationG10TestKit
+  class SmartFineGrainedScopesUSCore7Group < USCoreTestKit::USCoreV700::SmartGranularScopesGroup
+    title 'SMART App Launch with fine-grained scopes'
+    short_title 'SMART Launch with Fine-Grained Scopes'
+
+    input_instructions %(
+      If necessary, register Inferno as a standalone application using the following information:
+
+      * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}`
+
+      Inferno may be registered multiple times with different `client_ids`, or this
+      may reuse a single registration of Inferno.`
+
+      This test will perform two launches, with each launch requiring a separate
+      separate set of finer-grained scopes to be granted:
+
+      Group 1:
+      * `Condition.rs?category=http://terminology.hl7.org/CodeSystem/condition-category|encounter-diagnosis`
+      * `Condition.rs?category=http://hl7.org/fhir/us/core/CodeSystem/condition-category|health-concern`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|laboratory`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|social-history`
+
+      Group 2:
+      * `Condition.rs?category=http://terminology.hl7.org/CodeSystem/condition-category|problem-list-item`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|vital-signs`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|survey`
+      * `Observation.rs?category=http://hl7.org/fhir/us/core/CodeSystem/us-core-category|sdoh`
+    )
+
+    description <<~DESCRIPTION
+
+      As finalized in the [HTI-1 Final Rule](https://www.federalregister.gov/d/2023-28857/p-1250), Health IT Modules are
+      required to support SMART App Launch v2.0.0 "Finer-grained resource
+      constraints using search parameters" for the "category" parameter for the
+      Condition resource with Condition sub-resources Encounter Diagnosis, Problem
+      List, and Health Concern, and the Observation resource with Observation
+      sub-resources Clinical Test, Laboratory, Social History, SDOH, Survey, and
+      Vital Signs.
+
+      This is also reflected in the (g)(10) Standardized API for patient and
+      populations [Test
+      Procedure](https://www.healthit.gov/test-method/standardized-api-patient-and-population-services#test_procedure):
+
+      > [AUT-PAT-28] SMART v2 scope syntax for patient-level and user-level scopes to support
+        the “permission-v2” “SMART on FHIR® Capability”, including support for
+        finer-grained resource constraints using search parameters according to
+        section 3.0.2.3 of the implementation specification at § 170.215(c)(2) for
+        the “category” parameter for the following resources: (1) Condition
+        resource with Condition sub-resources Encounter Diagnosis, Problem List,
+        and Health Concern; and (2) Observation resource with Observation
+        sub-resources Clinical Test, Laboratory, Social History, SDOH, Survey, and
+        Vital Signs
+
+      Prior to running this scenario, first run the Single Patient API tests using
+      resource-level scopes, as this scenario uses content saved from that scenario
+      as a baseline for comparison when finer-grained scopes are granted.
+
+      This scenario contains two groups of finer-grained scope tests, each of
+      which includes a SMART Standalone Launch that requests a subset of
+      finer-grained scopes, followed by FHIR API requests to verify that scopes
+      are appropriately granted. The app launches require that the subset of the
+      requested finer-grained scopes are granted by the user. The FHIR API tests then repeat all
+      of the queries from the original Single Patient API tests that were run
+      using resource-level scopes, and verify that only resources matching the
+      current finer-grained scopes are returned. Each group requires a separate
+      set of finer-grained scopes to be granted:
+
+      Group 1:
+      * `Condition.rs?category=http://terminology.hl7.org/CodeSystem/condition-category|encounter-diagnosis`
+      * `Condition.rs?category=http://hl7.org/fhir/us/core/CodeSystem/condition-category|health-concern`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|laboratory`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|social-history`
+
+      Group 2:
+      * `Condition.rs?category=http://terminology.hl7.org/CodeSystem/condition-category|problem-list-item`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|vital-signs`
+      * `Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|survey`
+      * `Observation.rs?category=http://hl7.org/fhir/us/core/CodeSystem/us-core-category|sdoh`
+
+      Note that Inferno will only request the finer grained scopes in each case,
+      but the system under test can display more scopes to the tester during
+      authorization.  In this case, it is expected that the tester will only
+      approve the appropriate scopes in each group as described above.
+
+      For more information, please refer to [finer-grained resource constraints
+      using search
+      parameters](https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#finer-grained-resource-constraints-using-search-parameters).
+
+    DESCRIPTION
+
+    id :g10_us_core_7_smart_fine_grained_scopes
+
+    input :url
+
+    children.each(&:run_as_group)
+
+    # Replace generic finer-grained scope auth group with which allows standalone or
+    # ehr launch with just the standalone launch group
+    granular_scopes_group1 = children.first
+    granular_scopes_group1.children[0] = granular_scopes_group1.children.first.children.first
+    standalone_launch_group1 = granular_scopes_group1.children[0]
+    standalone_launch_group1.required
+
+    granular_scopes_group2 = children.last
+    granular_scopes_group2.children[0] = granular_scopes_group2.children.first.children.first
+    standalone_launch_group2 = granular_scopes_group2.children[0]
+    standalone_launch_group2.required
+
+    # Move the granular scope API groups to the top level
+    api_group1 = granular_scopes_group1.children.pop
+    api_group1.children.each do |group|
+      group.children.select!(&:required?)
+      granular_scopes_group1.children << group
+    end
+
+    api_group2 = granular_scopes_group2.children.pop
+    api_group2.children.each do |group|
+      group.children.select!(&:required?)
+      granular_scopes_group2.children << group
+    end
+
+    # Remove OIDC and refresh token tests
+    standalone_launch_group1.children.pop(2)
+    standalone_launch_group2.children.pop(2)
+
+    config(
+      inputs: {
+        authorization_method: {
+          name: :granular_scopes_authorization_method,
+          title: 'Granular Scopes Authorization Request Method'
+        },
+        client_auth_type: {
+          name: :granular_scopes_client_auth_type,
+          title: 'Granular Scopes Client Authentication Type'
+        },
+        received_scopes: {
+          name: :standalone_received_scopes
+        }
+      }
+    )
+
+    granular_scopes_group1.config(
+      inputs: {
+        client_id: {
+          name: :granular_scopes1_client_id,
+          title: 'Granular Scopes Group 1 Client ID'
+        },
+        client_secret: {
+          name: :granular_scopes1_client_secret,
+          title: 'Granular Scopes Group 1 Client Secret'
+        },
+        requested_scopes: {
+          title: 'Granular Scopes Group 1 Scopes'
+        }
+      }
+    )
+
+    granular_scopes_group2.config(
+      inputs: {
+        client_id: {
+          name: :granular_scopes2_client_id,
+          title: 'Granular Scopes Group 2 Client ID'
+        },
+        client_secret: {
+          name: :granular_scopes2_client_secret,
+          title: 'Granular Scopes Group 2 Client Secret'
+        },
+        requested_scopes: {
+          title: 'Granular Scopes Group 2 Scopes'
+        }
+      }
+    )
+
+    input_order :url,
+                :granular_scopes1_client_id,
+                :requested_scopes_group1,
+                :granular_scopes_authorization_method,
+                :granular_scopes_client_auth_type,
+                :granular_scopes1_client_secret,
+                :client_auth_encryption_method,
+                :granular_scopes2_client_id,
+                :requested_scopes_group2,
+                :granular_scopes2_client_secret,
+                :use_pkce,
+                :pkce_code_challenge_method,
+                :patient_ids
+  end
+end