smart_app_launch_test_kit 0.0.1 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ae741dbca6b676c7c53c6be41a14f84292b4d620dbfecbf67f7472f5450c67fc
-  data.tar.gz: 4136c596fa810d8109c18df863e39eda7283c170a59c7441dc07e1bcb4ebdc1f
+  metadata.gz: 7da125d1c3d1b6665088989e563aa9a046fc9e651ab3b1616e153cee1d695a6e
+  data.tar.gz: 329bf68903d2b72988bfbdd1c0525ec1a933c5450b285fc001c4d28d44552f2f
 SHA512:
-  metadata.gz: dfa9bd45de2c2b917347724b9a706dde71d1287dc48a3e49a86371b1106c42257084f78f989dcb737fba425594fbc11f4562b3aab7bf37710a40cdff3fccb116
-  data.tar.gz: ce2e0ed22fd192d88c5de32f334ada292ee5813b72c184eb9161f122d2cec82155ff6e83de19f8fe2c2d7a2ea0cd52b5c4adcdcefef0a668ff079abb7107776d
+  metadata.gz: '081f7d57660ef9446376fd1fd07753b00014258f9162b3ffc14f57165caa4ca255d3dc970483b30236a7fd9bbfec49c0bda9becb6c3a20f6805e679b6fc24814'
+  data.tar.gz: ee1f2ea1d9b75980516d2098528b229eabbacea1fc305c1242aacff60e1fbd7bf06a2d7b98788f313c000492264e9f5ef79b120ebeb0bd7e7e124e3147a48a47

data/lib/smart_app_launch/app_launch_test.rb

@@ -10,7 +10,7 @@ module SMARTAppLaunch
     input :url
     receives_request :launch
 
-    config options: { launch_uri: "#{Inferno::Application['inferno_host']}/custom/smart/launch" }
+    config options: { launch_uri: "#{Inferno::Application['base_url']}/custom/smart/launch" }
 
     run do
       wait(

data/lib/smart_app_launch/app_redirect_test.rb

@@ -8,13 +8,63 @@ module SMARTAppLaunch
     id :smart_app_redirect
 
     input :client_id, :requested_scopes, :url, :smart_authorization_url
+    input :use_pkce,
+          title: 'Proof Key for Code Exchange (PKCE)',
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Enabled',
+                value: 'true'
+              },
+              {
+                label: 'Disabled',
+                value: 'false'
+              }
+            ]
+          }
+    input :pkce_code_challenge_method,
+          optional: true,
+          title: 'PKCE Code Challenge Method',
+          type: 'radio',
+          default: 'S256',
+          options: {
+            list_options: [
+              {
+                label: 'S256',
+                value: 'S256'
+              },
+              {
+                label: 'plain',
+                value: 'plain'
+              }
+            ]
+          }
 
-    output :state
+    output :state, :pkce_code_challenge, :pkce_code_verifier
     receives_request :redirect
 
-    config options: { redirect_uri: "#{Inferno::Application['inferno_host']}/custom/smart/redirect" }
+    config options: { redirect_uri: "#{Inferno::Application['base_url']}/custom/smart/redirect" }
+
+    def self.calculate_s256_challenge(verifier)
+      Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
+    end
+
+    def aud
+      url
+    end
+
+    def wait_message(auth_url)
+      %(
+        [Follow this link to authorize with the SMART server](#{auth_url}).
+        Waiting to receive a request at `#{config.options[:redirect_uri]}` with
+        a state of `#{state}`.
+      )
+    end
 
     run do
+      info(config.options[:redirect_uri])
       assert_valid_http_uri(
         smart_authorization_url,
         "OAuth2 Authorization Endpoint '#{smart_authorization_url}' is not a valid URI"
@@ -28,11 +78,25 @@ module SMARTAppLaunch
         'redirect_uri' => config.options[:redirect_uri],
         'scope' => requested_scopes,
         'state' => state,
-        'aud' => url
+        'aud' => aud
       }
 
       oauth2_params['launch'] = launch if self.class.inputs.include?(:launch)
 
+      if use_pkce == 'true'
+        code_verifier = SecureRandom.uuid
+        code_challenge =
+          if pkce_code_challenge_method == 'S256'
+            self.class.calculate_s256_challenge(code_verifier)
+          else
+            code_verifier
+          end
+
+        output pkce_code_verifier: code_verifier, pkce_code_challenge: code_challenge
+
+        oauth2_params.merge!('code_challenge' => code_challenge, 'code_challenge_method' => pkce_code_challenge_method)
+      end
+
       authorization_url = smart_authorization_url
 
       authorization_url +=
@@ -50,11 +114,7 @@ module SMARTAppLaunch
 
       wait(
         identifier: state,
-        message: %(
-          [Follow this link to authorize with the SMART
-          server](#{authorization_url}). Waiting to receive a request at
-          `#{config.options[:redirect_uri]}` with a state of `#{state}`.
-        )
+        message: wait_message(authorization_url)
       )
     end
   end

data/lib/smart_app_launch/discovery_group.rb

@@ -2,6 +2,7 @@ module SMARTAppLaunch
   class DiscoveryGroup < Inferno::TestGroup
     id :smart_discovery
     title 'SMART on FHIR Discovery'
+    short_description 'Retrieve server\'s SMART on FHIR configuration.'
     description %(
       # Background
 
@@ -43,8 +44,7 @@ module SMARTAppLaunch
       )
       input :url,
             title: 'FHIR Endpoint',
-            description: 'URL of the FHIR endpoint used by SMART applications',
-            default: 'https://inferno.healthit.gov/reference-server/r4'
+            description: 'URL of the FHIR endpoint used by SMART applications'
       output :well_known_configuration,
              :well_known_authorization_url,
              :well_known_introspection_url,

data/lib/smart_app_launch/ehr_launch_group.rb

@@ -10,6 +10,7 @@ module SMARTAppLaunch
   class EHRLaunchGroup < Inferno::TestGroup
     id :smart_ehr_launch
     title 'SMART EHR Launch'
+    short_description 'Demonstrate the ability to authorize an app using the EHR Launch.'
 
     description %(
       # Background
@@ -42,8 +43,7 @@ module SMARTAppLaunch
         client_id: {
           name: :ehr_client_id,
           title: 'EHR Launch Client ID',
-          description: 'Client ID provided during registration of Inferno as an EHR launch application',
-          default: 'SAMPLE_PUBLIC_CLIENT_ID'
+          description: 'Client ID provided during registration of Inferno as an EHR launch application'
         },
         client_secret: {
           name: :ehr_client_secret,
@@ -55,23 +55,11 @@ module SMARTAppLaunch
           title: 'EHR Launch Scope',
           description: 'OAuth 2.0 scope provided by system to enable all required functionality',
           type: 'textarea',
-          default: %(
-            launch openid fhirUser offline_access
-            patient/Medication.read patient/AllergyIntolerance.read
-            patient/CarePlan.read patient/CareTeam.read patient/Condition.read
-            patient/Device.read patient/DiagnosticReport.read
-            patient/DocumentReference.read patient/Encounter.read
-            patient/Goal.read patient/Immunization.read patient/Location.read
-            patient/MedicationRequest.read patient/Observation.read
-            patient/Organization.read patient/Patient.read
-            patient/Practitioner.read patient/Procedure.read
-            patient/Provenance.read patient/PractitionerRole.read
-          ).gsub(/\s{2,}/, ' ').strip
+          default: 'launch openid fhirUser offline_access user/*.read'
         },
         url: {
           title: 'EHR Launch FHIR Endpoint',
-          description: 'URL of the FHIR endpoint used by EHR launched applications',
-          default: 'https://inferno.healthit.gov/reference-server/r4'
+          description: 'URL of the FHIR endpoint used by EHR launched applications'
         },
         code: {
           name: :ehr_code
@@ -81,6 +69,9 @@ module SMARTAppLaunch
         },
         launch: {
           name: :ehr_launch
+        },
+        smart_credentials: {
+          name: :ehr_smart_credentials
         }
       },
       outputs: {
@@ -95,7 +86,8 @@ module SMARTAppLaunch
         patient_id: { name: :ehr_patient_id },
         encounter_id: { name: :ehr_encounter_id },
         received_scopes: { name: :ehr_received_scopes },
-        intent: { name: :ehr_intent }
+        intent: { name: :ehr_intent },
+        smart_credentials: { name: :ehr_smart_credentials }
       },
       requests: {
         launch: { name: :ehr_launch },
@@ -106,10 +98,34 @@ module SMARTAppLaunch
 
     test from: :smart_app_launch
     test from: :smart_launch_received
+    test from: :tls_version_test,
+         id: :ehr_auth_tls,
+         title: 'OAuth 2.0 authorize endpoint secured by transport layer security',
+         description: %(
+           Apps MUST assure that sensitive information (authentication secrets,
+           authorization codes, tokens) is transmitted ONLY to authenticated
+           servers, over TLS-secured channels.
+         ),
+         config: {
+           inputs: { url: { name: :smart_authorization_url } },
+           options: {  minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION }
+         }
     test from: :smart_app_redirect do
       input :launch
     end
     test from: :smart_code_received
+    test from: :tls_version_test,
+         id: :ehr_token_tls,
+         title: 'OAuth 2.0 token endpoint secured by transport layer security',
+         description: %(
+           Apps MUST assure that sensitive information (authentication secrets,
+           authorization codes, tokens) is transmitted ONLY to authenticated
+           servers, over TLS-secured channels.
+         ),
+         config: {
+           inputs: { url: { name: :smart_token_url } },
+           options: {  minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION }
+         }
     test from: :smart_token_exchange
     test from: :smart_token_response_body
     test from: :smart_token_response_headers

data/lib/smart_app_launch/openid_connect_group.rb

@@ -11,6 +11,7 @@ module SMARTAppLaunch
   class OpenIDConnectGroup < Inferno::TestGroup
     id :smart_openid_connect
     title 'OpenID Connect'
+    short_description 'Demonstrate the ability to authenticate users with OpenID Connect.'
 
     description %(
       # Background
@@ -54,30 +55,5 @@ module SMARTAppLaunch
     test from: :smart_openid_token_payload
 
     test from: :smart_openid_fhir_user_claim
-
-    # test do
-    #   id :smart_openid_fhir_user_retrieval
-    #   title 'fhirUser can be retrieved'
-    #   description %(
-    #     Verify that the FHIR resource referred to in the `fhirUser` claim can be
-    #     retrieved.
-    #   )
-
-    #   input :id_token_fhir_user, :openid_issuer, :standalone_access_token
-    #   makes_request :id_token_fhir_user
-
-    #   run do
-    #     skip_if id_token_fhir_user.blank?
-
-    #     split_fhir_user = id_token_fhir_user.split('/')
-    #     resource_type = split_fhir_user[-2]
-    #     resource_id = split_fhir_user[-1]
-    #     fhir_read(resource_type, resource_id)
-
-    #     assert_response_status(200)
-    #     assert_valid_json(response[:body])
-    #     assert_resource_type(resource_type)
-    #   end
-    # end
   end
 end

data/lib/smart_app_launch/openid_fhir_user_claim_test.rb

@@ -1,30 +1,47 @@
 module SMARTAppLaunch
   class OpenIDFHIRUserClaimTest < Inferno::Test
     id :smart_openid_fhir_user_claim
-    title 'ID token contains a valid fhirUser claim'
+    title 'FHIR resource representing the current user can be retrieved'
     description %(
-        Verify that the `fhirUser` claim is present in the ID token. The
-        `fhirUser` claim must be the url for a Patient, Practitioner,
-        RelatedPerson, or Person resource.
-      )
+      Verify that the `fhirUser` claim is present in the ID token and that the
+      FHIR resource it refers to can be retrieved. The `fhirUser` claim must be
+      the url for a Patient, Practitioner, RelatedPerson, or Person resource
+    )
 
-    input :id_token_payload_json, :requested_scopes
+    input :id_token_payload_json, :requested_scopes, :url
+    input :smart_credentials, type: :oauth_credentials
     output :id_token_fhir_user
 
+    fhir_client do
+      url :url
+      oauth_credentials :smart_credentials
+    end
+
     run do
       skip_if id_token_payload_json.blank?
       skip_if !requested_scopes&.include?('fhirUser'), '`fhirUser` scope not requested'
 
+      assert_valid_json(id_token_payload_json)
       payload = JSON.parse(id_token_payload_json)
       fhir_user = payload['fhirUser']
 
       valid_fhir_user_resource_types = ['Patient', 'Practitioner', 'RelatedPerson', 'Person']
 
       assert fhir_user.present?, 'ID token does not contain `fhirUser` claim'
-      assert valid_fhir_user_resource_types.any? { |type| fhir_user.include? type },
+
+      fhir_user_segments = fhir_user.split('/')
+      fhir_user_resource_type = fhir_user_segments[-2]
+      fhir_user_id = fhir_user_segments.last
+
+      assert valid_fhir_user_resource_types.include?(fhir_user_resource_type),
              "ID token `fhirUser` claim does not refer to a valid resource type: #{fhir_user}"
 
       output id_token_fhir_user: fhir_user
+
+      fhir_read(fhir_user_resource_type, fhir_user_id)
+
+      assert_response_status(200)
+      assert_resource_type(fhir_user_resource_type)
     end
   end
 end

data/lib/smart_app_launch/standalone_launch_group.rb

@@ -8,6 +8,7 @@ module SMARTAppLaunch
   class StandaloneLaunchGroup < Inferno::TestGroup
     id :smart_standalone_launch
     title 'SMART Standalone Launch'
+    short_description 'Demonstrate the ability to authorize an app using the Standalone Launch.'
 
     description %(
       # Background
@@ -38,8 +39,7 @@ module SMARTAppLaunch
         client_id: {
           name: :standalone_client_id,
           title: 'Standalone Client ID',
-          description: 'Client ID provided during registration of Inferno as a standalone application',
-          default: 'SAMPLE_PUBLIC_CLIENT_ID'
+          description: 'Client ID provided during registration of Inferno as a standalone application'
         },
         client_secret: {
           name: :standalone_client_secret,
@@ -51,30 +51,22 @@ module SMARTAppLaunch
           title: 'Standalone Scope',
           description: 'OAuth 2.0 scope provided by system to enable all required functionality',
           type: 'textarea',
-          default: %(
-            launch/patient openid fhirUser offline_access
-            patient/Medication.read patient/AllergyIntolerance.read
-            patient/CarePlan.read patient/CareTeam.read patient/Condition.read
-            patient/Device.read patient/DiagnosticReport.read
-            patient/DocumentReference.read patient/Encounter.read
-            patient/Goal.read patient/Immunization.read patient/Location.read
-            patient/MedicationRequest.read patient/Observation.read
-            patient/Organization.read patient/Patient.read
-            patient/Practitioner.read patient/Procedure.read
-            patient/Provenance.read patient/PractitionerRole.read
-          ).gsub(/\s{2,}/, ' ').strip
+          default: 'launch/patient openid fhirUser offline_access patient/*.read'
         },
         url: {
           title: 'Standalone FHIR Endpoint',
-          description: 'URL of the FHIR endpoint used by standalone applications',
-          default: 'https://inferno.healthit.gov/reference-server/r4'
+          description: 'URL of the FHIR endpoint used by standalone applications'
         },
         code: {
           name: :standalone_code
         },
         state: {
           name: :standalone_state
+        },
+        smart_credentials: {
+          name: :standalone_smart_credentials
         }
+
       },
       outputs: {
         code: { name: :standalone_code },
@@ -87,7 +79,8 @@ module SMARTAppLaunch
         patient_id: { name: :standalone_patient_id },
         encounter_id: { name: :standalone_encounter_id },
         received_scopes: { name: :standalone_received_scopes },
-        intent: { name: :standalone_intent }
+        intent: { name: :standalone_intent },
+        smart_credentials: { name: :standalone_smart_credentials }
       },
       requests: {
         redirect: { name: :standalone_redirect },
@@ -95,8 +88,32 @@ module SMARTAppLaunch
       }
     )
 
+    test from: :tls_version_test,
+         id: :standalone_auth_tls,
+         title: 'OAuth 2.0 authorize endpoint secured by transport layer security',
+         description: %(
+           Apps MUST assure that sensitive information (authentication secrets,
+           authorization codes, tokens) is transmitted ONLY to authenticated
+           servers, over TLS-secured channels.
+         ),
+         config: {
+           inputs: { url: { name: :smart_authorization_url } },
+           options: {  minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION }
+         }
     test from: :smart_app_redirect
     test from: :smart_code_received
+    test from: :tls_version_test,
+         id: :standalone_token_tls,
+         title: 'OAuth 2.0 token endpoint secured by transport layer security',
+         description: %(
+           Apps MUST assure that sensitive information (authentication secrets,
+           authorization codes, tokens) is transmitted ONLY to authenticated
+           servers, over TLS-secured channels.
+         ),
+         config: {
+           inputs: { url: { name: :smart_token_url } },
+           options: {  minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION }
+         }
     test from: :smart_token_exchange
     test from: :smart_token_response_body
     test from: :smart_token_response_headers

data/lib/smart_app_launch/token_exchange_test.rb

@@ -14,11 +14,29 @@ module SMARTAppLaunch
           :smart_token_url,
           :client_id
     input :client_secret, optional: true
+    input :use_pkce,
+          title: 'Proof Key for Code Exchange (PKCE)',
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Enabled',
+                value: 'true'
+              },
+              {
+                label: 'Disabled',
+                value: 'false'
+              }
+            ]
+          }
+    input :pkce_code_verifier, optional: true
     output :token_retrieval_time
+    output :smart_credentials
     uses_request :redirect
     makes_request :token
 
-    config options: { redirect_uri: "#{Inferno::Application['inferno_host']}/custom/smart/redirect" }
+    config options: { redirect_uri: "#{Inferno::Application['base_url']}/custom/smart/redirect" }
 
     run do
       skip_if request.query_parameters['error'].present?, 'Error during authorization request'
@@ -37,11 +55,27 @@ module SMARTAppLaunch
         oauth2_params[:client_id] = client_id
       end
 
+      if use_pkce == 'true'
+        oauth2_params[:code_verifier] = pkce_code_verifier
+      end
+
       post(smart_token_url, body: oauth2_params, name: :token, headers: oauth2_headers)
 
+      assert_response_status(200)
+      assert_valid_json(request.response_body)
+
       output token_retrieval_time: Time.now.iso8601
 
-      assert_response_status(200)
+      token_response_body = JSON.parse(request.response_body)
+      output smart_credentials: {
+               refresh_token: token_response_body['refresh_token'],
+               access_token: token_response_body['access_token'],
+               expires_in: token_response_body['expires_in'],
+               client_id: client_id,
+               client_secret: client_secret,
+               token_retrieval_time: token_retrieval_time,
+               token_url: smart_token_url
+             }.to_json
     end
   end
 end

data/lib/smart_app_launch/token_refresh_body_test.rb

@@ -5,21 +5,12 @@ module SMARTAppLaunch
     include TokenPayloadValidation
 
     id :smart_token_refresh_body
-    title 'Server successfully refreshes the access token when optional scope parameter omitted'
+    title 'Token refresh response contains all required fields'
     description %(
-      Server successfully exchanges refresh token at OAuth token endpoint
-      without providing scope in the body of the request.
-
       The EHR authorization server SHALL return a JSON structure that includes
       an access token or a message indicating that the authorization request
       has been denied. `access_token`, `expires_in`, `token_type`, and `scope` are
       required. `access_token` must be `Bearer`.
-
-      Although not required in the token refresh portion of the SMART App
-      Launch Guide, the token refresh response should include the HTTP
-      Cache-Control response header field with a value of no-store, as well as
-      the Pragma response header field with a value of no-cache to be
-      consistent with the requirements of the inital access token exchange.
     )
     input :received_scopes
     output :refresh_token, :access_token, :token_retrieval_time, :expires_in, :received_scopes

data/lib/smart_app_launch/token_refresh_group.rb

@@ -6,6 +6,7 @@ module SMARTAppLaunch
   class TokenRefreshGroup < Inferno::TestGroup
     id :smart_token_refresh
     title 'SMART Token Refresh'
+    short_description 'Demonstrate the ability to exchange a refresh token for an access token.'
     description %(
       # Background
 

data/lib/smart_app_launch/token_refresh_test.rb

@@ -10,11 +10,6 @@ module SMARTAppLaunch
       Server successfully exchanges refresh token at OAuth token endpoint
       without providing scope in the body of the request.
 
-      The EHR authorization server SHALL return a JSON structure that includes
-      an access token or a message indicating that the authorization request
-      has been denied. `access_token`, `expires_in`, `token_type`, and `scope` are
-      required. `access_token` must be `Bearer`.
-
       Although not required in the token refresh portion of the SMART App
       Launch Guide, the token refresh response should include the HTTP
       Cache-Control response header field with a value of no-store, as well as
@@ -23,6 +18,7 @@ module SMARTAppLaunch
     )
     input :well_known_token_url, :refresh_token, :client_id, :received_scopes
     input :client_secret, optional: true
+    output :smart_credentials, :token_retrieval_time
     makes_request :token_refresh
 
     run do
@@ -46,7 +42,20 @@ module SMARTAppLaunch
       post(well_known_token_url, body: oauth2_params, name: :token_refresh, headers: oauth2_headers)
 
       assert_response_status(200)
-      assert_valid_json(response[:body])
+      assert_valid_json(request.response_body)
+
+      output token_retrieval_time: Time.now.iso8601
+
+      token_response_body = JSON.parse(request.response_body)
+      output smart_credentials: {
+               refresh_token: token_response_body['refresh_token'],
+               access_token: token_response_body['access_token'],
+               expires_in: token_response_body['expires_in'],
+               client_id: client_id,
+               client_secret: client_secret,
+               token_retrieval_time: token_retrieval_time,
+               token_url: well_known_token_url
+             }.to_json
     end
   end
 end

data/lib/smart_app_launch/version.rb

@@ -0,0 +1,3 @@
+module SMARTAppLaunch
+  VERSION = '0.1.0'
+end

data/lib/smart_app_launch_test_kit.rb

@@ -1,13 +1,36 @@
+require 'tls_test_kit'
+
+require_relative 'smart_app_launch/version'
 require_relative 'smart_app_launch/discovery_group'
 require_relative 'smart_app_launch/standalone_launch_group'
 require_relative 'smart_app_launch/ehr_launch_group'
 require_relative 'smart_app_launch/openid_connect_group'
 require_relative 'smart_app_launch/token_refresh_group'
 
+# TODO: Remove once this functionality is released in core:
+# https://github.com/inferno-framework/inferno-core/pull/86
+module Inferno
+  module DSL
+    module Runnable
+      def required_inputs(prior_outputs = [])
+        required_inputs =
+          inputs
+            .reject { |input| input_definitions[input][:optional] }
+            .map { |input| config.input_name(input) }
+            .reject { |input| prior_outputs.include?(input) }
+        children_required_inputs = children.flat_map { |child| child.required_inputs(prior_outputs) }
+        prior_outputs.concat(outputs.map { |output| config.output_name(output) })
+        (required_inputs + children_required_inputs).flatten.uniq
+      end
+    end
+  end
+end
+
 module SMARTAppLaunch
   class SMARTSuite < Inferno::TestSuite
     id 'smart'
-    title 'SMART'
+    title 'SMART App Launch STU1'
+    version VERSION
 
     resume_test_route :get, '/launch' do
       request.query_parameters['iss']
@@ -18,12 +41,13 @@ module SMARTAppLaunch
     end
 
     config options: {
-      redirect_uri: "#{Inferno::Application['inferno_host']}/custom/smart/redirect",
-      launch_uri: "#{Inferno::Application['inferno_host']}/custom/smart/launch"
+      redirect_uri: "#{Inferno::Application['base_url']}/custom/smart/redirect",
+      launch_uri: "#{Inferno::Application['base_url']}/custom/smart/launch"
     }
 
     group do
       title 'Standalone Launch'
+      id :smart_full_standalone_launch
 
       run_as_group
 
@@ -36,7 +60,9 @@ module SMARTAppLaunch
               inputs: {
                 id_token: { name: :standalone_id_token },
                 client_id: { name: :standalone_client_id },
-                requested_scopes: { name: :standalone_requested_scopes }
+                requested_scopes: { name: :standalone_requested_scopes },
+                access_token: { name: :standalone_access_token },
+                smart_credentials: { name: :standalone_smart_credentials }
               }
             }
 
@@ -55,7 +81,8 @@ module SMARTAppLaunch
                 received_scopes: { name: :standalone_received_scopes },
                 access_token: { name: :standalone_access_token },
                 token_retrieval_time: { name: :standalone_token_retrieval_time },
-                expires_in: { name: :standalone_expires_in }
+                expires_in: { name: :standalone_expires_in },
+                smart_credentials: { name: :standalone_smart_credentials }
               }
             }
 
@@ -75,13 +102,15 @@ module SMARTAppLaunch
                 received_scopes: { name: :standalone_received_scopes },
                 access_token: { name: :standalone_access_token },
                 token_retrieval_time: { name: :standalone_token_retrieval_time },
-                expires_in: { name: :standalone_expires_in }
+                expires_in: { name: :standalone_expires_in },
+                smart_credentials: { name: :standalone_smart_credentials }
               }
             }
     end
 
     group do
       title 'EHR Launch'
+      id :smart_full_ehr_launch
 
       run_as_group
 
@@ -94,7 +123,9 @@ module SMARTAppLaunch
               inputs: {
                 id_token: { name: :ehr_id_token },
                 client_id: { name: :ehr_client_id },
-                requested_scopes: { name: :standalone_requested_scopes }
+                requested_scopes: { name: :ehr_requested_scopes },
+                access_token: { name: :ehr_access_token },
+                smart_credentials: { name: :ehr_smart_credentials }
               }
             }
 
@@ -113,7 +144,8 @@ module SMARTAppLaunch
                 received_scopes: { name: :ehr_received_scopes },
                 access_token: { name: :ehr_access_token },
                 token_retrieval_time: { name: :ehr_token_retrieval_time },
-                expires_in: { name: :ehr_expires_in }
+                expires_in: { name: :ehr_expires_in },
+                smart_credentials: { name: :ehr_smart_credentials }
               }
             }
 
@@ -133,7 +165,8 @@ module SMARTAppLaunch
                 received_scopes: { name: :ehr_received_scopes },
                 access_token: { name: :ehr_access_token },
                 token_retrieval_time: { name: :ehr_token_retrieval_time },
-                expires_in: { name: :ehr_expires_in }
+                expires_in: { name: :ehr_expires_in },
+                smart_credentials: { name: :ehr_smart_credentials }
               }
             }
     end

metadata

@@ -1,43 +1,57 @@
 --- !ruby/object:Gem::Specification
 name: smart_app_launch_test_kit
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.1.0
 platform: ruby
 authors:
 - Stephen MacVicar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-10-21 00:00:00.000000000 Z
+date: 2022-02-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inferno_core
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - ">"
       - !ruby/object:Gem::Version
-        version: 0.0.6
+        version: 0.1.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - ">"
       - !ruby/object:Gem::Version
-        version: 0.0.6
+        version: 0.1.3
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.2
+        version: '2.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.2
+        version: '2.2'
+- !ruby/object:Gem::Dependency
+  name: tls_test_kit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.0
 - !ruby/object:Gem::Dependency
   name: database_cleaner-sequel
   requirement: !ruby/object:Gem::Requirement
@@ -139,13 +153,14 @@ files:
 - lib/smart_app_launch/token_refresh_test.rb
 - lib/smart_app_launch/token_response_body_test.rb
 - lib/smart_app_launch/token_response_headers_test.rb
+- lib/smart_app_launch/version.rb
 - lib/smart_app_launch_test_kit.rb
-homepage: https://github.com/inferno_community/smart-app-launch-test-kit
+homepage: https://github.com/inferno_framework/smart-app-launch-test-kit
 licenses:
 - Apache-2.0
 metadata:
-  homepage_uri: https://github.com/inferno_community/smart-app-launch-test-kit
-  source_code_uri: https://github.com/inferno_community/smart-app-launch-test-kit
+  homepage_uri: https://github.com/inferno_framework/smart-app-launch-test-kit
+  source_code_uri: https://github.com/inferno_framework/smart-app-launch-test-kit
 post_install_message:
 rdoc_options: []
 require_paths: