smart_app_launch_test_kit 0.3.0 → 0.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 97f3e4dca10ecb9dfe4aa30802d90f4272dd32ffd10715fa7b3a0855a04b5c8d
-  data.tar.gz: 016a700551ef524e7bdc7f8871beb03f7297dc3cba39e5b4b53349b22f22ed53
+  metadata.gz: f66c9b0314200d03d78422dc6412fe30cd0a091cd34d2a4701b9daa9a85d45f6
+  data.tar.gz: 7a34428293bfe281ebeebf83e8ee37597ebdfef2bf158cb8a3893598eca09876
 SHA512:
-  metadata.gz: 519d2bb8c5bde6a7c5c28f04ec17bfdcff37c7270b6216707a05db4b04c94269d244c6a1888dd97a0c25c5a50764d4969a08c2774dcb636db7fd274301184427
-  data.tar.gz: eda1f5484f72de3a82c34eb1d0424a2b10a327baeb93d6e6df8f94be7a7e3ef378e5e6510378f62e7d9387e56424b42b52f4524fc557302d3a5ddab0654c782e
+  metadata.gz: d5f432c1b4b43a2c84be8613acb0b31dec557b80b1b76996773c76486db5197265a3dc1f0b9a9015eaa35c17c65d5b6b7eb506d940676e0cdae3b798b1cf8799
+  data.tar.gz: b63b86f90dbfc0ea88b7cc65e2075333b07a2cee7d42f88f21d209f4a51274545532706ed0278efad3cd4a0316be4ae32e948632f4ba66247d5451c68eff9559

data/lib/smart_app_launch/app_redirect_test.rb

@@ -75,7 +75,7 @@ module SMARTAppLaunch
     def authorization_url_builder(url, params)
       uri = URI(url)
 
-      # because the URL might have paramters on it
+      # because the URL might have parameters on it
       original_parameters = Hash[URI.decode_www_form(uri.query || '')]
       new_params = original_parameters.merge(params)
 

data/lib/smart_app_launch/app_redirect_test_stu2.rb

@@ -16,7 +16,7 @@ module SMARTAppLaunch
     )
 
     input :authorization_method,
-          title: 'Authorization Method',
+          title: 'Authorization Request Method',
           type: 'radio',
           default: 'get',
           options: {

data/lib/smart_app_launch/backend_services_authorization_group.rb

@@ -0,0 +1,88 @@
+require_relative 'backend_services_authorization_request_builder'
+require_relative 'backend_services_invalid_grant_type_test'
+require_relative 'backend_services_invalid_client_assertion_test'
+require_relative 'backend_services_invalid_jwt_test'
+require_relative 'backend_services_authorization_request_success_test'
+require_relative 'backend_services_authorization_response_body_test'
+require_relative 'token_exchange_stu2_test'
+
+module SMARTAppLaunch
+  class BackendServicesAuthorizationGroup < Inferno::TestGroup
+    title 'SMART Backend Services Authorization'
+    short_description 'Demonstrate SMART Backend Services Authorization'
+
+    id :backend_services_authorization
+
+    input :smart_token_url,
+          title: 'Backend Services Token Endpoint',
+          description: <<~DESCRIPTION
+            The OAuth 2.0 Token Endpoint used by the Backend Services specification to provide bearer tokens.
+          DESCRIPTION
+
+    input :backend_services_client_id,
+          title: 'Backend Services Client ID',
+          description: 'Client ID provided at registration to the Inferno application.'
+    input :backend_services_requested_scope,
+          title: 'Backend Services Requested Scopes',
+          description: 'Backend Services Scopes provided at registration to the Inferno application; will be `system/` scopes',
+          default: 'system/*.read'
+
+    input :client_auth_encryption_method,
+      title: 'Encryption Method for Asymmetric Confidential Client Authorization',
+      description: <<~DESCRIPTION,
+        The server is required to suport either ES384 or RS384 encryption methods for JWT signature verification.
+        Select which method to use.
+      DESCRIPTION
+      type: 'radio',
+      default: 'ES384',
+      options: {
+        list_options: [
+          {
+            label: 'ES384',
+            value: 'ES384'
+          },
+          {
+            label: 'RS384',
+            value: 'RS384'
+          }
+        ]
+      }
+    input :backend_services_jwks_kid,
+          title: 'Backend Services JWKS kid',
+          description: <<~DESCRIPTION,
+            The key ID of the JWKS private key to use for signing the client assertion when fetching an auth token.
+            Defaults to the first JWK in the list if no kid is supplied.
+          DESCRIPTION
+          optional: true
+
+    output :bearer_token
+
+    test from: :tls_version_test do
+      title 'Authorization service token endpoint secured by transport layer security'
+      description <<~DESCRIPTION
+        The [SMART App Launch 2.0.0 IG specification for Backend Services](https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1)
+        states "the client SHALL use the Transport Layer Security (TLS) Protocol Version 1.2 (RFC5246) 
+        or a more recent version of TLS to authenticate the identity of the FHIR authorization server and to 
+        establish an encrypted, integrity-protected link for securing all exchanges between the client and the 
+        FHIR authorization server’s token endpoint. All exchanges described herein between the client and the 
+        FHIR server SHALL be secured using TLS V1.2 or a more recent version of TLS."
+      DESCRIPTION
+      id :smart_backend_services_token_tls_version
+
+      config(
+        inputs: { url: { name: :smart_token_url } },
+        options: {  minimum_allowed_version: OpenSSL::SSL::TLS1_2_VERSION }
+      )
+    end
+
+    test from: :smart_backend_services_invalid_grant_type
+
+    test from: :smart_backend_services_invalid_client_assertion
+
+    test from: :smart_backend_services_invalid_jwt
+
+    test from: :smart_backend_services_auth_request_success
+
+    test from: :smart_backend_services_auth_response_body
+  end
+end

data/lib/smart_app_launch/backend_services_authorization_request_builder.rb

@@ -0,0 +1,74 @@
+require 'json/jwt'
+require_relative 'client_assertion_builder'
+
+module SMARTAppLaunch
+  class BackendServicesAuthorizationRequestBuilder
+    def self.build(...)
+      new(...).authorization_request
+    end
+
+    attr_reader :encryption_method, :scope, :iss, :sub, :aud, :content_type, :grant_type, :client_assertion_type, :exp,
+                :jti, :kid
+
+    def initialize(
+      encryption_method:,
+      scope:,
+      iss:,
+      sub:,
+      aud:,
+      content_type: 'application/x-www-form-urlencoded',
+      grant_type: 'client_credentials',
+      client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+      exp: 5.minutes.from_now,
+      jti: SecureRandom.hex(32),
+      kid: nil
+    )
+      @encryption_method = encryption_method
+      @scope = scope
+      @iss = iss
+      @sub = sub
+      @aud = aud
+      @content_type = content_type
+      @grant_type = grant_type
+      @client_assertion_type = client_assertion_type
+      @exp = exp
+      @jti = jti
+      @kid = kid
+    end
+
+    def authorization_request_headers
+      {
+        content_type:,
+        accept: 'application/json'
+      }.compact
+    end
+
+    def authorization_request_query_values
+      {
+        'scope' => scope,
+        'grant_type' => grant_type,
+        'client_assertion_type' => client_assertion_type,
+        'client_assertion' => client_assertion.to_s
+      }.compact
+    end
+
+    def client_assertion
+      @client_assertion ||= ClientAssertionBuilder.build(
+          client_auth_encryption_method: encryption_method, 
+          iss: iss,
+          sub: sub,
+          aud: aud,
+          exp: exp.to_i,
+          jti: jti,
+          kid: kid
+          )
+    end
+
+    def authorization_request
+      uri = Addressable::URI.new
+      uri.query_values = authorization_request_query_values
+
+      { body: uri.query, headers: authorization_request_headers }
+    end
+  end
+end

data/lib/smart_app_launch/backend_services_authorization_request_success_test.rb

@@ -0,0 +1,40 @@
+require_relative 'backend_services_authorization_request_builder'
+require_relative 'backend_services_authorization_group'
+
+module SMARTAppLaunch 
+  class BackendServicesAuthorizationRequestSuccessTest < Inferno::Test 
+    id :smart_backend_services_auth_request_success
+    title 'Authorization request succeeds when supplied correct information'
+    description <<~DESCRIPTION
+      The [SMART App Launch 2.0.0 IG specification for Backend Services](https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#issue-access-token)
+      states "If the access token request is valid and authorized, the authorization server SHALL issue an access token in response."
+    DESCRIPTION
+
+    input :client_auth_encryption_method, 
+          :backend_services_requested_scope, 
+          :backend_services_client_id, 
+          :smart_token_url, 
+          :backend_services_jwks_kid
+
+    output :authentication_response
+
+    http_client :token_endpoint do
+      url :smart_token_url
+    end
+
+    run do
+      post_request_content = BackendServicesAuthorizationRequestBuilder.build(encryption_method: client_auth_encryption_method,
+                                                                scope: backend_services_requested_scope,
+                                                                iss: backend_services_client_id,
+                                                                sub: backend_services_client_id,
+                                                                aud: smart_token_url,
+                                                                kid: backend_services_jwks_kid)
+
+      authentication_response = post(**{ client: :token_endpoint }.merge(post_request_content))
+
+      assert_response_status([200, 201])
+
+      output authentication_response: authentication_response.response_body
+    end
+  end
+end

data/lib/smart_app_launch/backend_services_authorization_response_body_test.rb

@@ -0,0 +1,40 @@
+require_relative 'backend_services_authorization_request_builder'
+
+module SMARTAppLaunch 
+  class BackendServicesAuthorizationResponseBodyTest < Inferno::Test 
+    id :smart_backend_services_auth_response_body
+    title 'Authorization request response body contains required information encoded in JSON'
+    description <<~DESCRIPTION
+      The [SMART App Launch 2.0.0 IG specification for Backend Services](https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#issue-access-token)
+      states The access token response SHALL be a JSON object with the following properties:
+
+      | Token Property | Required? | Description |
+      | --- | --- | --- |
+      | `access_token` | required | The access token issued by the authorization server. |
+      | `token_type` | required | Fixed value: `bearer`. |
+      | `expires_in` | required | The lifetime in seconds of the access token. The recommended value is `300`, for a five-minute token lifetime. |
+      | `scope` | required | Scope of access authorized. Note that this can be different from the scopes requested by the app. |
+    DESCRIPTION
+
+    input :authentication_response
+    output :bearer_token
+
+    run do
+      skip_if authentication_response.blank?, 'No authentication response received.'
+
+      assert_valid_json(authentication_response)
+      response_body = JSON.parse(authentication_response)
+
+      access_token = response_body['access_token']
+      assert access_token.present?, 'Token response did not contain access_token as required'
+
+      output bearer_token: access_token
+
+      required_keys = ['token_type', 'expires_in', 'scope']
+
+      required_keys.each do |key|
+        assert response_body[key].present?, "Token response did not contain #{key} as required"
+      end
+    end
+  end
+end

data/lib/smart_app_launch/backend_services_invalid_client_assertion_test.rb

@@ -0,0 +1,44 @@
+require_relative 'backend_services_authorization_request_builder'
+
+module SMARTAppLaunch 
+  class BackendServicesInvalidClientAssertionTest < Inferno::Test 
+    id :smart_backend_services_invalid_client_assertion
+    title 'Authorization request fails when supplied invalid client_assertion_type'
+    description <<~DESCRIPTION
+      The [SMART App Launch 2.0.0 IG specification for Backend Services](https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1)
+      defines the required fields for the authorization request, made via HTTP POST to authorization 
+      token endpoint.
+      This includes the `client_assertion_type` parameter, where the value must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`.
+
+      The [OAuth 2.0 Authorization Framework Section 4.3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3.3) 
+      describes the proper response for an invalid request in the client credentials grant flow:
+
+      "If the request failed client authentication or is invalid, the authorization server returns an
+      error response as described in [Section 5.2](https://tools.ietf.org/html/rfc6749#section-5.2)."
+    DESCRIPTION
+
+    input :client_auth_encryption_method, 
+          :backend_services_requested_scope, 
+          :backend_services_client_id, 
+          :smart_token_url, 
+          :backend_services_jwks_kid
+
+    http_client :token_endpoint do
+      url :smart_token_url
+    end
+
+    run do
+      post_request_content = BackendServicesAuthorizationRequestBuilder.build(encryption_method: client_auth_encryption_method,
+                                                                  scope: backend_services_requested_scope,
+                                                                  iss: backend_services_client_id,
+                                                                  sub: backend_services_client_id,
+                                                                  aud: smart_token_url,
+                                                                  client_assertion_type: 'not_an_assertion_type',
+                                                                  kid: backend_services_jwks_kid)
+
+      post(**{ client: :token_endpoint }.merge(post_request_content))
+
+      assert_response_status(400)
+    end 
+  end
+end

data/lib/smart_app_launch/backend_services_invalid_grant_type_test.rb

@@ -0,0 +1,44 @@
+require_relative 'backend_services_authorization_request_builder'
+
+module SMARTAppLaunch 
+  class BackendServicesInvalidGrantTypeTest < Inferno::Test 
+    id :smart_backend_services_invalid_grant_type
+    title 'Authorization request fails when client supplies invalid grant_type'
+    description <<~DESCRIPTION
+      The [SMART App Launch 2.0.0 IG section on Backend Services](https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1)
+      defines the required fields for the authorization request, made via HTTP POST to authorization 
+      token endpoint.
+      This includes the `grant_type` parameter, where the value must be `client_credentials`.
+
+      The [OAuth 2.0 Authorization Framework Section 4.3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3.3) 
+      describes the proper response for an invalid request in the client credentials grant flow:
+
+      "If the request failed client authentication or is invalid, the authorization server returns an
+      error response as described in [Section 5.2](https://tools.ietf.org/html/rfc6749#section-5.2)."
+    DESCRIPTION
+
+    input :client_auth_encryption_method, 
+          :backend_services_requested_scope, 
+          :backend_services_client_id, 
+          :smart_token_url, 
+          :backend_services_jwks_kid
+
+    http_client :token_endpoint do
+      url :smart_token_url
+    end
+
+    run do
+      post_request_content = BackendServicesAuthorizationRequestBuilder.build(encryption_method: client_auth_encryption_method,
+                                                              scope: backend_services_requested_scope,
+                                                              iss: backend_services_client_id,
+                                                              sub: backend_services_client_id,
+                                                              aud: smart_token_url,
+                                                              grant_type: 'not_a_grant_type',
+                                                              kid: backend_services_jwks_kid)
+
+      post(**{ client: :token_endpoint }.merge(post_request_content))
+
+      assert_response_status(400)
+    end 
+  end
+end

data/lib/smart_app_launch/backend_services_invalid_jwt_test.rb

@@ -0,0 +1,55 @@
+require_relative 'backend_services_authorization_request_builder'
+
+module SMARTAppLaunch 
+  class BackendServicesInvalidJWTTest < Inferno::Test 
+    id :smart_backend_services_invalid_jwt
+    title 'Authorization request fails when client supplies invalid JWT token'
+    description <<~DESCRIPTION
+      The [SMART App Launch 2.0.0 IG section on Backend Services](https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1)
+      defines the required fields for the authorization request, made via HTTP POST to authorization 
+      token endpoint.
+      This includes the `client_assertion` parameter, where the value must be
+      a valid JWT as specified in 
+      [Asymmetric (public key) Client Authentication](https://hl7.org/fhir/smart-app-launch/STU2/client-confidential-asymmetric.html#authenticating-to-the-token-endpoint)
+      The JWT SHALL include the following claims, and SHALL be signed with the client’s private key.
+
+      | JWT Claim | Required? | Description |
+      | --- | --- | --- |
+      | `iss` | required | Issuer of the JWT -- the client's `client_id`, as determined during registration with the FHIR authorization server (note that this is the same as the value for the sub claim) |
+      | `sub` | required | The service's `client_id`, as determined during registration with the FHIR authorization server (note that this is the same as the value for the `iss` claim) |
+      | `aud` | required | The FHIR authorization server's "token URL" (the same URL to which this authentication JWT will be posted) |
+      | `exp` | required | Expiration time integer for this authentication JWT, expressed in seconds since the "Epoch" (1970-01-01T00:00:00Z UTC). This time SHALL be no more than five minutes in the future. |
+      | `jti` | required | A nonce string value that uniquely identifies this authentication JWT. |
+
+      The [OAuth 2.0 Authorization Framework Section 4.3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3.3) 
+      describes the proper response for an invalid request in the client credentials grant flow:
+
+      "If the request failed client authentication or is invalid, the authorization server returns an
+      error response as described in [Section 5.2](https://tools.ietf.org/html/rfc6749#section-5.2)."
+    DESCRIPTION
+
+    input :client_auth_encryption_method, 
+          :backend_services_requested_scope, 
+          :backend_services_client_id, 
+          :smart_token_url, 
+          :backend_services_jwks_kid
+
+    http_client :token_endpoint do
+      url :smart_token_url
+    end
+      
+    run do
+      post_request_content = BackendServicesAuthorizationRequestBuilder.build(encryption_method: client_auth_encryption_method,
+                                                                scope: backend_services_requested_scope,
+                                                                iss: backend_services_client_id,
+                                                                sub: backend_services_client_id,
+                                                                aud: smart_token_url,
+                                                                client_assertion_type: 'not_an_assertion_type',
+                                                                kid: backend_services_jwks_kid)
+
+      post(**{ client: :token_endpoint }.merge(post_request_content))
+
+      assert_response_status(400)
+    end 
+  end
+end

data/lib/smart_app_launch/client_assertion_builder.rb

@@ -16,7 +16,8 @@ module SMARTAppLaunch
                 :grant_type,
                 :iss,
                 :jti,
-                :sub
+                :sub,
+                :kid
 
     def initialize(
       client_auth_encryption_method:,
@@ -24,7 +25,8 @@ module SMARTAppLaunch
       sub:,
       aud:,
       exp: 5.minutes.from_now.to_i,
-      jti: SecureRandom.hex(32)
+      jti: SecureRandom.hex(32),
+      kid: nil
     )
       @client_auth_encryption_method = client_auth_encryption_method
       @iss = iss
@@ -35,29 +37,35 @@ module SMARTAppLaunch
       @client_assertion_type = client_assertion_type
       @exp = exp
       @jti = jti
+      @kid = kid
     end
 
     def private_key
-      @private_key ||=
-        JWKS.jwks
-          .find { |key| key[:key_ops]&.include?('sign') && key[:alg] == client_auth_encryption_method }
+      @private_key ||= JWKS.jwks
+        .select { |key| key[:key_ops]&.include?('sign') }
+        .select { |key| key[:alg] == client_auth_encryption_method }
+        .find { |key| !kid || key[:kid] == kid }
     end
 
     def jwt_payload
       { iss:, sub:, aud:, exp:, jti: }.compact
     end
 
-    def kid
-      private_key.kid
+    def signing_key
+      private_key()
+      if @private_key.nil?
+        raise Inferno::Exceptions::AssertionException, "No signing key found for inputs: encryption method = '#{client_auth_encryption_method}' and kid = '#{kid}'"
+      end
+      return @private_key.signing_key
     end
 
-    def signing_key
-      private_key.signing_key
+    def key_id
+      @private_key['kid']
     end
 
     def client_assertion
       @client_assertion ||=
-        JWT.encode jwt_payload, signing_key, client_auth_encryption_method, { alg: client_auth_encryption_method, kid:, typ: 'JWT' }
+        JWT.encode jwt_payload, signing_key, client_auth_encryption_method, { alg: client_auth_encryption_method, kid: key_id, typ: 'JWT' }
     end
   end
 end

data/lib/smart_app_launch/smart_stu2_suite.rb

@@ -6,7 +6,9 @@ require_relative 'discovery_stu2_group'
 require_relative 'standalone_launch_group_stu2'
 require_relative 'ehr_launch_group_stu2'
 require_relative 'openid_connect_group'
+require_relative 'token_introspection_group'
 require_relative 'token_refresh_group'
+require_relative 'backend_services_authorization_group'
 
 module SMARTAppLaunch
   class SMARTSTU2Suite < Inferno::TestSuite
@@ -55,6 +57,20 @@ module SMARTAppLaunch
       * `#{Inferno::Application[:base_url]}/custom/smart_stu2/.well-known/jwks.json`
     DESCRIPTION
 
+    input_instructions %(
+      When running tests at this level, the token introspection endpoint is not available as a manual input.
+      Instead, group 3 Token Introspection will assume the token introspection endpoint 
+      will be output from group 1 Standalone Launch tests, specifically the SMART On FHIR Discovery tests that query
+      the .well-known/smart-configuration endpoint. However, including the token introspection
+      endpoint as part of the well-known ouput is NOT required and is not formally checked in the SMART On FHIR Discovery
+      tests.  RFC-7662 on Token Introspection says that "The means by which the protected resource discovers the location of the introspection
+      endpoint are outside the scope of this specification" and the Token Introspection IG does not add any further
+      requirements to this.  
+
+      If the token introspection endpoint of the system under test is NOT available at .well-known/smart-configuration, 
+      please run the test groups individually and group 3 Token Introspection will include the introspection endpoint as a manual input.  
+    )
+
     group do
       title 'Standalone Launch'
       id :smart_full_standalone_launch
@@ -204,5 +220,25 @@ module SMARTAppLaunch
               }
             }
     end
+
+    group do
+      title 'Backend Services'
+      id :smart_backend_services
+
+      input_instructions <<~INSTRUCTIONS
+        Please register the Inferno client with the authorization services with the
+        following JWK Set URL:
+
+        * `#{Inferno::Application[:base_url]}/custom/smart_stu2/.well-known/jwks.json`
+      INSTRUCTIONS
+
+      run_as_group
+
+      group from: :smart_discovery_stu2
+      group from: :backend_services_authorization
+    end
+
+    group from: :smart_token_introspection
+
   end
 end

data/lib/smart_app_launch/token_exchange_stu2_test.rb

@@ -14,25 +14,26 @@ module SMARTAppLaunch
     id :smart_token_exchange_stu2
 
     input :client_auth_encryption_method,
-          title: 'Encryption Method (Confidential Asymmetric Client Auth Only)',
-          type: 'radio',
-          default: 'ES384',
-          options: {
-            list_options: [
-              {
-                label: 'ES384',
-                value: 'ES384'
-              },
-              {
-                label: 'RS384',
-                value: 'RS384'
-              }
-            ]
+      title: 'Encryption Method (Confidential Asymmetric Client Auth Only)',
+      type: 'radio',
+      default: 'ES384',
+      options: {
+        list_options: [
+          {
+            label: 'ES384',
+            value: 'ES384'
+          },
+          {
+            label: 'RS384',
+            value: 'RS384'
           }
+        ]
+      }
 
     input :client_auth_type,
           title: 'Client Authentication Method',
           type: 'radio',
+          default: 'public',
           options: {
             list_options: [
               {

data/lib/smart_app_launch/token_exchange_test.rb

@@ -71,6 +71,8 @@ module SMARTAppLaunch
       output token_retrieval_time: Time.now.iso8601
 
       token_response_body = JSON.parse(request.response_body)
+
+
       output smart_credentials: {
                refresh_token: token_response_body['refresh_token'],
                access_token: token_response_body['access_token'],
@@ -80,6 +82,7 @@ module SMARTAppLaunch
                token_retrieval_time: token_retrieval_time,
                token_url: smart_token_url
              }.to_json
+      
     end
   end
 end

data/lib/smart_app_launch/token_introspection_access_token_group.rb

@@ -0,0 +1,26 @@
+require_relative 'standalone_launch_group_stu2'
+
+module SMARTAppLaunch
+  class SMARTTokenIntrospectionAccessTokenGroup < Inferno::TestGroup
+    title 'Request New Access Token to Introspect'
+    run_as_group
+
+    id :smart_token_introspection_access_token_group
+
+    description %(
+      These tests are repeated from the Standalone Launch tests in order to receive a new, active access token that
+      will be provided for token introspection. This test group may be skipped if the tester can obtain an access token
+      __and__ the contents of the access token response body by some other means.
+
+      These tests are currently designed such that the token introspection URL must be present in the SMART well-known endpoint.
+
+    )
+    
+    input_instructions %(
+      Register Inferno as a Standalone SMART App and provide the registration details below.
+    )
+    
+    group from: :smart_discovery_stu2
+    group from: :smart_standalone_launch_stu2
+  end
+end

data/lib/smart_app_launch/token_introspection_group.rb

@@ -0,0 +1,69 @@
+require_relative 'token_introspection_access_token_group'
+require_relative 'token_introspection_response_group'
+require_relative 'token_introspection_request_group'
+
+module SMARTAppLaunch
+  class SMARTTokenIntrospectionGroup < Inferno::TestGroup
+    title 'Token Introspection'
+    id :smart_token_introspection
+    description %(
+      # Background
+
+      OAuth 2.0 Token introspection, as described in [RFC-7662](https://datatracker.ietf.org/doc/html/rfc7662), allows
+      an authorized resource server to query an OAuth 2.0 authorization server for metadata on a token.  The
+      [SMART App Launch STU2 Implementation Guide Section on Token Introspection](https://hl7.org/fhir/smart-app-launch/STU2/token-introspection.html)
+      states that "SMART on FHIR EHRs SHOULD support token introspection, which allows a broader ecosystem of resource servers
+      to leverage authorization decisions managed by a single authorization server."
+
+      # Test Methodology
+
+      In these tests, Inferno acts as an authorized resource server that queries the authorization server about an access
+      token, rather than a client to a FHIR resource server as in the previous SMART App Launch tests.
+      Ideally, Inferno should be registered with the authorization server as an authorized resource server
+      capable of accessing the token introspection endpoint through client credentials, per the SMART IG recommendations.
+      However, the SMART IG only formally REQUIRES "some form of authorization" to access
+      the token introspection endpoint and does not specifiy any one specific approach.  As such, the token introspection tests are
+      broken up into three groups that each complete a discrete step in the token introspection process:
+
+      1. **Request Access Token Group** - optional but recommended, repeats a subset of Standalone Launch tests
+        in order to receive a new access token with an authorization code grant.  If skipped, testers will need to
+          obtain an access token out-of-band and manually provide values from the access token response as inputs to
+          the Validate Token Response group.
+      2. **Issue Token Introspection Request Group** - optional but recommended, completes the introspection requests.
+      If skipped, testers will need to complete an introspection request out-of-band and manually provide the introspection
+      responses as inputs to the Validate Token Response group.
+      3. **Validate Token Introspection Response Group** - required, validates the contents of the introspection responses.
+
+      Running all three test groups in order is the simplest and is highly recommended if the environment under test
+      can support it, as outputs from one group will feed the inputs of the next group. However, test groups can be run
+      independently if needed.
+
+      See the individual test groups for more details and guidance.
+    )
+    group from: :smart_token_introspection_access_token_group
+    group from: :smart_token_introspection_request_group
+    group from: :smart_token_introspection_response_group
+
+    input_order :url, :standalone_client_id, :standalone_client_secret,
+                :authorization_method, :use_pkce, :pkce_code_challenge_method,
+                :standalone_requested_scopes, :client_auth_encryption_method,
+                :client_auth_type, :custom_authorization_header,
+                :optional_introspection_request_params
+    input_instructions %(
+      Executing tests at this level will run all three Token Introspection groups back-to-back.  If test groups need
+      to be run independently, exit this window and select a specific test group instead.
+
+      These tests are currently designed such that the token introspection URL must be present in the SMART well-known endpoint.
+
+      If the introspection endpoint is protected, testers must enter their own HTTP Authorization header for the introspection request.  See
+      [RFC 7616 The 'Basic' HTTP Authentication Scheme](https://datatracker.ietf.org/doc/html/rfc7617) for the most common
+      approach that uses client credentials.  Testers may also provide any additional parameters needed for their authorization 
+      server to complete the introspection request.
+
+      **Note:** For both the Authorization header and request parameters, user-input
+      values will be sent exactly as entered and therefore the tester must
+      URI-encode any appropriate values.
+    )
+
+  end
+end

data/lib/smart_app_launch/token_introspection_request_group.rb

@@ -0,0 +1,122 @@
+require_relative 'token_exchange_test'
+require_relative 'token_refresh_body_test'
+require_relative 'well_known_endpoint_test'
+require_relative 'standalone_launch_group'
+
+module SMARTAppLaunch
+  class SMARTTokenIntrospectionRequestGroup < Inferno::TestGroup
+    title 'Issue Token Introspection Request'
+    run_as_group
+
+    id :smart_token_introspection_request_group
+    description %(
+      This group of tests executes the token introspection requests and ensures the correct HTTP response is returned
+      but does not validate the contents of the token introspection response. 
+
+      If Inferno cannot reasonably be configured to be authorized to access the token introspection endpoint, these tests 
+      can be skipped.  Instead, an out-of-band token introspection request must be completed and the response body
+      manually provided as input for the Validate Introspection Response test group.
+      )
+
+    input_instructions %(
+      If the Request New Access Token group was executed, the access token input will auto-populate with that token. 
+      Otherwise an active access token needs to be obtained out-of-band and input.  
+        
+      Per [RFC-7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2), "the definition of an active token is 
+      currently dependent upon the authorization server, but this is commonly a token that has been issued by this 
+      authorization server, is not expired, has not been revoked, and is valid for use at the protected resource making 
+      the introspection call."
+
+      If the introspection endpoint is protected, testers must enter their own HTTP Authorization header for the introspection request.  See
+      [RFC 7616 The 'Basic' HTTP Authentication Scheme](https://datatracker.ietf.org/doc/html/rfc7617) for the most common
+      approach that uses client credentials.  Testers may also provide any additional parameters needed for their authorization 
+      server to complete the introspection request.
+
+      **Note:** For both the Authorization header and request parameters, user-input
+      values will be sent exactly as entered and therefore the tester must URI-encode any appropriate values.
+    )
+
+    input :well_known_introspection_url, 
+          title: 'Token Introspection Endpoint URL', 
+          description: 'The complete URL of the token introspection endpoint.'
+
+    input :custom_authorization_header,
+          title: 'HTTP Authorization Header for Introspection Request',
+          type: 'textarea',
+          optional: true,
+          description: %(
+            Include header name, auth scheme, and auth parameters.
+            Ex: 'Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW' 
+            )
+
+    input :optional_introspection_request_params,
+          title: 'Additional Introspection Request Parameters',
+          type: 'textarea',
+          optional: true,
+          description: %(
+            Any additional parameters to append to the request body, separated by &. Example: 'param1=abc&param2=def'  
+          )
+
+    test do
+      title 'Token introspection endpoint returns a response when provided an active token'
+      description %(
+      This test will execute a token introspection request for an active token and ensure a 200 status and valid JSON
+      body are returned in the response. 
+      )
+
+      input :standalone_access_token, 
+            title: 'Access Token',
+            description: 'The access token to be introspected. MUST be active.'
+
+
+      output :active_token_introspection_response_body
+
+      run do
+
+        # If this is being chained from an earlier test, it might be blank if not present in the well-known endpoint
+        skip_if well_known_introspection_url.nil?, 'No introspection URL present in SMART well-known endpoint.'
+
+        headers = {'Accept' => 'application/json', 'Content-Type' => 'application/x-www-form-urlencoded'}
+        body = "token=#{standalone_access_token}"
+
+        if custom_authorization_header.present?
+          parsed_header = custom_authorization_header.split(':', 2)
+          assert parsed_header.length == 2, "Incorrect custom HTTP header format input, expected: '<header name>: <header value>'"
+          headers[parsed_header[0]] = parsed_header[1].strip
+        end
+
+        if optional_introspection_request_params.present?
+          body += "&#{optional_introspection_request_params}"
+        end
+
+        post(well_known_introspection_url, body: body, headers: headers)
+
+        assert_response_status(200)
+        output active_token_introspection_response_body: request.response_body
+      end
+    
+    end
+
+    test do 
+      title 'Token introspection endpoint returns a response when provided an invalid token'
+      description %(
+        This test will execute a token introspection request for an invalid token and ensure a 200 status and valid JSON
+        body are returned in response. 
+      )
+
+      output :invalid_token_introspection_response_body
+      run do
+
+        # If this is being chained from an earlier test, it might be blank if not present in the well-known endpoint
+        skip_if well_known_introspection_url.nil?, 'No introspection URL present in SMART well-known endpoint.'
+
+        headers = {'Accept' => 'application/json', 'Content-Type' => 'application/x-www-form-urlencoded'}
+        body = "token=invalid_token_value"
+        post(well_known_introspection_url, body: body, headers: headers)
+        
+        assert_response_status(200)
+        output invalid_token_introspection_response_body: request.response_body
+      end
+    end
+  end
+end

data/lib/smart_app_launch/token_introspection_response_group.rb

@@ -0,0 +1,191 @@
+require_relative 'token_introspection_request_group'
+require_relative 'token_exchange_test'
+
+module SMARTAppLaunch
+  class SMARTTokenIntrospectionResponseGroup < Inferno::TestGroup
+    title 'Validate Token Introspection Response'
+    run_as_group
+
+    id :smart_token_introspection_response_group
+    description %(
+      This group of tests validates the contents of the token introspection response by comparing the fields and/or
+      values in the token introspection response to the fields and/or values of the original access token response
+      in which the access token was given to the client.
+      )
+
+      input_instructions %(
+        There are two categories of input for this test group: 
+
+        1. The access token response values, which will dictate what the tests will expect to find in the token
+        introspection response.  If the Request New Access Token group was run, these inputs will auto-populate.
+        
+        2. The token introspection response bodies. If the Issue Introspection Request test group was run, these will
+        auto-populate; otherwise, the tester will need to an run out-of-band INTROSPECTION requests for a. An ACTIVE
+        access token, AND b. An INACTIVE OR INVALID token
+
+        See [RFC-7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2) for details on active vs inactive tokens.
+      )
+      
+    test do 
+      title 'Token introspection response for an active token contains required fields'
+
+      description %(
+        This test will check whether the metadata in the token introspection response is correct for an active token and
+        that the response data matches the data in the original access token and/or access token response from the
+        authorization server, including the following:
+
+        Required:
+        * `active` claim is set to true
+        * `scope`, `client_id`, and `exp` claim(s) match between introspection response and access token
+
+        It is not possible to know what the expected value for `exp` is in advance, so Inferno tests that the claim is
+        present and represents a time greater than or equal to 10 minutes in the past. 
+
+        Conditionally Required:
+        * IF launch context parameter(s) included in access token, introspection response includes claim(s) for 
+        launch context parameter(s) 
+          * Parameters checked for are `patient` and `encounter`
+        * IF identity token was included as part of access token response, `iss` and `sub` claims are present in the
+        introspection response and match those of the orignal ID token
+
+        Optional but Recommended:
+        * IF identity token was included as part of access token response, `fhirUser` claim SHOULD be present in 
+        introspection response and should match the claim in the ID token
+      )
+
+      input :standalone_client_id,
+            title: 'Access Token client_id',
+            description: 'ID of the client that requested the access token being introspected'
+
+
+      input :standalone_received_scopes,
+            title: 'Expected Introspection Response Value: scope',
+            description: 'A space-separated list of scopes from the original access token response body'
+      
+      input :standalone_id_token,
+            title: 'Access Token Response: id_token',
+            type: 'textarea',
+            optional: true,
+            description: 'The ID token from the original access token response body, IF it was present'
+
+      input :standalone_patient_id,
+            title: 'Expected Introspection Response for Patient Launch Context Parameter',
+            optional: true,
+            description: 'The value for patient launch context from the original access token response body, IF it was present'
+
+      input :standalone_encounter_id,
+            title: 'Expected Introspection Response for Encounter Launch Context Parameter',
+            optional: true,
+            description: 'The value for encounter launch context from the original access token response body, IF it was present'
+
+      input :active_token_introspection_response_body,
+            title: 'Active Token Introspection Response Body',
+            type: 'textarea',
+            description: 'The JSON body of the token introspection response when provided an ACTIVE token'
+
+      def get_json_claim_value(json_response, claim_key)
+        claim_value = json_response[claim_key]
+        assert claim_value != nil, "Failure: introspection response has no claim for '#{claim_key}'"
+        return claim_value
+      end
+      
+      def assert_introspection_response_match(json_response, claim_key, expected_value)
+        expected_value = expected_value.strip
+        claim_value = get_json_claim_value(json_response, claim_key)
+        claim_value = claim_value.strip
+        assert claim_value.eql?(expected_value), 
+            "Failure: expected introspection response value for '#{claim_key}' to match expected value '#{expected_value}'"
+      end
+
+      run do
+        skip_if active_token_introspection_response_body.nil?, 'No introspection response available to validate.'
+        assert_valid_json(active_token_introspection_response_body)
+        active_introspection_response_body_parsed = JSON.parse(active_token_introspection_response_body)
+
+        # Required Fields
+        assert active_introspection_response_body_parsed['active'] == true, "Failure: expected introspection response for 'active' to be Boolean value true for valid token"
+        assert_introspection_response_match(active_introspection_response_body_parsed, 'client_id', standalone_client_id)
+
+        response_scope_value = get_json_claim_value(active_introspection_response_body_parsed, 'scope')
+
+        # splitting contents and comparing values allows a scope lists with the same contents but different orders to still pass
+        response_scopes_split = response_scope_value.split()
+        expected_scopes_split = standalone_received_scopes.split()
+
+        assert response_scopes_split.length() == expected_scopes_split.length(), 
+          "Failure: number of scopes in introspection response, #{response_scopes_split.length()}, does not match number of scopes in access token response, #{expected_scopes_split.length()}"
+
+        expected_scopes_split.each do |scope|
+          assert response_scopes_split.include?(scope), "Failure: expected scope '#{scope}' not present in introspection response scopes"
+        end
+
+        # Cannot verify exact value for exp, so instead ensure its value represents a time >= 10 minutes in the past 
+        exp = active_introspection_response_body_parsed['exp']
+        assert exp != nil, "Failure: introspection response has no claim for 'exp'"
+        current_time = Time.now.to_i 
+        assert exp.to_i >= current_time - 600, "Failure: expired token, exp claim of #{exp} for active token is more than 10 minutes in the past"
+        
+        # Conditional fields
+        assert_introspection_response_match(active_introspection_response_body_parsed, 'patient', standalone_patient_id) if standalone_patient_id.present?
+        assert_introspection_response_match(active_introspection_response_body_parsed, 'encounter', standalone_encounter_id) if standalone_encounter_id.present?
+
+        # ID Token Fields
+        if standalone_id_token.present?
+          id_payload, id_header =
+          JWT.decode(
+            standalone_id_token,
+            nil,
+            false
+          )
+         
+          # Required fields if ID token present
+          id_token_iss = id_payload['iss']
+          id_token_sub = id_payload['sub']
+
+          assert id_token_iss != nil, "Failure: ID token from access token response does not have 'iss' claim"
+          assert id_token_sub != nil, "Failure: ID token from access token response does not have 'sub' claim"
+          assert_introspection_response_match(active_introspection_response_body_parsed, 'iss', id_token_iss)
+          assert_introspection_response_match(active_introspection_response_body_parsed, 'sub', id_token_sub)
+
+          # fhirUser not required but recommended
+          fhirUser_id_claim = id_payload['fhirUser']
+          fhirUser_intr_claim = active_introspection_response_body_parsed['fhirUser']
+
+          info do 
+            assert fhirUser_intr_claim != nil, "Introspection response SHOULD include claim for fhirUser because ID token present in access token response" if fhirUser_id_claim != nil
+            assert fhirUser_intr_claim.eql?(fhirUser_id_claim), "Introspection response claim for fhirUser SHOULD match value in ID token" if fhirUser_id_claim != nil
+          end
+        end
+      end
+    end
+
+    test do
+      title 'Token introspection response for an invalid token contains required fields'
+
+      description %(
+        From [RFC7662 OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2):
+        "If the introspection call is properly authorized but the token is not
+        active, does not exist on this server, or the protected resource is
+        not allowed to introspect this particular token, then the
+        authorization server MUST return an introspection response with the
+        "active" field set to "false".  Note that to avoid disclosing too
+        much of the authorization server's state to a third party, the
+        authorization server SHOULD NOT include any additional information
+        about an inactive token, including why the token is inactive."
+      )
+
+      input :invalid_token_introspection_response_body,
+            title: 'Invalid Token Introspection Response Body',
+            type: 'textarea',
+            description: 'The JSON body of the token introspection response when provided an INVALID token'
+
+      run do
+        skip_if invalid_token_introspection_response_body.nil?, 'No invalid introspection response available to validate.'
+        assert_valid_json(invalid_token_introspection_response_body)
+        invalid_token_introspection_response_body_parsed = JSON.parse(invalid_token_introspection_response_body)
+        assert invalid_token_introspection_response_body_parsed['active'] == false, "Failure: expected introspection response for 'active' to be Boolean value false for invalid token"
+        assert invalid_token_introspection_response_body_parsed.size == 1, "Failure: expected only 'active' field to be present in introspection response for invalid token"
+      end
+    end
+  end
+end

data/lib/smart_app_launch/token_payload_validation.rb

@@ -3,6 +3,69 @@ module SMARTAppLaunch
     STRING_FIELDS = ['access_token', 'token_type', 'scope', 'refresh_token'].freeze
     NUMERIC_FIELDS = ['expires_in'].freeze
 
+    # All resource types from DSTU3, STU3, R4, R4B, and R5
+    FHIR_RESOURCE_TYPES = [
+      "Account", "ActivityDefinition", "ActorDefinition",
+      "AdministrableProductDefinition", "AdverseEvent", "AllergyIntolerance",
+      "Appointment", "AppointmentResponse", "ArtifactAssessment", "AuditEvent",
+      "Basic", "Binary", "BiologicallyDerivedProduct",
+      "BiologicallyDerivedProductDispense", "BodySite", "BodyStructure",
+      "Bundle", "CapabilityStatement", "CarePlan", "CareTeam", "CatalogEntry",
+      "ChargeItem", "ChargeItemDefinition", "Citation", "Claim",
+      "ClaimResponse", "ClinicalImpression", "ClinicalUseDefinition",
+      "CodeSystem", "Communication", "CommunicationRequest",
+      "CompartmentDefinition", "Composition", "ConceptMap", "Condition",
+      "ConditionDefinition", "Conformance", "Consent", "Contract", "Coverage",
+      "CoverageEligibilityRequest", "CoverageEligibilityResponse",
+      "DataElement", "DetectedIssue", "Device", "DeviceAssociation",
+      "DeviceComponent", "DeviceDefinition", "DeviceDispense", "DeviceMetric",
+      "DeviceRequest", "DeviceUsage", "DeviceUseRequest", "DeviceUseStatement",
+      "DiagnosticOrder", "DiagnosticReport", "DocumentManifest",
+      "DocumentReference", "EffectEvidenceSynthesis", "EligibilityRequest",
+      "EligibilityResponse", "Encounter", "EncounterHistory", "Endpoint",
+      "EnrollmentRequest", "EnrollmentResponse", "EpisodeOfCare",
+      "EventDefinition", "Evidence", "EvidenceReport", "EvidenceVariable",
+      "ExampleScenario", "ExpansionProfile", "ExplanationOfBenefit",
+      "FamilyMemberHistory", "Flag", "FormularyItem", "GenomicStudy", "Goal",
+      "GraphDefinition", "Group", "GuidanceResponse", "HealthcareService",
+      "ImagingManifest", "ImagingObjectSelection", "ImagingSelection",
+      "ImagingStudy", "Immunization", "ImmunizationEvaluation",
+      "ImmunizationRecommendation", "ImplementationGuide", "Ingredient",
+      "InsurancePlan", "InventoryItem", "InventoryReport", "Invoice", "Library",
+      "Linkage", "List", "Location", "ManufacturedItemDefinition", "Measure",
+      "MeasureReport", "Media", "Medication", "MedicationAdministration",
+      "MedicationDispense", "MedicationKnowledge", "MedicationOrder",
+      "MedicationRequest", "MedicationStatement", "MedicinalProduct",
+      "MedicinalProductAuthorization", "MedicinalProductContraindication",
+      "MedicinalProductDefinition", "MedicinalProductIndication",
+      "MedicinalProductIngredient", "MedicinalProductInteraction",
+      "MedicinalProductManufactured", "MedicinalProductPackaged",
+      "MedicinalProductPharmaceutical", "MedicinalProductUndesirableEffect",
+      "MessageDefinition", "MessageHeader", "MolecularSequence", "NamingSystem",
+      "NutritionIntake", "NutritionOrder", "NutritionProduct", "Observation",
+      "ObservationDefinition", "OperationDefinition", "OperationOutcome",
+      "Order", "OrderResponse", "Organization", "OrganizationAffiliation",
+      "PackagedProductDefinition", "Patient", "PaymentNotice",
+      "PaymentReconciliation", "Permission", "Person", "PlanDefinition",
+      "Practitioner", "PractitionerRole", "Procedure", "ProcedureRequest",
+      "ProcessRequest", "ProcessResponse", "Provenance", "Questionnaire",
+      "QuestionnaireResponse", "ReferralRequest", "RegulatedAuthorization",
+      "RelatedPerson", "RequestGroup", "RequestOrchestration", "Requirements",
+      "ResearchDefinition", "ResearchElementDefinition", "ResearchStudy",
+      "ResearchSubject", "RiskAssessment", "RiskEvidenceSynthesis", "Schedule",
+      "SearchParameter", "Sequence", "ServiceDefinition", "ServiceRequest",
+      "Slot", "Specimen", "SpecimenDefinition", "StructureDefinition",
+      "StructureMap", "Subscription", "SubscriptionStatus", "SubscriptionTopic",
+      "Substance", "SubstanceDefinition", "SubstanceNucleicAcid",
+      "SubstancePolymer", "SubstanceProtein", "SubstanceReferenceInformation",
+      "SubstanceSourceMaterial", "SubstanceSpecification", "SupplyDelivery",
+      "SupplyRequest", "Task", "TerminologyCapabilities", "TestPlan",
+      "TestReport", "TestScript", "Transport", "ValueSet", "VerificationResult",
+      "VisionPrescription"
+    ].to_set.freeze
+
+    FHIR_ID_REGEX = /[A-Za-z0-9\-\.]{1,64}(\/_history\/[A-Za-z0-9\-\.]{1,64})?(#[A-Za-z0-9\-\.]{1,64})?/.freeze
+
     def validate_required_fields_present(body, required_fields)
       missing_fields = required_fields.select { |field| body[field].blank? }
       missing_fields_string = missing_fields.map { |field| "`#{field}`" }.join(', ')
@@ -49,5 +112,25 @@ module SMARTAppLaunch
                  "Expected `#{field}` to be a Numeric, but found #{body[field].class.name}"
         end
     end
+
+    def validate_fhir_context(fhir_context)
+      return if fhir_context.nil?
+
+      assert fhir_context.is_a?(Array), "`fhirContext` field is a #{fhir_context.class.name}, but should be an Array"
+
+      fhir_context.each do |reference|
+        assert reference.is_a?(String), "`#{reference.inspect}` is not a string"
+      end
+
+      fhir_context.each do |reference|
+        assert !reference.start_with?('http'), "`#{reference}` is not a relative reference"
+
+        resource_type, id = reference.split('/')
+        assert FHIR_RESOURCE_TYPES.include?(resource_type),
+               "`#{resource_type}` is not a valid FHIR resource type"
+
+        assert id.match?(FHIR_ID_REGEX), "`#{id}` is not a valid FHIR id"
+      end
+    end
   end
 end

data/lib/smart_app_launch/token_response_body_test.rb

@@ -11,6 +11,8 @@ module SMARTAppLaunch
       has been denied. `access_token`, `token_type`, and `scope` are required.
       `token_type` must be Bearer. `expires_in` is required for token
       refreshes.
+
+      The format of the optional `fhirContext` field is validated if present.
     )
     id :smart_token_response_body
 
@@ -48,6 +50,8 @@ module SMARTAppLaunch
       assert access_token.present?, 'Token response did not contain an access token'
       assert token_response_body['token_type']&.casecmp('Bearer')&.zero?,
              '`token_type` field must have a value of `Bearer`'
+
+      validate_fhir_context(token_response_body['fhirContext'])
     end
   end
 end

data/lib/smart_app_launch/version.rb

@@ -1,3 +1,3 @@
 module SMARTAppLaunch
-  VERSION = '0.3.0'.freeze
+  VERSION = '0.4.1'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: smart_app_launch_test_kit
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.1
 platform: ruby
 authors:
 - Stephen MacVicar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-08-08 00:00:00.000000000 Z
+date: 2024-01-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inferno_core
@@ -24,20 +24,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.4.2
+- !ruby/object:Gem::Dependency
+  name: json-jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.15.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.15.3
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
+        version: '2.6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
+        version: '2.6'
 - !ruby/object:Gem::Dependency
   name: tls_test_kit
   requirement: !ruby/object:Gem::Requirement
@@ -134,6 +148,13 @@ files:
 - lib/smart_app_launch/app_launch_test.rb
 - lib/smart_app_launch/app_redirect_test.rb
 - lib/smart_app_launch/app_redirect_test_stu2.rb
+- lib/smart_app_launch/backend_services_authorization_group.rb
+- lib/smart_app_launch/backend_services_authorization_request_builder.rb
+- lib/smart_app_launch/backend_services_authorization_request_success_test.rb
+- lib/smart_app_launch/backend_services_authorization_response_body_test.rb
+- lib/smart_app_launch/backend_services_invalid_client_assertion_test.rb
+- lib/smart_app_launch/backend_services_invalid_grant_type_test.rb
+- lib/smart_app_launch/backend_services_invalid_jwt_test.rb
 - lib/smart_app_launch/client_assertion_builder.rb
 - lib/smart_app_launch/code_received_test.rb
 - lib/smart_app_launch/discovery_stu1_group.rb
@@ -158,6 +179,10 @@ files:
 - lib/smart_app_launch/standalone_launch_group_stu2.rb
 - lib/smart_app_launch/token_exchange_stu2_test.rb
 - lib/smart_app_launch/token_exchange_test.rb
+- lib/smart_app_launch/token_introspection_access_token_group.rb
+- lib/smart_app_launch/token_introspection_group.rb
+- lib/smart_app_launch/token_introspection_request_group.rb
+- lib/smart_app_launch/token_introspection_response_group.rb
 - lib/smart_app_launch/token_payload_validation.rb
 - lib/smart_app_launch/token_refresh_body_test.rb
 - lib/smart_app_launch/token_refresh_group.rb