safire 0.1.0

data/docs/troubleshooting/index.md

@@ -0,0 +1,99 @@
+---
+layout: default
+title: Troubleshooting
+nav_order: 8
+has_children: true
+permalink: /troubleshooting/
+---
+
+# Troubleshooting
+
+{: .no_toc }
+
+<div class="code-example" markdown="1">
+Common issues and solutions when integrating SMART on FHIR with Safire.
+</div>
+
+## Table of contents
+{: .no_toc .text-delta }
+
+1. TOC
+{:toc}
+
+---
+
+## Error Types
+
+Safire raises typed errors so you can handle each failure category separately:
+
+| Error class | When raised |
+|-------------|-------------|
+| `Safire::Errors::ConfigurationError` | Missing or invalid client configuration — caught at construction time |
+| `Safire::Errors::DiscoveryError` | SMART metadata fetch failed (HTTP error, invalid JSON) |
+| `Safire::Errors::TokenError` | Token exchange or refresh failed (OAuth error, missing fields) |
+| `Safire::Errors::NetworkError` | Transport-level failure (connection refused, timeout, blocked redirect) |
+
+All Safire errors inherit from `Safire::Errors::Error`, so you can catch everything with a single rescue if needed.
+
+```ruby
+begin
+  tokens = client.request_access_token(code: code, code_verifier: verifier)
+rescue Safire::Errors::ConfigurationError => e
+  # Client misconfiguration — fix before retrying
+  Rails.logger.error("Configuration error: #{e.message}")
+  render plain: 'Server configuration error', status: :internal_server_error
+rescue Safire::Errors::TokenError => e
+  # OAuth error — e.status, e.error_code, e.error_description are all available
+  Rails.logger.error("Token error: #{e.message}")
+  redirect_to launch_path, alert: 'Authorization failed. Please try again.'
+rescue Safire::Errors::NetworkError => e
+  Rails.logger.error("Network error: #{e.message}")
+  render plain: 'Server temporarily unavailable', status: :service_unavailable
+end
+```
+
+---
+
+## Debugging
+
+### Enable detailed logging
+
+```ruby
+Safire.configure do |config|
+  config.logger    = Rails.logger
+  config.log_level = Logger::DEBUG
+end
+```
+
+HTTP request logging is on by default. Sensitive headers (`Authorization`) are always filtered. Request and response bodies are never logged.
+
+```
+INFO: request: POST https://fhir.example.com/token
+INFO: request: Authorization: [FILTERED]
+INFO: response: Status 200
+```
+
+To disable HTTP logging:
+
+```ruby
+Safire.configure { |c| c.log_http = false }
+```
+
+### Test against the SMART reference server
+
+```ruby
+# .env.development
+FHIR_BASE_URL=https://launch.smarthealthit.org/v/r4/sim/eyJoIjoiMSJ9/fhir
+```
+
+Visit [launch.smarthealthit.org](https://launch.smarthealthit.org) to configure simulated patients and launch contexts.
+
+---
+
+## Getting Help
+
+- **Check the logs first** — Safire logs one line per error with all relevant context
+- **Test endpoints manually** — `curl https://fhir.example.com/.well-known/smart-configuration`
+- **Open an issue** — [github.com/vanessuniq/safire/issues](https://github.com/vanessuniq/safire/issues)
+
+When reporting an issue, include: Safire version (`Safire::VERSION`), Ruby version, the error message and backtrace, and the server type if known. Never include credentials or tokens.

data/docs/troubleshooting/token-errors.md

@@ -0,0 +1,99 @@
+---
+layout: default
+title: Token and PKCE Errors
+parent: Troubleshooting
+nav_order: 2
+---
+
+# Token and PKCE Errors
+
+{: .no_toc }
+
+## Table of contents
+{: .no_toc .text-delta }
+
+1. TOC
+{:toc}
+
+---
+
+## Token Exchange Errors
+
+### `TokenError`: Token request failed
+
+```
+Safire::Errors::TokenError: Token request failed — HTTP 400 — invalid_grant — Authorization code has expired
+```
+
+Common OAuth error codes and their meaning:
+
+| `error_code` | Cause | Action |
+|--------------|-------|--------|
+| `invalid_grant` | Code expired or already used | Codes are single-use; the user must re-authorize |
+| `invalid_client` | Client ID or credentials not recognized | Verify registration and credentials |
+| `invalid_request` | Missing required parameter | Check `redirect_uri` matches exactly what was registered |
+| `unauthorized_client` | Client not authorized for this grant type | Verify server-side client configuration |
+
+The `redirect_uri` in the token request must exactly match the one used in the authorization request and the one registered with the server — including trailing slashes.
+
+### `TokenError`: Missing access token
+
+```
+Safire::Errors::TokenError: Missing access token in response; received fields: token_type, expires_in
+```
+
+The server returned a 200 response without an `access_token`. This usually means the server returned an OAuth error body with a 200 status (non-standard behaviour). Inspect the received field names in the error message to diagnose what the server actually returned.
+
+---
+
+## Refresh Token Errors
+
+### `TokenError`: Refresh token invalid or expired
+
+```
+Safire::Errors::TokenError: Token request failed — HTTP 400 — invalid_grant — Refresh token expired
+```
+
+Refresh tokens expire, get revoked, or may be single-use on some servers. When a refresh fails with `invalid_grant`, re-authenticate rather than retrying:
+
+```ruby
+def refresh_access_token
+  new_tokens = client.refresh_token(refresh_token: session[:refresh_token])
+  session[:access_token]  = new_tokens['access_token']
+  session[:refresh_token] = new_tokens['refresh_token'] if new_tokens['refresh_token']
+rescue Safire::Errors::TokenError => e
+  raise unless e.error_code == 'invalid_grant'
+
+  clear_session
+  redirect_to launch_path, alert: 'Session expired. Please sign in again.'
+end
+```
+
+Some servers issue a new refresh token on each refresh (rotating tokens). Always update both `access_token` and `refresh_token` from the response.
+
+---
+
+## PKCE Errors
+
+### Invalid `code_challenge` at the server
+
+**Symptom:** authorization fails at the server with a PKCE-related error.
+
+**Cause:** the `code_verifier` used in the token exchange does not match the `code_challenge` sent in the authorization request. This almost always means the verifier was regenerated rather than stored and retrieved.
+
+Store the verifier from `authorization_url` and use it unchanged in the token exchange:
+
+```ruby
+# On launch — store the verifier
+auth_data = client.authorization_url
+session[:code_verifier] = auth_data[:code_verifier]
+
+# On callback — use exactly what was stored
+tokens = client.request_access_token(
+  code:           params[:code],
+  code_verifier:  session[:code_verifier]
+)
+session.delete(:code_verifier) # discard after use
+```
+
+Never call `Safire::PKCE.generate_code_verifier` in the callback — a new verifier will not match the challenge already sent to the server.

data/docs/udap.md

@@ -0,0 +1,78 @@
+---
+layout: default
+title: UDAP
+nav_order: 5
+---
+
+# UDAP
+
+{: .no_toc }
+
+<div class="code-example" markdown="1">
+**Status:** Planned — see [ROADMAP.md](https://github.com/vanessuniq/safire/blob/main/ROADMAP.md) for timeline and progress.
+</div>
+
+## Table of contents
+{: .no_toc .text-delta }
+
+1. TOC
+{:toc}
+
+---
+
+## Overview
+
+UDAP (Unified Data Access Profiles) is a security framework for healthcare data exchange defined by the [UDAP Security Implementation Guide](https://hl7.org/fhir/us/udap-security/). It extends standard OAuth 2.0 with X.509 certificate-based identity, dynamic client registration, and trust community models — designed primarily for backend system-to-system integration and cross-organizational data access.
+
+UDAP is a separate protocol from SMART on FHIR. In Safire, it is selected via `protocol: :udap` rather than a `client_type:`. Watch the [GitHub repository](https://github.com/vanessuniq/safire) for release announcements.
+
+---
+
+## Planned Features
+
+### Discovery
+
+- **UDAP Discovery** (`/.well-known/udap`) — fetch server metadata and trust anchors
+
+### Client Flows
+
+- **Dynamic Client Registration (DCR)** — one-time registration using a signed software statement to obtain a `client_id`; required only when the client has not previously registered with the server and if the server supports DCR
+- **JWT Client Authentication** — authenticate on every request using a signed JWT assertion (Authentication Token, AnT) with an X.509 certificate chain in the `x5c` header; the registered `client_id` is reused as `iss` and `sub` in each assertion
+- **Tiered OAuth** — delegated authorization for multi-system access per the UDAP Security IG
+- **Pushed Authorization Requests (RFC 9126)** — PAR support for pre-registering authorization requests
+
+### Trust Framework
+
+- **Certificate Validation** — verify server and client certificates against trust anchors
+- **Trust Community Support** — integration with UDAP trust communities (e.g. Carequality, CommonWell)
+
+---
+
+## When to Use UDAP
+
+| Scenario | Why UDAP |
+|----------|----------|
+| **Backend / B2B Integration** | Server-to-server flows without user interaction; certificate-based identity replaces pre-shared secrets |
+| **Dynamic Client Registration** | Clients can register programmatically without manual server-side approval |
+| **Cross-Organization Access** | Trust communities allow clients to be recognized across participant organizations without per-server registration |
+| **High-Assurance Identity** | X.509 certificates provide stronger identity guarantees than client secrets |
+
+---
+
+## Comparison with SMART on FHIR
+
+| Feature | SMART on FHIR | UDAP |
+|---------|---------------|------|
+| Primary use case | User-facing apps, EHR launch | B2B, backend services, cross-org access |
+| Client registration | Pre-registered per server, optional DCR (recommended) | Dynamic (DCR) or pre-registered |
+| Authentication | Client secrets or `private_key_jwt` | Signed JWT assertions (AnT) with X.509 `x5c` chain |
+| Trust model | Per-server registration | Certificate-based trust communities |
+| Safire selection | `client_type: :public / :confidential_symmetric / :confidential_asymmetric` | `protocol: :udap` (planned) |
+
+### Resources
+
+- [UDAP Security IG](https://hl7.org/fhir/us/udap-security/) — HL7 Implementation Guide
+- [UDAP JWT Client Auth](https://www.udap.org/udap-jwt-client-auth.html) — JWT assertion specification
+- [UDAP Dynamic Client Registration](https://www.udap.org/udap-dynamic-client-registration.html) — DCR specification
+- [RFC 9126 — Pushed Authorization Requests](https://datatracker.ietf.org/doc/html/rfc9126)
+- [UDAP Tiered OAuth](https://hl7.org/fhir/us/udap-security/b2b.html) — Delegated authorization

data/lib/safire/client.rb

@@ -0,0 +1,195 @@
+module Safire
+  # Unified facade client for SMART on FHIR and (future) UDAP authorization flows.
+  #
+  # This class is the main entry point for integrating SMART on FHIR authorization via Safire.
+  # It supports discovery of server metadata and provides a unified interface for building
+  # authorization URLs, exchanging authorization codes, and refreshing tokens.
+  #
+  # Configuration is provided via {Safire::ClientConfig} or a Hash. At minimum:
+  #
+  # * :base_url [String] FHIR base URL used for SMART discovery
+  # * :client_id [String] OAuth2 client identifier
+  # * :redirect_uri [String] redirect URI registered with the authorization server
+  # * :scopes [Array<String>] default scopes requested during authorization
+  # * :client_secret [String, optional] required for confidential_symmetric clients
+  # * :private_key [OpenSSL::PKey, String, optional] private key for confidential_asymmetric clients
+  # * :kid [String, optional] key ID matching the registered public key for asymmetric clients
+  # * :jwt_algorithm [String, optional] JWT signing algorithm (RS384 or ES384). Auto-detected if not provided
+  # * :jwks_uri [String, optional] URL to client's JWKS for jku header in JWT assertions
+  #
+  # The +protocol:+ keyword selects the authorization protocol:
+  #
+  # * :smart (default) — SMART App Launch 2.2.0
+  # * :udap             — UDAP Security (future; not yet implemented)
+  #
+  # The +client_type:+ keyword controls how the SMART client authenticates at the token endpoint:
+  #
+  # * :public (default)             — no client authentication; client_id sent in request body
+  # * :confidential_symmetric       — HTTP Basic auth using client_secret
+  # * :confidential_asymmetric      — private_key_jwt assertion (JWT signed with private key)
+  #
+  # client_type is validated for :smart and ignored for :udap. UDAP clients authenticate via
+  # signed JWT assertions (Authentication Token / AnT) with an X.509 certificate chain in the
+  # x5c JOSE header; the authentication method is not user-configurable for UDAP. DCR is
+  # typically performed once to obtain a client_id, which is then reused as iss/sub in every
+  # subsequent AnT. The unregistered client flow (§8.1) allows client_credentials grant without
+  # prior DCR when identity can be fully determined from certificate attributes alone.
+  #
+  # @note Future kwargs (not yet implemented):
+  #
+  #   flow: [Symbol] the authorization flow for this client.
+  #     SMART values:
+  #       nil / absent  — :app_launch (default): SMART App Launch, authorization_code grant
+  #       :backend_services — SMART Backend Services, client_credentials grant;
+  #         private_key_jwt is implied; client_type validation is skipped
+  #     UDAP values (protocol: :udap):
+  #       :b2b          — client_credentials grant, server-to-server
+  #       :b2c          — authorization_code grant, user-facing
+  #       :tiered_oauth — authorization_code + IdP identity delegation
+  #
+  #   Contract methods will be extended per flow in a future PR.
+  #   When protocol: :udap is fully implemented, client_type: will default to nil
+  #   (not applicable) and the flow: kwarg will drive B2B vs B2C selection.
+  #
+  # @!attribute [r] config
+  #   @return [Safire::ClientConfig] the resolved client configuration
+  #
+  # @!attribute [r] protocol
+  #   @return [Symbol] the selected protocol (:smart or :udap)
+  #
+  # @!attribute [r] client_type
+  #   @return [Symbol] the client authentication method
+  #     (:public, :confidential_symmetric, or :confidential_asymmetric)
+  #
+  # @see Safire::ClientConfig
+  # @see Safire::Protocols::Smart
+  # @see Safire::Protocols::Behaviours
+  #
+  # @example Step 0 – Initialize configuration
+  #   config = Safire::ClientConfig.new(
+  #     base_url: 'https://fhir.example.com',
+  #     client_id: 'my_client_id',
+  #     redirect_uri: 'https://myapp.example.com/callback',
+  #     scopes: ['openid', 'profile', 'patient/*.read']
+  #   )
+  #
+  # @example Step 1 – /launch route (authorization request)
+  #   client = Safire::Client.new(config)  # defaults to protocol: :smart, client_type: :public
+  #   auth_data = client.authorization_url
+  #
+  #   session[:state] = auth_data[:state]
+  #   session[:code_verifier] = auth_data[:code_verifier]
+  #
+  #   redirect_to auth_data[:auth_url]
+  #
+  # @example Step 2 – /callback route (token exchange)
+  #   return head :unauthorized unless params[:state] == session[:state]
+  #
+  #   client = Safire::Client.new(config)
+  #   token_data = client.request_access_token(
+  #     code: params[:code],
+  #     code_verifier: session[:code_verifier]
+  #   )
+  #
+  # @example Step 3 – Refreshing an access token
+  #   client = Safire::Client.new(config)
+  #   new_tokens = client.refresh_token(refresh_token: stored_refresh_token)
+  class Client
+    extend Forwardable
+
+    VALID_PROTOCOLS = %i[smart udap].freeze
+
+    PROTOCOL_CLASSES = {
+      smart: Protocols::Smart
+      # udap: Protocols::Udap  # future
+    }.freeze
+
+    # Valid client_type values per protocol.
+    # nil means the protocol does not use client_type (e.g. UDAP authenticates via signed
+    # JWT assertions with an X.509 certificate chain; the authentication method is not
+    # user-configurable for UDAP).
+    PROTOCOL_CLIENT_TYPES = {
+      smart: %i[public confidential_symmetric confidential_asymmetric],
+      udap: nil # UDAP authenticates via signed JWT assertions (AnT) with X.509 certificate chain
+    }.freeze
+
+    def_delegators :protocol_client,
+                   :server_metadata, :authorization_url,
+                   :request_access_token, :refresh_token,
+                   :token_response_valid?, :register_client
+
+    attr_reader :config, :protocol, :client_type
+
+    def initialize(config, protocol: :smart, client_type: :public)
+      @protocol    = protocol.to_sym
+      @client_type = client_type.to_sym
+      @config      = build_config(config)
+
+      validate_protocol!
+      validate_client_type!
+    end
+
+    # Changes the client type for this client.
+    #
+    # Updates the underlying protocol client in place — server metadata already
+    # fetched is preserved and no re-discovery occurs.
+    #
+    # @param new_client_type [Symbol, String] the new client type
+    # @return [Symbol] the new client type
+    # @raise [Safire::Errors::ConfigurationError] if the client type is not valid for this protocol
+    #
+    # @example Discover then switch client type
+    #   client = Safire::Client.new(config)  # defaults to :public
+    #   metadata = client.server_metadata
+    #
+    #   if metadata.supports_symmetric_auth?
+    #     client.client_type = :confidential_symmetric
+    #   end
+    def client_type=(new_client_type)
+      if PROTOCOL_CLIENT_TYPES[@protocol].nil?
+        Safire.logger.warn(
+          "client_type is not configurable for protocol: :#{@protocol}; " \
+          'UDAP clients authenticate via signed JWT assertions — ignoring'
+        )
+        return
+      end
+
+      @client_type = new_client_type.to_sym
+      validate_client_type!
+      @protocol_client&.client_type = @client_type
+    end
+
+    private
+
+    def protocol_client
+      @protocol_client ||= PROTOCOL_CLASSES.fetch(@protocol).new(config, client_type:)
+    end
+
+    def build_config(config)
+      return config if config.is_a?(Safire::ClientConfig)
+
+      Safire::ClientConfig.new(config)
+    end
+
+    def validate_protocol!
+      return if VALID_PROTOCOLS.include?(@protocol)
+
+      raise Errors::ConfigurationError.new(
+        invalid_attribute: :protocol,
+        invalid_value: @protocol,
+        valid_values: VALID_PROTOCOLS
+      )
+    end
+
+    def validate_client_type!
+      valid_types = PROTOCOL_CLIENT_TYPES[@protocol]
+      return if valid_types.nil? || valid_types.include?(@client_type)
+
+      raise Errors::ConfigurationError.new(
+        invalid_attribute: :client_type,
+        invalid_value: @client_type,
+        valid_values: valid_types
+      )
+    end
+  end
+end

data/lib/safire/client_config.rb

@@ -0,0 +1,169 @@
+module Safire
+  # Client configuration entity providing necessary attributes to perform different
+  # auth flows such as SMART on FHIR puclic, confidential symmetric, confidential asymmetric
+  # clients, and backend services.
+  # The ClientConfig instance is passed to Safire::Client upon initialization.
+  #
+  # @!attribute [r] base_url
+  #   @return [String] the base URL of the FHIR service
+  # @!attribute [r] issuer
+  #   @return [String] the URL of the FHIR service from which the app wishes to retrieve FHIR data.
+  #     Optionally provided. Will default to `base_url` if not provided.
+  # @!attribute [r] client_id
+  #   @return [String] the client identifier issued to the app by the authorization server
+  # @!attribute [r] redirect_uri
+  #   @return [String] the redirect URI registered by the app with the authorization server
+  # @!attribute [r] scopes
+  #   @return [Array<String>] list of OAuth2 scopes describing the app's desired access.
+  #     Optionally provided.
+  # @!attribute [r] authorization_endpoint
+  #   @return [String] URL of the server’s OAuth2 Authorization Endpoint.
+  # =>  Optional, will be retrieved from the well-known smart-configuration if not provided
+  # @!attribute [r] token_endpoint
+  #   @return [String] URL of the server's OAuth2 Token Endpoint.
+  # =>  Optional, will be retrieved from the well-known smart-configuration if not provided
+  # @!attribute [r] private_key
+  #   @return [OpenSSL::PKey::RSA, OpenSSL::PKey::EC, String, nil] the private key for signing
+  #     JWT assertions in confidential asymmetric auth. Can be an OpenSSL key object or PEM string.
+  # @!attribute [r] kid
+  #   @return [String, nil] the key ID matching the public key registered with the authorization server.
+  #     Required for confidential asymmetric authentication.
+  # @!attribute [r] jwt_algorithm
+  #   @return [String, nil] the JWT signing algorithm (RS384 or ES384).
+  #     Optional, auto-detected from key type if not provided.
+  # @!attribute [r] jwks_uri
+  #   @return [String, nil] URL to the client's JWKS containing the public key.
+  #     Optional, included as jku header in JWT assertions when provided.
+  #
+  # @example Initializing a ClientConfig
+  #   config = Safire::ClientConfig.new(
+  #     base_url: 'https://fhir.example.com',
+  #     client_id: 'my_client_id',
+  #     redirect_uri: 'https://myapp.example.com/callback',
+  #     scopes: ['openid', 'profile', 'patient/*.read']
+  #   )
+  #  client = Safire::Client.new(config)
+  #
+  # @example Initializing a ClientConfig using the Builder
+  #   config = Safire::ClientConfig.builder
+  #     .base_url('https://fhir.example.com')
+  #     .client_id('my_client_id')
+  #     .redirect_uri('https://myapp.example.com/callback')
+  #     .scopes(['openid', 'profile', 'patient/*.read'])
+  #     .build
+  #  client = Safire::Client.new(config)
+  #
+  # @see Safire::ClientConfigBuilder
+  class ClientConfig < Entity
+    ATTRIBUTES = %i[
+      base_url issuer client_id client_secret redirect_uri
+      scopes authorization_endpoint token_endpoint
+      private_key kid jwt_algorithm jwks_uri
+    ].freeze
+
+    attr_reader(*ATTRIBUTES)
+
+    def initialize(config)
+      super(config, ATTRIBUTES)
+
+      @issuer ||= base_url
+      validate!
+    end
+
+    class << self
+      def builder
+        ClientConfigBuilder.new
+      end
+    end
+
+    SENSITIVE_ATTRIBUTES = %i[client_secret private_key].freeze
+    URI_ATTRS = %i[base_url redirect_uri issuer authorization_endpoint token_endpoint jwks_uri].freeze
+    OPTIONAL_URI_ATTRS = %i[authorization_endpoint token_endpoint jwks_uri].freeze
+    private_constant :SENSITIVE_ATTRIBUTES, :URI_ATTRS, :OPTIONAL_URI_ATTRS
+
+    # @api private
+    def inspect
+      attrs = ATTRIBUTES.map do |attr|
+        value = send(attr)
+        next if value.nil?
+
+        masked = SENSITIVE_ATTRIBUTES.include?(attr) ? '[FILTERED]' : value.inspect
+        "#{attr}: #{masked}"
+      end.compact.join(', ')
+      "#<#{self.class} #{attrs}>"
+    end
+
+    protected
+
+    # @return [Array<Symbol>] attributes masked as '[FILTERED]' in #to_hash
+    def sensitive_attributes
+      SENSITIVE_ATTRIBUTES
+    end
+
+    private
+
+    # Validates all URI attributes for structure and HTTPS requirement.
+    #
+    # Per SMART App Launch 2.2.0 (§App Protection, §Confidential Asymmetric),
+    # all exchanges involving sensitive data SHALL use TLS. All endpoint URIs
+    # must therefore use the `https` scheme.
+    #
+    # Exception: `http` is permitted when the host is `localhost` or `127.0.0.1`
+    # to support local development without a TLS termination proxy.
+    #
+    # @raise [Errors::ConfigurationError] if any URI is malformed or uses HTTP on a non-localhost host
+    def validate_uris!
+      invalid_uris, non_https_uris = collect_uri_violations
+      return if invalid_uris.empty? && non_https_uris.empty?
+
+      raise Errors::ConfigurationError.new(
+        invalid_uri_attributes: invalid_uris,
+        non_https_uri_attributes: non_https_uris
+      )
+    end
+
+    def collect_uri_violations
+      invalid_uris = []
+      non_https_uris = []
+
+      URI_ATTRS.each do |attr|
+        value = send(attr)
+        next if value.nil? && OPTIONAL_URI_ATTRS.include?(attr)
+
+        case classify_uri(value)
+        when :invalid   then invalid_uris << attr
+        when :non_https then non_https_uris << attr
+        end
+      end
+
+      [invalid_uris, non_https_uris]
+    end
+
+    def classify_uri(value)
+      uri = Addressable::URI.parse(value)
+      return :invalid unless uri.scheme && uri.host
+
+      :non_https if uri.scheme != 'https' && !localhost_host?(uri.host)
+    rescue Addressable::URI::InvalidURIError
+      :invalid
+    end
+
+    # Returns true when the host is a local loopback address.
+    # HTTP is permitted for localhost to support development environments.
+    def localhost_host?(host)
+      %w[localhost 127.0.0.1].include?(host)
+    end
+
+    def validate!
+      required_attrs = %i[base_url client_id redirect_uri]
+      nil_vars = required_attrs.select { |attr| send(attr).nil? }
+
+      if nil_vars.empty?
+        validate_uris!
+        return
+      end
+
+      raise Errors::ConfigurationError.new(missing_attributes: nil_vars)
+    end
+  end
+end