smart_app_launch_test_kit 0.2.2 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 99071ac48c50bc9184c429d8ac6d6a82c257a62b543b0300ffce76bb5428cd3e
-  data.tar.gz: 96ab8b622c5bcdbb803f38bb3fac3b954e09ed509ca50eb498fcb33a6f8a50a5
+  metadata.gz: 60325a0cc4d2866edb260627b289e76676d0847bd2e28523556f39170d424dac
+  data.tar.gz: dd887ba5a645f71f16e9f2269886628ca5911d57c79e3d03699582d6ae810b7f
 SHA512:
-  metadata.gz: 5ecbf51ed63307f358311b3e14b63827a1653a0697f79b3d85333577b72109eda60721cdf1a26acda174a0099df2ac3f710bb4371429789dab51744a23375915
-  data.tar.gz: d79ef7288453f232d1b4365dc271cabcc84436e94c8c5c0a02b7554521b16f05c0291eda15093a118fc8aa909577043ce5bb0ef0919c97d6abde81dcb6195bd5
+  metadata.gz: 16ee6a9963940d5ea882e894b5e1db23646c86a51e1f6dbe58868878c047708a581c0f353ba24d264a4c49cdc8f549f522afc40ee7bbd5127d89b0b9ac7f2e36
+  data.tar.gz: 022f7b43c590f419638e23614a84dc0c5d106b87bbef38dd6d4b2e71650b58bf86db59bd6bb231c04280a0274e105b6486601fb41fa3749485ddfd534a15beb4

data/lib/smart_app_launch/app_redirect_test.rb

@@ -75,7 +75,7 @@ module SMARTAppLaunch
     def authorization_url_builder(url, params)
       uri = URI(url)
 
-      # because the URL might have paramters on it
+      # because the URL might have parameters on it
       original_parameters = Hash[URI.decode_www_form(uri.query || '')]
       new_params = original_parameters.merge(params)
 
@@ -126,6 +126,8 @@ module SMARTAppLaunch
         oauth2_params
       )
 
+      info("Inferno redirecting browser to #{authorization_url}.")
+
       wait(
         identifier: state,
         message: wait_message(authorization_url)

data/lib/smart_app_launch/app_redirect_test_stu2.rb

@@ -16,7 +16,7 @@ module SMARTAppLaunch
     )
 
     input :authorization_method,
-          title: 'Authorization Method',
+          title: 'Authorization Request Method',
           type: 'radio',
           default: 'get',
           options: {

data/lib/smart_app_launch/client_assertion_builder.rb

@@ -0,0 +1,63 @@
+require 'jwt'
+
+require_relative 'jwks'
+
+module SMARTAppLaunch
+  class ClientAssertionBuilder
+    def self.build(...)
+      new(...).client_assertion
+    end
+
+    attr_reader :aud,
+                :client_assertion_type,
+                :content_type,
+                :client_auth_encryption_method,
+                :exp,
+                :grant_type,
+                :iss,
+                :jti,
+                :sub
+
+    def initialize(
+      client_auth_encryption_method:,
+      iss:,
+      sub:,
+      aud:,
+      exp: 5.minutes.from_now.to_i,
+      jti: SecureRandom.hex(32)
+    )
+      @client_auth_encryption_method = client_auth_encryption_method
+      @iss = iss
+      @sub = sub
+      @aud = aud
+      @content_type = content_type
+      @grant_type = grant_type
+      @client_assertion_type = client_assertion_type
+      @exp = exp
+      @jti = jti
+    end
+
+    def private_key
+      @private_key ||=
+        JWKS.jwks
+          .find { |key| key[:key_ops]&.include?('sign') && key[:alg] == client_auth_encryption_method }
+    end
+
+    def jwt_payload
+      { iss:, sub:, aud:, exp:, jti: }.compact
+    end
+
+    def kid
+      private_key.kid
+    end
+
+    def signing_key
+      private_key.signing_key
+    end
+
+    def client_assertion
+      @client_assertion ||=
+        JWT.encode jwt_payload, signing_key, client_auth_encryption_method, { alg: client_auth_encryption_method, kid:, typ: 'JWT' }
+    end
+  end
+end

data/lib/smart_app_launch/ehr_launch_group.rb

@@ -48,7 +48,8 @@ module SMARTAppLaunch
         client_secret: {
           name: :ehr_client_secret,
           title: 'EHR Launch Client Secret',
-          description: 'Client Secret provided during registration of Inferno as an EHR launch application'
+          description: 'Client Secret provided during registration of Inferno as an EHR launch application. ' \
+                       'Only for clients using confidential symmetric authentication.'
         },
         requested_scopes: {
           name: :ehr_requested_scopes,

data/lib/smart_app_launch/ehr_launch_group_stu2.rb

@@ -1,5 +1,6 @@
 require_relative 'app_redirect_test_stu2'
 require_relative 'ehr_launch_group'
+require_relative 'token_exchange_stu2_test'
 
 module SMARTAppLaunch
   class EHRLaunchGroupSTU2 < EHRLaunchGroup
@@ -52,5 +53,12 @@ module SMARTAppLaunch
 
     redirect_index = children.find_index { |child| child.id.to_s.end_with? 'app_redirect' }
     children[redirect_index] = children.pop
+
+    test from: :smart_token_exchange_stu2
+
+    token_exchange_index = children.find_index { |child| child.id.to_s.end_with? 'token_exchange' }
+    children[token_exchange_index] = children.pop
+
+    children[token_exchange_index].id(:smart_token_exchange)
   end
 end

data/lib/smart_app_launch/jwks.rb

@@ -0,0 +1,27 @@
+require 'jwt'
+
+module SMARTAppLaunch
+  class JWKS
+    class << self
+      def jwks_json
+        @jwks_json ||=
+          JSON.pretty_generate(
+            { keys: jwks.export[:keys].select { |key| key[:key_ops]&.include?('verify') } }
+          )
+      end
+
+      def default_jwks_path
+        @default_jwks_path ||= File.join(__dir__, 'smart_jwks.json')
+      end
+
+      def jwks_path
+        @jwks_path ||=
+          ENV.fetch('SMART_JWKS_PATH', default_jwks_path)
+      end
+
+      def jwks
+        @jwks ||= JWT::JWK::Set.new(JSON.parse(File.read(jwks_path)))
+      end
+    end
+  end
+end

data/lib/smart_app_launch/smart_jwks.json

@@ -0,0 +1,58 @@
+{
+	"keys": 
+	[{
+		"kty": "EC",
+		"crv": "P-384",
+		"x": "JQKTsV6PT5Szf4QtDA1qrs0EJ1pbimQmM2SKvzOlIAqlph3h1OHmZ2i7MXahIF2C",
+		"y": "bRWWQRJBgDa6CTgwofYrHjVGcO-A7WNEnu4oJA5OUJPPPpczgx1g2NsfinK-D2Rw",
+		"use": "sig",
+		"key_ops": [
+			"verify"
+		],
+		"ext": true,
+		"kid": "4b49a739d1eb115b3225f4cf9beb6d1b",
+		"alg": "ES384"
+	},
+	{
+		"kty": "EC",
+		"crv": "P-384",
+		"d": "kDkn55p7gryKk2tj6z2ij7ExUnhi0ngxXosvqa73y7epwgthFqaJwApmiXXU2yhK",
+		"x": "JQKTsV6PT5Szf4QtDA1qrs0EJ1pbimQmM2SKvzOlIAqlph3h1OHmZ2i7MXahIF2C",
+		"y": "bRWWQRJBgDa6CTgwofYrHjVGcO-A7WNEnu4oJA5OUJPPPpczgx1g2NsfinK-D2Rw",
+		"key_ops": [
+			"sign"
+		],
+		"ext": true,
+		"kid": "4b49a739d1eb115b3225f4cf9beb6d1b",
+		"alg": "ES384"
+	},
+	{
+		"kty": "RSA",
+		"alg": "RS384",
+		"n": "vjbIzTqiY8K8zApeNng5ekNNIxJfXAue9BjoMrZ9Qy9m7yIA-tf6muEupEXWhq70tC7vIGLqJJ4O8m7yiH8H2qklX2mCAMg3xG3nbykY2X7JXtW9P8VIdG0sAMt5aZQnUGCgSS3n0qaooGn2LUlTGIR88Qi-4Nrao9_3Ki3UCiICeCiAE224jGCg0OlQU6qj2gEB3o-DWJFlG_dz1y-Mxo5ivaeM0vWuodjDrp-aiabJcSF_dx26sdC9dZdBKXFDq0t19I9S9AyGpGDJwzGRtWHY6LsskNHLvo8Zb5AsJ9eRZKpnh30SYBZI9WHtzU85M9WQqdScR69Vyp-6Uhfbvw",
+		"e": "AQAB",
+		"use": "sig",
+		"key_ops": [
+			"verify"
+		],
+		"ext": true,
+		"kid": "b41528b6f37a9500edb8a905a595bdd7"
+	},
+	{
+		"kty": "RSA",
+		"alg": "RS384",
+		"n": "vjbIzTqiY8K8zApeNng5ekNNIxJfXAue9BjoMrZ9Qy9m7yIA-tf6muEupEXWhq70tC7vIGLqJJ4O8m7yiH8H2qklX2mCAMg3xG3nbykY2X7JXtW9P8VIdG0sAMt5aZQnUGCgSS3n0qaooGn2LUlTGIR88Qi-4Nrao9_3Ki3UCiICeCiAE224jGCg0OlQU6qj2gEB3o-DWJFlG_dz1y-Mxo5ivaeM0vWuodjDrp-aiabJcSF_dx26sdC9dZdBKXFDq0t19I9S9AyGpGDJwzGRtWHY6LsskNHLvo8Zb5AsJ9eRZKpnh30SYBZI9WHtzU85M9WQqdScR69Vyp-6Uhfbvw",
+		"e": "AQAB",
+		"d": "rriV9GYimi5by7TOW4xNh6_gYBHVRDBsft2OFF8qapdVHt2GNuRDDxc_B6ga6TY2Enh2MLKLTr1dD3W4FIdTCJiMerrorp07FJS7nJEMgWQDxrfgkX4_EqrhW42L5d4vypYnRXEEW6u4gzkx5uFOkdvJBIK7CsIdSaBFYhochnynNgvbKWasi4rl2hayEH8tdf3B7Z6OIH9alspBTaq3j_zJt_KkrpYEzIUb4UgALB5NTWn5YKr0Avk_asOg8YfjViQwO9ASGaWjQeJ2Rx8OEQwBMQHSDMCSWNiWmYOu9PcwSZFc1vLxqzyIM8QrQSJHCCMo_wGYgke_r0CLeONHEQ",
+		"p": "5hH_QApWGeobRi1n7XbMfJYohB8K3JDPa0MspfplHpJ-17JiGG2sNoBdBcpaPRf9OX48P8VqO0qrSSRAk-I-uO6OO9BHbIukXJILqnY2JmurYzbcYbt5FVbknlHRJojkF6-7sFBazpueUlOnXCw7X7Z_SkfNE4QX5Ejm2Zm5mek",
+		"q": "06bZz7c7K9s1-aEZsxYnLJ9eTpKlt1tIBDA_LwIh5W3w259pes2kUtimbnkyOf-V2ZIERsFCh5s-S9IOEMvAIa6M5j9GW1ILNT7AcHIUfcyFcH-FF8BU_KJdRP5PXnIXFdYcylvsdoIdchy1AaUIzyiKRCU3HBYI75hez0l_F2c",
+		"dp": "h_sVIXW6hCCRND48EedIX06k7conMkxIu_39ErDXOWWeoMAnKIcR5TijQnviL__QxD1vQMXezuKIMHfDz2RGbClbWdD1lhtG7wvG515tDPJQXxia0wzqOQmdoFF9S8hXAAT26vPjaAAkaEZXQaxG_4Au5elgNWu6b0wDXZN1Vpk",
+		"dq": "GqS0YpuUTU8JGmWXUJ4HTGy7eHSpe8134V8ZdRd1oOYYHe2RX64nc25mdR24nuh3uq3Q7_9AGsYGL5E_yAl-JD9O6WUpvDE1y_wcSYty3Os0GRdUb8r8Z9kgmKDS6Pa_xTXw5eBwgfKbNlQ6zPwzgbB-x1lP-K8lbNPni3ybDR0",
+		"qi": "cqQfoi0sM5Su8ZOhznmdWrDIQB28H6fBKiabgaIKkbWZV4e0nwFvLquHjPOvv4Ao8iEGU5dyhvg0n5BKYPi-4mp6M6OA1sy0NrTr7EsKSYGyu2pBq9rw4oAYTM2LXKg6K-awgUUlkc451IwxHBAe15PWCBM3kvLQeijNid0Vz5I",
+		"key_ops": [
+			"sign"
+		],
+		"ext": true,
+		"kid": "b41528b6f37a9500edb8a905a595bdd7"
+	}]
+}

data/lib/smart_app_launch/smart_stu1_suite.rb

@@ -1,5 +1,6 @@
 require 'tls_test_kit'
 
+require_relative 'jwks'
 require_relative 'version'
 require_relative 'discovery_stu1_group'
 require_relative 'standalone_launch_group'
@@ -21,15 +22,39 @@ module SMARTAppLaunch
       request.query_parameters['state']
     end
 
+    route(
+      :get,
+      '/.well-known/jwks.json',
+      ->(_env) { [200, { 'Content-Type' => 'application/json' }, [JWKS.jwks_json]] }
+    )
+
     config options: {
       redirect_uri: "#{Inferno::Application['base_url']}/custom/smart/redirect",
       launch_uri: "#{Inferno::Application['base_url']}/custom/smart/launch"
     }
 
+    description <<~DESCRIPTION
+      The SMART App Launch Test Suite verifies that systems correctly implement 
+      the [SMART App Launch IG](http://hl7.org/fhir/smart-app-launch/1.0.0/) 
+      for providing authorization and/or authentication services to client 
+      applications accessing HL7® FHIR® APIs. To get started, please first register 
+      the Inferno client as a SMART App with the following information:
+
+      * SMART Launch URI: `#{config.options[:launch_uri]}`
+      * OAuth Redirect URI: `#{config.options[:redirect_uri]}`
+    DESCRIPTION
+
     group do
       title 'Standalone Launch'
       id :smart_full_standalone_launch
 
+      input_instructions <<~INSTRUCTIONS
+        Please register the Inferno client as a SMART App with the following
+        information:
+
+        * OAuth Redirect URI: `#{config.options[:redirect_uri]}`
+      INSTRUCTIONS
+
       run_as_group
 
       group from: :smart_discovery
@@ -92,6 +117,14 @@ module SMARTAppLaunch
       title 'EHR Launch'
       id :smart_full_ehr_launch
 
+      input_instructions <<~INSTRUCTIONS
+        Please register the Inferno client as a SMART App with the following
+        information:
+
+        * SMART Launch URI: `#{config.options[:launch_uri]}`
+        * OAuth Redirect URI: `#{config.options[:redirect_uri]}`
+      INSTRUCTIONS
+
       run_as_group
 
       group from: :smart_discovery

data/lib/smart_app_launch/smart_stu2_suite.rb

@@ -1,10 +1,12 @@
 require 'tls_test_kit'
 
+require_relative 'jwks'
 require_relative 'version'
 require_relative 'discovery_stu2_group'
 require_relative 'standalone_launch_group_stu2'
 require_relative 'ehr_launch_group_stu2'
 require_relative 'openid_connect_group'
+require_relative 'token_introspection_group'
 require_relative 'token_refresh_group'
 
 module SMARTAppLaunch
@@ -21,6 +23,12 @@ module SMARTAppLaunch
       request.query_parameters['state']
     end
 
+    route(
+      :get,
+      '/.well-known/jwks.json',
+      ->(_env) { [200, { 'Content-Type' => 'application/json' }, [JWKS.jwks_json]] }
+    )
+
     @post_auth_page = File.read(File.join(__dir__, 'post_auth.html'))
     post_auth_handler = proc { [200, {}, [@post_auth_page]] }
 
@@ -32,10 +40,52 @@ module SMARTAppLaunch
       post_authorization_uri: "#{Inferno::Application['base_url']}/custom/smart_stu2/post_auth"
     }
 
+    description <<~DESCRIPTION
+      The SMART App Launch Test Suite verifies that systems correctly implement 
+      the [SMART App Launch IG](http://hl7.org/fhir/smart-app-launch/STU2/) 
+      for providing authorization and/or authentication services to client 
+      applications accessing HL7® FHIR® APIs. To get started, please first register 
+      the Inferno client as a SMART App with the following information:
+
+      * SMART Launch URI: `#{config.options[:launch_uri]}`
+      * OAuth Redirect URI: `#{config.options[:redirect_uri]}`
+
+      If using asymmetric client authentication, register Inferno with the
+      following JWK Set URL:
+
+      * `#{Inferno::Application[:base_url]}/custom/smart_stu2/.well-known/jwks.json`
+    DESCRIPTION
+
+    input_instructions %(
+      When running tests at this level, the token introspection endpoint is not available as a manual input.
+      Instead, group 3 Token Introspection will assume the token introspection endpoint 
+      will be output from group 1 Standalone Launch tests, specifically the SMART On FHIR Discovery tests that query
+      the .well-known/smart-configuration endpoint. However, including the token introspection
+      endpoint as part of the well-known ouput is NOT required and is not formally checked in the SMART On FHIR Discovery
+      tests.  RFC-7662 on Token Introspection says that "The means by which the protected resource discovers the location of the introspection
+      endpoint are outside the scope of this specification" and the Token Introspection IG does not add any further
+      requirements to this.  
+
+      If the token introspection endpoint of the system under test is NOT available at .well-known/smart-configuration, 
+      please run the test groups individually and group 3 Token Introspection will include the introspection endpoint as a manual input.  
+    )
+
     group do
       title 'Standalone Launch'
       id :smart_full_standalone_launch
 
+      input_instructions <<~INSTRUCTIONS
+        Please register the Inferno client as a SMART App with the following
+        information:
+
+        * OAuth Redirect URI: `#{config.options[:redirect_uri]}`
+
+        If using asymmetric client authentication, register Inferno with the
+        following JWK Set URL:
+
+        * `#{Inferno::Application[:base_url]}/custom/smart_stu2/.well-known/jwks.json`
+      INSTRUCTIONS
+
       run_as_group
 
       group from: :smart_discovery_stu2
@@ -98,6 +148,19 @@ module SMARTAppLaunch
       title 'EHR Launch'
       id :smart_full_ehr_launch
 
+      input_instructions <<~INSTRUCTIONS
+        Please register the Inferno client as a SMART App with the following
+        information:
+
+        * SMART Launch URI: `#{config.options[:launch_uri]}`
+        * OAuth Redirect URI: `#{config.options[:redirect_uri]}`
+
+        If using asymmetric client authentication, register Inferno with the
+        following JWK Set URL:
+
+        * `#{Inferno::Application[:base_url]}/custom/smart_stu2/.well-known/jwks.json`
+      INSTRUCTIONS
+
       run_as_group
 
       group from: :smart_discovery_stu2
@@ -156,5 +219,8 @@ module SMARTAppLaunch
               }
             }
     end
+
+    group from: :smart_token_introspection
+
   end
 end

data/lib/smart_app_launch/standalone_launch_group.rb

@@ -44,7 +44,8 @@ module SMARTAppLaunch
         client_secret: {
           name: :standalone_client_secret,
           title: 'Standalone Client Secret',
-          description: 'Client Secret provided during registration of Inferno as a standalone application'
+          description: 'Client Secret provided during registration of Inferno as a standalone application. ' \
+                       'Only for clients using confidential symmetric authentication.'
         },
         requested_scopes: {
           name: :standalone_requested_scopes,

data/lib/smart_app_launch/standalone_launch_group_stu2.rb

@@ -1,4 +1,5 @@
 require_relative 'app_redirect_test_stu2'
+require_relative 'token_exchange_stu2_test'
 require_relative 'standalone_launch_group'
 
 module SMARTAppLaunch
@@ -48,5 +49,12 @@ module SMARTAppLaunch
 
     redirect_index = children.find_index { |child| child.id.to_s.end_with? 'app_redirect' }
     children[redirect_index] = children.pop
+
+    test from: :smart_token_exchange_stu2
+
+    token_exchange_index = children.find_index { |child| child.id.to_s.end_with? 'token_exchange' }
+    children[token_exchange_index] = children.pop
+
+    children[token_exchange_index].id('smart_token_exchange')
   end
 end

data/lib/smart_app_launch/token_exchange_stu2_test.rb

@@ -0,0 +1,92 @@
+require_relative 'client_assertion_builder'
+require_relative 'token_exchange_test'
+
+module SMARTAppLaunch
+  class TokenExchangeSTU2Test < TokenExchangeTest
+    title 'OAuth token exchange request succeeds when supplied correct information'
+    description %(
+      After obtaining an authorization code, the app trades the code for an
+      access token via HTTP POST to the EHR authorization server's token
+      endpoint URL, using content-type application/x-www-form-urlencoded, as
+      described in section [4.1.3 of
+      RFC6749](https://tools.ietf.org/html/rfc6749#section-4.1.3).
+    )
+    id :smart_token_exchange_stu2
+
+    input :client_auth_encryption_method,
+          title: 'Encryption Method (Confidential Asymmetric Client Auth Only)',
+          type: 'radio',
+          default: 'ES384',
+          options: {
+            list_options: [
+              {
+                label: 'ES384',
+                value: 'ES384'
+              },
+              {
+                label: 'RS384',
+                value: 'RS384'
+              }
+            ]
+          }
+
+    input :client_auth_type,
+          title: 'Client Authentication Method',
+          type: 'radio',
+          default: 'public',
+          options: {
+            list_options: [
+              {
+                label: 'Public',
+                value: 'public'
+              },
+              {
+                label: 'Confidential Symmetric',
+                value: 'confidential_symmetric'
+              },
+              {
+                label: 'Confidential Asymmetric',
+                value: 'confidential_asymmetric'
+              }
+            ]
+          }
+
+    config(
+      inputs: {
+        use_pkce: {
+          default: 'true',
+          options: {
+            list_options: [
+              {
+                label: 'Enabled',
+                value: 'true'
+              }
+            ]
+          }
+        }
+      }
+    )
+
+    def add_credentials_to_request(oauth2_params, oauth2_headers)
+      if client_auth_type == 'confidential_symmetric'
+        assert client_secret.present?,
+               "A client secret must be provided when using confidential symmetric client authentication."
+
+        client_credentials = "#{client_id}:#{client_secret}"
+        oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
+      elsif client_auth_type == 'public'
+        oauth2_params[:client_id] = client_id
+      else
+        oauth2_params.merge!(
+          client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+          client_assertion: ClientAssertionBuilder.build(
+            iss: client_id,
+            sub: client_id,
+            aud: smart_token_url,
+            client_auth_encryption_method: client_auth_encryption_method
+          )
+        )
+      end
+    end
+  end
+end

data/lib/smart_app_launch/token_exchange_test.rb

@@ -38,22 +38,26 @@ module SMARTAppLaunch
 
     config options: { redirect_uri: "#{Inferno::Application['base_url']}/custom/smart/redirect" }
 
+    def add_credentials_to_request(oauth2_params, oauth2_headers)
+      if client_secret.present?
+        client_credentials = "#{client_id}:#{client_secret}"
+        oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
+      else
+        oauth2_params[:client_id] = client_id
+      end
+    end
+
     run do
       skip_if request.query_parameters['error'].present?, 'Error during authorization request'
 
       oauth2_params = {
-        grant_type: 'authorization_code',
         code: code,
-        redirect_uri: config.options[:redirect_uri]
+        redirect_uri: config.options[:redirect_uri],
+        grant_type: 'authorization_code'
       }
       oauth2_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }
 
-      if client_secret.present?
-        client_credentials = "#{client_id}:#{client_secret}"
-        oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
-      else
-        oauth2_params[:client_id] = client_id
-      end
+      add_credentials_to_request(oauth2_params, oauth2_headers)
 
       if use_pkce == 'true'
         oauth2_params[:code_verifier] = pkce_code_verifier
@@ -67,6 +71,8 @@ module SMARTAppLaunch
       output token_retrieval_time: Time.now.iso8601
 
       token_response_body = JSON.parse(request.response_body)
+
+
       output smart_credentials: {
                refresh_token: token_response_body['refresh_token'],
                access_token: token_response_body['access_token'],
@@ -76,6 +82,7 @@ module SMARTAppLaunch
                token_retrieval_time: token_retrieval_time,
                token_url: smart_token_url
              }.to_json
+      
     end
   end
 end

data/lib/smart_app_launch/token_introspection_access_token_group.rb

@@ -0,0 +1,26 @@
+require_relative 'standalone_launch_group_stu2'
+
+module SMARTAppLaunch
+  class SMARTTokenIntrospectionAccessTokenGroup < Inferno::TestGroup
+    title 'Request New Access Token to Introspect'
+    run_as_group
+
+    id :smart_token_introspection_access_token_group
+
+    description %(
+      These tests are repeated from the Standalone Launch tests in order to receive a new, active access token that
+      will be provided for token introspection. This test group may be skipped if the tester can obtain an access token
+      __and__ the contents of the access token response body by some other means.
+
+      These tests are currently designed such that the token introspection URL must be present in the SMART well-known endpoint.
+
+    )
+    
+    input_instructions %(
+      Register Inferno as a Standalone SMART App and provide the registration details below.
+    )
+    
+    group from: :smart_discovery_stu2
+    group from: :smart_standalone_launch_stu2
+  end
+end

data/lib/smart_app_launch/token_introspection_group.rb

@@ -0,0 +1,69 @@
+require_relative 'token_introspection_access_token_group'
+require_relative 'token_introspection_response_group'
+require_relative 'token_introspection_request_group'
+
+module SMARTAppLaunch
+  class SMARTTokenIntrospectionGroup < Inferno::TestGroup
+    title 'Token Introspection'
+    id :smart_token_introspection
+    description %(
+      # Background
+
+      OAuth 2.0 Token introspection, as described in [RFC-7662](https://datatracker.ietf.org/doc/html/rfc7662), allows
+      an authorized resource server to query an OAuth 2.0 authorization server for metadata on a token.  The
+      [SMART App Launch STU2 Implementation Guide Section on Token Introspection](https://hl7.org/fhir/smart-app-launch/STU2/token-introspection.html)
+      states that "SMART on FHIR EHRs SHOULD support token introspection, which allows a broader ecosystem of resource servers
+      to leverage authorization decisions managed by a single authorization server."
+
+      # Test Methodology
+
+      In these tests, Inferno acts as an authorized resource server that queries the authorization server about an access
+      token, rather than a client to a FHIR resource server as in the previous SMART App Launch tests.
+      Ideally, Inferno should be registered with the authorization server as an authorized resource server
+      capable of accessing the token introspection endpoint through client credentials, per the SMART IG recommendations.
+      However, the SMART IG only formally REQUIRES "some form of authorization" to access
+      the token introspection endpoint and does not specifiy any one specific approach.  As such, the token introspection tests are
+      broken up into three groups that each complete a discrete step in the token introspection process:
+
+      1. **Request Access Token Group** - optional but recommended, repeats a subset of Standalone Launch tests
+        in order to receive a new access token with an authorization code grant.  If skipped, testers will need to
+          obtain an access token out-of-band and manually provide values from the access token response as inputs to
+          the Validate Token Response group.
+      2. **Issue Token Introspection Request Group** - optional but recommended, completes the introspection requests.
+      If skipped, testers will need to complete an introspection request out-of-band and manually provide the introspection
+      responses as inputs to the Validate Token Response group.
+      3. **Validate Token Introspection Response Group** - required, validates the contents of the introspection responses.
+
+      Running all three test groups in order is the simplest and is highly recommended if the environment under test
+      can support it, as outputs from one group will feed the inputs of the next group. However, test groups can be run
+      independently if needed.
+
+      See the individual test groups for more details and guidance.
+    )
+    group from: :smart_token_introspection_access_token_group
+    group from: :smart_token_introspection_request_group
+    group from: :smart_token_introspection_response_group
+
+    input_order :url, :standalone_client_id, :standalone_client_secret,
+                :authorization_method, :use_pkce, :pkce_code_challenge_method,
+                :standalone_requested_scopes, :client_auth_encryption_method,
+                :client_auth_type, :custom_authorization_header,
+                :optional_introspection_request_params
+    input_instructions %(
+      Executing tests at this level will run all three Token Introspection groups back-to-back.  If test groups need
+      to be run independently, exit this window and select a specific test group instead.
+
+      These tests are currently designed such that the token introspection URL must be present in the SMART well-known endpoint.
+
+      If the introspection endpoint is protected, testers must enter their own HTTP Authorization header for the introspection request.  See
+      [RFC 7616 The 'Basic' HTTP Authentication Scheme](https://datatracker.ietf.org/doc/html/rfc7617) for the most common
+      approach that uses client credentials.  Testers may also provide any additional parameters needed for their authorization 
+      server to complete the introspection request.
+
+      **Note:** For both the Authorization header and request parameters, user-input
+      values will be sent exactly as entered and therefore the tester must
+      URI-encode any appropriate values.
+    )
+
+  end
+end

data/lib/smart_app_launch/token_introspection_request_group.rb

@@ -0,0 +1,122 @@
+require_relative 'token_exchange_test'
+require_relative 'token_refresh_body_test'
+require_relative 'well_known_endpoint_test'
+require_relative 'standalone_launch_group'
+
+module SMARTAppLaunch
+  class SMARTTokenIntrospectionRequestGroup < Inferno::TestGroup
+    title 'Issue Token Introspection Request'
+    run_as_group
+
+    id :smart_token_introspection_request_group
+    description %(
+      This group of tests executes the token introspection requests and ensures the correct HTTP response is returned
+      but does not validate the contents of the token introspection response. 
+
+      If Inferno cannot reasonably be configured to be authorized to access the token introspection endpoint, these tests 
+      can be skipped.  Instead, an out-of-band token introspection request must be completed and the response body
+      manually provided as input for the Validate Introspection Response test group.
+      )
+
+    input_instructions %(
+      If the Request New Access Token group was executed, the access token input will auto-populate with that token. 
+      Otherwise an active access token needs to be obtained out-of-band and input.  
+        
+      Per [RFC-7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2), "the definition of an active token is 
+      currently dependent upon the authorization server, but this is commonly a token that has been issued by this 
+      authorization server, is not expired, has not been revoked, and is valid for use at the protected resource making 
+      the introspection call."
+
+      If the introspection endpoint is protected, testers must enter their own HTTP Authorization header for the introspection request.  See
+      [RFC 7616 The 'Basic' HTTP Authentication Scheme](https://datatracker.ietf.org/doc/html/rfc7617) for the most common
+      approach that uses client credentials.  Testers may also provide any additional parameters needed for their authorization 
+      server to complete the introspection request.
+
+      **Note:** For both the Authorization header and request parameters, user-input
+      values will be sent exactly as entered and therefore the tester must URI-encode any appropriate values.
+    )
+
+    input :well_known_introspection_url, 
+          title: 'Token Introspection Endpoint URL', 
+          description: 'The complete URL of the token introspection endpoint.'
+
+    input :custom_authorization_header,
+          title: 'HTTP Authorization Header for Introspection Request',
+          type: 'textarea',
+          optional: true,
+          description: %(
+            Include header name, auth scheme, and auth parameters.
+            Ex: 'Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW' 
+            )
+
+    input :optional_introspection_request_params,
+          title: 'Additional Introspection Request Parameters',
+          type: 'textarea',
+          optional: true,
+          description: %(
+            Any additional parameters to append to the request body, separated by &. Example: 'param1=abc&param2=def'  
+          )
+
+    test do
+      title 'Token introspection endpoint returns a response when provided an active token'
+      description %(
+      This test will execute a token introspection request for an active token and ensure a 200 status and valid JSON
+      body are returned in the response. 
+      )
+
+      input :standalone_access_token, 
+            title: 'Access Token',
+            description: 'The access token to be introspected. MUST be active.'
+
+
+      output :active_token_introspection_response_body
+
+      run do
+
+        # If this is being chained from an earlier test, it might be blank if not present in the well-known endpoint
+        skip_if well_known_introspection_url.nil?, 'No introspection URL present in SMART well-known endpoint.'
+
+        headers = {'Accept' => 'application/json', 'Content-Type' => 'application/x-www-form-urlencoded'}
+        body = "token=#{standalone_access_token}"
+
+        if custom_authorization_header.present?
+          parsed_header = custom_authorization_header.split(':', 2)
+          assert parsed_header.length == 2, "Incorrect custom HTTP header format input, expected: '<header name>: <header value>'"
+          headers[parsed_header[0]] = parsed_header[1].strip
+        end
+
+        if optional_introspection_request_params.present?
+          body += "&#{optional_introspection_request_params}"
+        end
+
+        post(well_known_introspection_url, body: body, headers: headers)
+
+        assert_response_status(200)
+        output active_token_introspection_response_body: request.response_body
+      end
+    
+    end
+
+    test do 
+      title 'Token introspection endpoint returns a response when provided an invalid token'
+      description %(
+        This test will execute a token introspection request for an invalid token and ensure a 200 status and valid JSON
+        body are returned in response. 
+      )
+
+      output :invalid_token_introspection_response_body
+      run do
+
+        # If this is being chained from an earlier test, it might be blank if not present in the well-known endpoint
+        skip_if well_known_introspection_url.nil?, 'No introspection URL present in SMART well-known endpoint.'
+
+        headers = {'Accept' => 'application/json', 'Content-Type' => 'application/x-www-form-urlencoded'}
+        body = "token=invalid_token_value"
+        post(well_known_introspection_url, body: body, headers: headers)
+        
+        assert_response_status(200)
+        output invalid_token_introspection_response_body: request.response_body
+      end
+    end
+  end
+end

data/lib/smart_app_launch/token_introspection_response_group.rb

@@ -0,0 +1,191 @@
+require_relative 'token_introspection_request_group'
+require_relative 'token_exchange_test'
+
+module SMARTAppLaunch
+  class SMARTTokenIntrospectionResponseGroup < Inferno::TestGroup
+    title 'Validate Token Introspection Response'
+    run_as_group
+
+    id :smart_token_introspection_response_group
+    description %(
+      This group of tests validates the contents of the token introspection response by comparing the fields and/or
+      values in the token introspection response to the fields and/or values of the original access token response
+      in which the access token was given to the client.
+      )
+
+      input_instructions %(
+        There are two categories of input for this test group: 
+
+        1. The access token response values, which will dictate what the tests will expect to find in the token
+        introspection response.  If the Request New Access Token group was run, these inputs will auto-populate.
+        
+        2. The token introspection response bodies. If the Issue Introspection Request test group was run, these will
+        auto-populate; otherwise, the tester will need to an run out-of-band INTROSPECTION requests for a. An ACTIVE
+        access token, AND b. An INACTIVE OR INVALID token
+
+        See [RFC-7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2) for details on active vs inactive tokens.
+      )
+      
+    test do 
+      title 'Token introspection response for an active token contains required fields'
+
+      description %(
+        This test will check whether the metadata in the token introspection response is correct for an active token and
+        that the response data matches the data in the original access token and/or access token response from the
+        authorization server, including the following:
+
+        Required:
+        * `active` claim is set to true
+        * `scope`, `client_id`, and `exp` claim(s) match between introspection response and access token
+
+        It is not possible to know what the expected value for `exp` is in advance, so Inferno tests that the claim is
+        present and represents a time greater than or equal to 10 minutes in the past. 
+
+        Conditionally Required:
+        * IF launch context parameter(s) included in access token, introspection response includes claim(s) for 
+        launch context parameter(s) 
+          * Parameters checked for are `patient` and `encounter`
+        * IF identity token was included as part of access token response, `iss` and `sub` claims are present in the
+        introspection response and match those of the orignal ID token
+
+        Optional but Recommended:
+        * IF identity token was included as part of access token response, `fhirUser` claim SHOULD be present in 
+        introspection response and should match the claim in the ID token
+      )
+
+      input :standalone_client_id,
+            title: 'Access Token client_id',
+            description: 'ID of the client that requested the access token being introspected'
+
+
+      input :standalone_received_scopes,
+            title: 'Expected Introspection Response Value: scope',
+            description: 'A space-separated list of scopes from the original access token response body'
+      
+      input :standalone_id_token,
+            title: 'Access Token Response: id_token',
+            type: 'textarea',
+            optional: true,
+            description: 'The ID token from the original access token response body, IF it was present'
+
+      input :standalone_patient_id,
+            title: 'Expected Introspection Response for Patient Launch Context Parameter',
+            optional: true,
+            description: 'The value for patient launch context from the original access token response body, IF it was present'
+
+      input :standalone_encounter_id,
+            title: 'Expected Introspection Response for Encounter Launch Context Parameter',
+            optional: true,
+            description: 'The value for encounter launch context from the original access token response body, IF it was present'
+
+      input :active_token_introspection_response_body,
+            title: 'Active Token Introspection Response Body',
+            type: 'textarea',
+            description: 'The JSON body of the token introspection response when provided an ACTIVE token'
+
+      def get_json_claim_value(json_response, claim_key)
+        claim_value = json_response[claim_key]
+        assert claim_value != nil, "Failure: introspection response has no claim for '#{claim_key}'"
+        return claim_value
+      end
+      
+      def assert_introspection_response_match(json_response, claim_key, expected_value)
+        expected_value = expected_value.strip
+        claim_value = get_json_claim_value(json_response, claim_key)
+        claim_value = claim_value.strip
+        assert claim_value.eql?(expected_value), 
+            "Failure: expected introspection response value for '#{claim_key}' to match expected value '#{expected_value}'"
+      end
+
+      run do
+        skip_if active_token_introspection_response_body.nil?, 'No introspection response available to validate.'
+        assert_valid_json(active_token_introspection_response_body)
+        active_introspection_response_body_parsed = JSON.parse(active_token_introspection_response_body)
+
+        # Required Fields
+        assert active_introspection_response_body_parsed['active'] == true, "Failure: expected introspection response for 'active' to be Boolean value true for valid token"
+        assert_introspection_response_match(active_introspection_response_body_parsed, 'client_id', standalone_client_id)
+
+        response_scope_value = get_json_claim_value(active_introspection_response_body_parsed, 'scope')
+
+        # splitting contents and comparing values allows a scope lists with the same contents but different orders to still pass
+        response_scopes_split = response_scope_value.split()
+        expected_scopes_split = standalone_received_scopes.split()
+
+        assert response_scopes_split.length() == expected_scopes_split.length(), 
+          "Failure: number of scopes in introspection response, #{response_scopes_split.length()}, does not match number of scopes in access token response, #{expected_scopes_split.length()}"
+
+        expected_scopes_split.each do |scope|
+          assert response_scopes_split.include?(scope), "Failure: expected scope '#{scope}' not present in introspection response scopes"
+        end
+
+        # Cannot verify exact value for exp, so instead ensure its value represents a time >= 10 minutes in the past 
+        exp = active_introspection_response_body_parsed['exp']
+        assert exp != nil, "Failure: introspection response has no claim for 'exp'"
+        current_time = Time.now.to_i 
+        assert exp.to_i >= current_time - 600, "Failure: expired token, exp claim of #{exp} for active token is more than 10 minutes in the past"
+        
+        # Conditional fields
+        assert_introspection_response_match(active_introspection_response_body_parsed, 'patient', standalone_patient_id) if standalone_patient_id.present?
+        assert_introspection_response_match(active_introspection_response_body_parsed, 'encounter', standalone_encounter_id) if standalone_encounter_id.present?
+
+        # ID Token Fields
+        if standalone_id_token.present?
+          id_payload, id_header =
+          JWT.decode(
+            standalone_id_token,
+            nil,
+            false
+          )
+         
+          # Required fields if ID token present
+          id_token_iss = id_payload['iss']
+          id_token_sub = id_payload['sub']
+
+          assert id_token_iss != nil, "Failure: ID token from access token response does not have 'iss' claim"
+          assert id_token_sub != nil, "Failure: ID token from access token response does not have 'sub' claim"
+          assert_introspection_response_match(active_introspection_response_body_parsed, 'iss', id_token_iss)
+          assert_introspection_response_match(active_introspection_response_body_parsed, 'sub', id_token_sub)
+
+          # fhirUser not required but recommended
+          fhirUser_id_claim = id_payload['fhirUser']
+          fhirUser_intr_claim = active_introspection_response_body_parsed['fhirUser']
+
+          info do 
+            assert fhirUser_intr_claim != nil, "Introspection response SHOULD include claim for fhirUser because ID token present in access token response" if fhirUser_id_claim != nil
+            assert fhirUser_intr_claim.eql?(fhirUser_id_claim), "Introspection response claim for fhirUser SHOULD match value in ID token" if fhirUser_id_claim != nil
+          end
+        end
+      end
+    end
+
+    test do
+      title 'Token introspection response for an invalid token contains required fields'
+
+      description %(
+        From [RFC7662 OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2):
+        "If the introspection call is properly authorized but the token is not
+        active, does not exist on this server, or the protected resource is
+        not allowed to introspect this particular token, then the
+        authorization server MUST return an introspection response with the
+        "active" field set to "false".  Note that to avoid disclosing too
+        much of the authorization server's state to a third party, the
+        authorization server SHOULD NOT include any additional information
+        about an inactive token, including why the token is inactive."
+      )
+
+      input :invalid_token_introspection_response_body,
+            title: 'Invalid Token Introspection Response Body',
+            type: 'textarea',
+            description: 'The JSON body of the token introspection response when provided an INVALID token'
+
+      run do
+        skip_if invalid_token_introspection_response_body.nil?, 'No invalid introspection response available to validate.'
+        assert_valid_json(invalid_token_introspection_response_body)
+        invalid_token_introspection_response_body_parsed = JSON.parse(invalid_token_introspection_response_body)
+        assert invalid_token_introspection_response_body_parsed['active'] == false, "Failure: expected introspection response for 'active' to be Boolean value false for invalid token"
+        assert invalid_token_introspection_response_body_parsed.size == 1, "Failure: expected only 'active' field to be present in introspection response for invalid token"
+      end
+    end
+  end
+end

data/lib/smart_app_launch/token_payload_validation.rb

@@ -3,6 +3,69 @@ module SMARTAppLaunch
     STRING_FIELDS = ['access_token', 'token_type', 'scope', 'refresh_token'].freeze
     NUMERIC_FIELDS = ['expires_in'].freeze
 
+    # All resource types from DSTU3, STU3, R4, R4B, and R5
+    FHIR_RESOURCE_TYPES = [
+      "Account", "ActivityDefinition", "ActorDefinition",
+      "AdministrableProductDefinition", "AdverseEvent", "AllergyIntolerance",
+      "Appointment", "AppointmentResponse", "ArtifactAssessment", "AuditEvent",
+      "Basic", "Binary", "BiologicallyDerivedProduct",
+      "BiologicallyDerivedProductDispense", "BodySite", "BodyStructure",
+      "Bundle", "CapabilityStatement", "CarePlan", "CareTeam", "CatalogEntry",
+      "ChargeItem", "ChargeItemDefinition", "Citation", "Claim",
+      "ClaimResponse", "ClinicalImpression", "ClinicalUseDefinition",
+      "CodeSystem", "Communication", "CommunicationRequest",
+      "CompartmentDefinition", "Composition", "ConceptMap", "Condition",
+      "ConditionDefinition", "Conformance", "Consent", "Contract", "Coverage",
+      "CoverageEligibilityRequest", "CoverageEligibilityResponse",
+      "DataElement", "DetectedIssue", "Device", "DeviceAssociation",
+      "DeviceComponent", "DeviceDefinition", "DeviceDispense", "DeviceMetric",
+      "DeviceRequest", "DeviceUsage", "DeviceUseRequest", "DeviceUseStatement",
+      "DiagnosticOrder", "DiagnosticReport", "DocumentManifest",
+      "DocumentReference", "EffectEvidenceSynthesis", "EligibilityRequest",
+      "EligibilityResponse", "Encounter", "EncounterHistory", "Endpoint",
+      "EnrollmentRequest", "EnrollmentResponse", "EpisodeOfCare",
+      "EventDefinition", "Evidence", "EvidenceReport", "EvidenceVariable",
+      "ExampleScenario", "ExpansionProfile", "ExplanationOfBenefit",
+      "FamilyMemberHistory", "Flag", "FormularyItem", "GenomicStudy", "Goal",
+      "GraphDefinition", "Group", "GuidanceResponse", "HealthcareService",
+      "ImagingManifest", "ImagingObjectSelection", "ImagingSelection",
+      "ImagingStudy", "Immunization", "ImmunizationEvaluation",
+      "ImmunizationRecommendation", "ImplementationGuide", "Ingredient",
+      "InsurancePlan", "InventoryItem", "InventoryReport", "Invoice", "Library",
+      "Linkage", "List", "Location", "ManufacturedItemDefinition", "Measure",
+      "MeasureReport", "Media", "Medication", "MedicationAdministration",
+      "MedicationDispense", "MedicationKnowledge", "MedicationOrder",
+      "MedicationRequest", "MedicationStatement", "MedicinalProduct",
+      "MedicinalProductAuthorization", "MedicinalProductContraindication",
+      "MedicinalProductDefinition", "MedicinalProductIndication",
+      "MedicinalProductIngredient", "MedicinalProductInteraction",
+      "MedicinalProductManufactured", "MedicinalProductPackaged",
+      "MedicinalProductPharmaceutical", "MedicinalProductUndesirableEffect",
+      "MessageDefinition", "MessageHeader", "MolecularSequence", "NamingSystem",
+      "NutritionIntake", "NutritionOrder", "NutritionProduct", "Observation",
+      "ObservationDefinition", "OperationDefinition", "OperationOutcome",
+      "Order", "OrderResponse", "Organization", "OrganizationAffiliation",
+      "PackagedProductDefinition", "Patient", "PaymentNotice",
+      "PaymentReconciliation", "Permission", "Person", "PlanDefinition",
+      "Practitioner", "PractitionerRole", "Procedure", "ProcedureRequest",
+      "ProcessRequest", "ProcessResponse", "Provenance", "Questionnaire",
+      "QuestionnaireResponse", "ReferralRequest", "RegulatedAuthorization",
+      "RelatedPerson", "RequestGroup", "RequestOrchestration", "Requirements",
+      "ResearchDefinition", "ResearchElementDefinition", "ResearchStudy",
+      "ResearchSubject", "RiskAssessment", "RiskEvidenceSynthesis", "Schedule",
+      "SearchParameter", "Sequence", "ServiceDefinition", "ServiceRequest",
+      "Slot", "Specimen", "SpecimenDefinition", "StructureDefinition",
+      "StructureMap", "Subscription", "SubscriptionStatus", "SubscriptionTopic",
+      "Substance", "SubstanceDefinition", "SubstanceNucleicAcid",
+      "SubstancePolymer", "SubstanceProtein", "SubstanceReferenceInformation",
+      "SubstanceSourceMaterial", "SubstanceSpecification", "SupplyDelivery",
+      "SupplyRequest", "Task", "TerminologyCapabilities", "TestPlan",
+      "TestReport", "TestScript", "Transport", "ValueSet", "VerificationResult",
+      "VisionPrescription"
+    ].to_set.freeze
+
+    FHIR_ID_REGEX = /[A-Za-z0-9\-\.]{1,64}(\/_history\/[A-Za-z0-9\-\.]{1,64})?(#[A-Za-z0-9\-\.]{1,64})?/.freeze
+
     def validate_required_fields_present(body, required_fields)
       missing_fields = required_fields.select { |field| body[field].blank? }
       missing_fields_string = missing_fields.map { |field| "`#{field}`" }.join(', ')
@@ -49,5 +112,25 @@ module SMARTAppLaunch
                  "Expected `#{field}` to be a Numeric, but found #{body[field].class.name}"
         end
     end
+
+    def validate_fhir_context(fhir_context)
+      return if fhir_context.nil?
+
+      assert fhir_context.is_a?(Array), "`fhirContext` field is a #{fhir_context.class.name}, but should be an Array"
+
+      fhir_context.each do |reference|
+        assert reference.is_a?(String), "`#{reference.inspect}` is not a string"
+      end
+
+      fhir_context.each do |reference|
+        assert !reference.start_with?('http'), "`#{reference}` is not a relative reference"
+
+        resource_type, id = reference.split('/')
+        assert FHIR_RESOURCE_TYPES.include?(resource_type),
+               "`#{resource_type}` is not a valid FHIR resource type"
+
+        assert id.match?(FHIR_ID_REGEX), "`#{id}` is not a valid FHIR id"
+      end
+    end
   end
 end

data/lib/smart_app_launch/token_response_body_test.rb

@@ -11,6 +11,8 @@ module SMARTAppLaunch
       has been denied. `access_token`, `token_type`, and `scope` are required.
       `token_type` must be Bearer. `expires_in` is required for token
       refreshes.
+
+      The format of the optional `fhirContext` field is validated if present.
     )
     id :smart_token_response_body
 
@@ -48,6 +50,8 @@ module SMARTAppLaunch
       assert access_token.present?, 'Token response did not contain an access token'
       assert token_response_body['token_type']&.casecmp('Bearer')&.zero?,
              '`token_type` field must have a value of `Bearer`'
+
+      validate_fhir_context(token_response_body['fhirContext'])
     end
   end
 end

data/lib/smart_app_launch/version.rb

@@ -1,3 +1,3 @@
 module SMARTAppLaunch
-  VERSION = '0.2.2'.freeze
+  VERSION = '0.4.0'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: smart_app_launch_test_kit
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.4.0
 platform: ruby
 authors:
 - Stephen MacVicar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-03 00:00:00.000000000 Z
+date: 2023-12-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inferno_core
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
+        version: '2.6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
+        version: '2.6'
 - !ruby/object:Gem::Dependency
   name: tls_test_kit
   requirement: !ruby/object:Gem::Requirement
@@ -134,11 +134,13 @@ files:
 - lib/smart_app_launch/app_launch_test.rb
 - lib/smart_app_launch/app_redirect_test.rb
 - lib/smart_app_launch/app_redirect_test_stu2.rb
+- lib/smart_app_launch/client_assertion_builder.rb
 - lib/smart_app_launch/code_received_test.rb
 - lib/smart_app_launch/discovery_stu1_group.rb
 - lib/smart_app_launch/discovery_stu2_group.rb
 - lib/smart_app_launch/ehr_launch_group.rb
 - lib/smart_app_launch/ehr_launch_group_stu2.rb
+- lib/smart_app_launch/jwks.rb
 - lib/smart_app_launch/launch_received_test.rb
 - lib/smart_app_launch/openid_connect_group.rb
 - lib/smart_app_launch/openid_decode_id_token_test.rb
@@ -149,11 +151,17 @@ files:
 - lib/smart_app_launch/openid_token_header_test.rb
 - lib/smart_app_launch/openid_token_payload_test.rb
 - lib/smart_app_launch/post_auth.html
+- lib/smart_app_launch/smart_jwks.json
 - lib/smart_app_launch/smart_stu1_suite.rb
 - lib/smart_app_launch/smart_stu2_suite.rb
 - lib/smart_app_launch/standalone_launch_group.rb
 - lib/smart_app_launch/standalone_launch_group_stu2.rb
+- lib/smart_app_launch/token_exchange_stu2_test.rb
 - lib/smart_app_launch/token_exchange_test.rb
+- lib/smart_app_launch/token_introspection_access_token_group.rb
+- lib/smart_app_launch/token_introspection_group.rb
+- lib/smart_app_launch/token_introspection_request_group.rb
+- lib/smart_app_launch/token_introspection_response_group.rb
 - lib/smart_app_launch/token_payload_validation.rb
 - lib/smart_app_launch/token_refresh_body_test.rb
 - lib/smart_app_launch/token_refresh_group.rb