smart_app_launch_test_kit 0.4.2 → 0.4.4

data/lib/smart_app_launch/token_payload_validation.rb

@@ -5,66 +5,66 @@ module SMARTAppLaunch
 
     # All resource types from DSTU3, STU3, R4, R4B, and R5
     FHIR_RESOURCE_TYPES = [
-      "Account", "ActivityDefinition", "ActorDefinition",
-      "AdministrableProductDefinition", "AdverseEvent", "AllergyIntolerance",
-      "Appointment", "AppointmentResponse", "ArtifactAssessment", "AuditEvent",
-      "Basic", "Binary", "BiologicallyDerivedProduct",
-      "BiologicallyDerivedProductDispense", "BodySite", "BodyStructure",
-      "Bundle", "CapabilityStatement", "CarePlan", "CareTeam", "CatalogEntry",
-      "ChargeItem", "ChargeItemDefinition", "Citation", "Claim",
-      "ClaimResponse", "ClinicalImpression", "ClinicalUseDefinition",
-      "CodeSystem", "Communication", "CommunicationRequest",
-      "CompartmentDefinition", "Composition", "ConceptMap", "Condition",
-      "ConditionDefinition", "Conformance", "Consent", "Contract", "Coverage",
-      "CoverageEligibilityRequest", "CoverageEligibilityResponse",
-      "DataElement", "DetectedIssue", "Device", "DeviceAssociation",
-      "DeviceComponent", "DeviceDefinition", "DeviceDispense", "DeviceMetric",
-      "DeviceRequest", "DeviceUsage", "DeviceUseRequest", "DeviceUseStatement",
-      "DiagnosticOrder", "DiagnosticReport", "DocumentManifest",
-      "DocumentReference", "EffectEvidenceSynthesis", "EligibilityRequest",
-      "EligibilityResponse", "Encounter", "EncounterHistory", "Endpoint",
-      "EnrollmentRequest", "EnrollmentResponse", "EpisodeOfCare",
-      "EventDefinition", "Evidence", "EvidenceReport", "EvidenceVariable",
-      "ExampleScenario", "ExpansionProfile", "ExplanationOfBenefit",
-      "FamilyMemberHistory", "Flag", "FormularyItem", "GenomicStudy", "Goal",
-      "GraphDefinition", "Group", "GuidanceResponse", "HealthcareService",
-      "ImagingManifest", "ImagingObjectSelection", "ImagingSelection",
-      "ImagingStudy", "Immunization", "ImmunizationEvaluation",
-      "ImmunizationRecommendation", "ImplementationGuide", "Ingredient",
-      "InsurancePlan", "InventoryItem", "InventoryReport", "Invoice", "Library",
-      "Linkage", "List", "Location", "ManufacturedItemDefinition", "Measure",
-      "MeasureReport", "Media", "Medication", "MedicationAdministration",
-      "MedicationDispense", "MedicationKnowledge", "MedicationOrder",
-      "MedicationRequest", "MedicationStatement", "MedicinalProduct",
-      "MedicinalProductAuthorization", "MedicinalProductContraindication",
-      "MedicinalProductDefinition", "MedicinalProductIndication",
-      "MedicinalProductIngredient", "MedicinalProductInteraction",
-      "MedicinalProductManufactured", "MedicinalProductPackaged",
-      "MedicinalProductPharmaceutical", "MedicinalProductUndesirableEffect",
-      "MessageDefinition", "MessageHeader", "MolecularSequence", "NamingSystem",
-      "NutritionIntake", "NutritionOrder", "NutritionProduct", "Observation",
-      "ObservationDefinition", "OperationDefinition", "OperationOutcome",
-      "Order", "OrderResponse", "Organization", "OrganizationAffiliation",
-      "PackagedProductDefinition", "Patient", "PaymentNotice",
-      "PaymentReconciliation", "Permission", "Person", "PlanDefinition",
-      "Practitioner", "PractitionerRole", "Procedure", "ProcedureRequest",
-      "ProcessRequest", "ProcessResponse", "Provenance", "Questionnaire",
-      "QuestionnaireResponse", "ReferralRequest", "RegulatedAuthorization",
-      "RelatedPerson", "RequestGroup", "RequestOrchestration", "Requirements",
-      "ResearchDefinition", "ResearchElementDefinition", "ResearchStudy",
-      "ResearchSubject", "RiskAssessment", "RiskEvidenceSynthesis", "Schedule",
-      "SearchParameter", "Sequence", "ServiceDefinition", "ServiceRequest",
-      "Slot", "Specimen", "SpecimenDefinition", "StructureDefinition",
-      "StructureMap", "Subscription", "SubscriptionStatus", "SubscriptionTopic",
-      "Substance", "SubstanceDefinition", "SubstanceNucleicAcid",
-      "SubstancePolymer", "SubstanceProtein", "SubstanceReferenceInformation",
-      "SubstanceSourceMaterial", "SubstanceSpecification", "SupplyDelivery",
-      "SupplyRequest", "Task", "TerminologyCapabilities", "TestPlan",
-      "TestReport", "TestScript", "Transport", "ValueSet", "VerificationResult",
-      "VisionPrescription"
+      'Account', 'ActivityDefinition', 'ActorDefinition',
+      'AdministrableProductDefinition', 'AdverseEvent', 'AllergyIntolerance',
+      'Appointment', 'AppointmentResponse', 'ArtifactAssessment', 'AuditEvent',
+      'Basic', 'Binary', 'BiologicallyDerivedProduct',
+      'BiologicallyDerivedProductDispense', 'BodySite', 'BodyStructure',
+      'Bundle', 'CapabilityStatement', 'CarePlan', 'CareTeam', 'CatalogEntry',
+      'ChargeItem', 'ChargeItemDefinition', 'Citation', 'Claim',
+      'ClaimResponse', 'ClinicalImpression', 'ClinicalUseDefinition',
+      'CodeSystem', 'Communication', 'CommunicationRequest',
+      'CompartmentDefinition', 'Composition', 'ConceptMap', 'Condition',
+      'ConditionDefinition', 'Conformance', 'Consent', 'Contract', 'Coverage',
+      'CoverageEligibilityRequest', 'CoverageEligibilityResponse',
+      'DataElement', 'DetectedIssue', 'Device', 'DeviceAssociation',
+      'DeviceComponent', 'DeviceDefinition', 'DeviceDispense', 'DeviceMetric',
+      'DeviceRequest', 'DeviceUsage', 'DeviceUseRequest', 'DeviceUseStatement',
+      'DiagnosticOrder', 'DiagnosticReport', 'DocumentManifest',
+      'DocumentReference', 'EffectEvidenceSynthesis', 'EligibilityRequest',
+      'EligibilityResponse', 'Encounter', 'EncounterHistory', 'Endpoint',
+      'EnrollmentRequest', 'EnrollmentResponse', 'EpisodeOfCare',
+      'EventDefinition', 'Evidence', 'EvidenceReport', 'EvidenceVariable',
+      'ExampleScenario', 'ExpansionProfile', 'ExplanationOfBenefit',
+      'FamilyMemberHistory', 'Flag', 'FormularyItem', 'GenomicStudy', 'Goal',
+      'GraphDefinition', 'Group', 'GuidanceResponse', 'HealthcareService',
+      'ImagingManifest', 'ImagingObjectSelection', 'ImagingSelection',
+      'ImagingStudy', 'Immunization', 'ImmunizationEvaluation',
+      'ImmunizationRecommendation', 'ImplementationGuide', 'Ingredient',
+      'InsurancePlan', 'InventoryItem', 'InventoryReport', 'Invoice', 'Library',
+      'Linkage', 'List', 'Location', 'ManufacturedItemDefinition', 'Measure',
+      'MeasureReport', 'Media', 'Medication', 'MedicationAdministration',
+      'MedicationDispense', 'MedicationKnowledge', 'MedicationOrder',
+      'MedicationRequest', 'MedicationStatement', 'MedicinalProduct',
+      'MedicinalProductAuthorization', 'MedicinalProductContraindication',
+      'MedicinalProductDefinition', 'MedicinalProductIndication',
+      'MedicinalProductIngredient', 'MedicinalProductInteraction',
+      'MedicinalProductManufactured', 'MedicinalProductPackaged',
+      'MedicinalProductPharmaceutical', 'MedicinalProductUndesirableEffect',
+      'MessageDefinition', 'MessageHeader', 'MolecularSequence', 'NamingSystem',
+      'NutritionIntake', 'NutritionOrder', 'NutritionProduct', 'Observation',
+      'ObservationDefinition', 'OperationDefinition', 'OperationOutcome',
+      'Order', 'OrderResponse', 'Organization', 'OrganizationAffiliation',
+      'PackagedProductDefinition', 'Patient', 'PaymentNotice',
+      'PaymentReconciliation', 'Permission', 'Person', 'PlanDefinition',
+      'Practitioner', 'PractitionerRole', 'Procedure', 'ProcedureRequest',
+      'ProcessRequest', 'ProcessResponse', 'Provenance', 'Questionnaire',
+      'QuestionnaireResponse', 'ReferralRequest', 'RegulatedAuthorization',
+      'RelatedPerson', 'RequestGroup', 'RequestOrchestration', 'Requirements',
+      'ResearchDefinition', 'ResearchElementDefinition', 'ResearchStudy',
+      'ResearchSubject', 'RiskAssessment', 'RiskEvidenceSynthesis', 'Schedule',
+      'SearchParameter', 'Sequence', 'ServiceDefinition', 'ServiceRequest',
+      'Slot', 'Specimen', 'SpecimenDefinition', 'StructureDefinition',
+      'StructureMap', 'Subscription', 'SubscriptionStatus', 'SubscriptionTopic',
+      'Substance', 'SubstanceDefinition', 'SubstanceNucleicAcid',
+      'SubstancePolymer', 'SubstanceProtein', 'SubstanceReferenceInformation',
+      'SubstanceSourceMaterial', 'SubstanceSpecification', 'SupplyDelivery',
+      'SupplyRequest', 'Task', 'TerminologyCapabilities', 'TestPlan',
+      'TestReport', 'TestScript', 'Transport', 'ValueSet', 'VerificationResult',
+      'VisionPrescription'
     ].to_set.freeze
 
-    FHIR_ID_REGEX = /[A-Za-z0-9\-\.]{1,64}(\/_history\/[A-Za-z0-9\-\.]{1,64})?(#[A-Za-z0-9\-\.]{1,64})?/.freeze
+    FHIR_ID_REGEX = %r{[A-Za-z0-9\-\.]{1,64}(/_history/[A-Za-z0-9\-\.]{1,64})?(#[A-Za-z0-9\-\.]{1,64})?}
 
     def validate_required_fields_present(body, required_fields)
       missing_fields = required_fields.select { |field| body[field].blank? }
@@ -93,7 +93,7 @@ module SMARTAppLaunch
 
     def validate_scope_subset(received_scopes, original_scopes)
       extra_scopes = received_scopes.split - original_scopes.split
-      assert extra_scopes.empty?, "Token response contained scopes which are not a subset of the scope granted to the "\
+      assert extra_scopes.empty?, 'Token response contained scopes which are not a subset of the scope granted to the ' \
                                   "original access token: #{extra_scopes.join(', ')}"
     end
 
@@ -124,7 +124,6 @@ module SMARTAppLaunch
 
       fhir_context.each do |reference|
         assert !reference.start_with?('http'), "`#{reference}` is not a relative reference"
-
         resource_type, id = reference.split('/')
         assert FHIR_RESOURCE_TYPES.include?(resource_type),
                "`#{resource_type}` is not a valid FHIR resource type"
@@ -132,5 +131,75 @@ module SMARTAppLaunch
         assert id.match?(FHIR_ID_REGEX), "`#{id}` is not a valid FHIR id"
       end
     end
+
+    def check_fhir_context_reference(reference)
+      assert reference.is_a?(String), "`#{reference.inspect}` is not a String"
+      assert !reference.start_with?('http'), "`#{reference}` is not a relative reference"
+
+      resource_type, id = reference.split('/')
+
+      assert FHIR_RESOURCE_TYPES.include?(resource_type),
+             "`#{resource_type}` in `reference` is not a valid FHIR resource type"
+
+      assert id.match?(FHIR_ID_REGEX), "`#{id}` in `reference` is not a valid FHIR id"
+    end
+
+    def check_fhir_context_canonical(canonical)
+      assert canonical.is_a?(String), "`#{canonical.inspect}` is not a String"
+      assert canonical.start_with?('http'), "`#{canonical}` is not a canonical reference"
+
+      split_canonical = canonical.split('/')
+
+      if split_canonical.last.start_with?(/&|\|/)
+        resource_type = split_canonical[-3]
+        id = split_canonical[-2]
+      else
+        resource_type = split_canonical[-2]
+        id = split_canonical.last.split(/&|\|/).first
+      end
+
+      assert FHIR_RESOURCE_TYPES.include?(resource_type),
+             "`#{resource_type}` in `canonical` is not a valid FHIR resource type"
+
+      assert id.match?(FHIR_ID_REGEX), "`#{id}` in `canonical` is not a valid FHIR id"
+    end
+
+    def check_fhir_context_identifier(identifier)
+      assert identifier.is_a?(Hash), "`#{identifier.inspect}` is not an Object"
+    end
+
+    def validate_fhir_context_stu2_2(fhir_context)
+      return if fhir_context.nil?
+
+      assert fhir_context.is_a?(Array), "`fhirContext` field is a #{fhir_context.class.name}, but should be an Array"
+
+      fhir_context.each do |reference|
+        assert reference.is_a?(Hash), "`#{reference.inspect}` is not an Object"
+      end
+
+      fhir_context.each do |context|
+        reference = context['reference']
+        canonical = context['canonical']
+        identifier = context['identifier']
+
+        type = context['type']
+
+        assert reference.present? || canonical.present? || identifier.present?,
+               '`fhirContext` array SHALL include at least one of "reference", "canonical", or "identifier"'
+
+        check_fhir_context_reference(reference) if reference.present?
+        check_fhir_context_canonical(canonical) if canonical.present?
+        check_fhir_context_identifier(identifier) if identifier.present?
+
+        if (canonical.present? || identifier.present?) && type.blank?
+          info 'The `type` field is recommended when "canonical" or "identifier" is present in `fhirContext` object'
+        end
+
+        next unless type.present?
+
+        assert FHIR_RESOURCE_TYPES.include?(type),
+               "`#{type}` in `type` is not a valid FHIR resource type"
+      end
+    end
   end
 end

data/lib/smart_app_launch/token_refresh_stu2_group.rb

@@ -0,0 +1,46 @@
+require_relative 'token_refresh_stu2_test'
+require_relative 'token_refresh_body_test'
+require_relative 'token_response_headers_test'
+
+module SMARTAppLaunch
+  class TokenRefreshSTU2Group < Inferno::TestGroup
+    id :smart_token_refresh_stu2
+    title 'SMART Token Refresh'
+    short_description 'Demonstrate the ability to exchange a refresh token for an access token.'
+    description %(
+      # Background
+
+      The #{title} Sequence tests the ability of the system to successfully
+      exchange a refresh token for an access token. Refresh tokens are typically
+      longer lived than access tokens and allow client applications to obtain a
+      new access token Refresh tokens themselves cannot provide access to
+      resources on the server.
+
+      Token refreshes are accomplished through a `POST` request to the token
+      exchange endpoint as described in the [SMART App Launch
+      Framework](https://www.hl7.org/fhir/smart-app-launch/1.0.0/index.html#step-5-later-app-uses-a-refresh-token-to-obtain-a-new-access-token).
+
+      # Test Methodology
+
+      This test attempts to exchange the refresh token for a new access token
+      and verify that the information returned contains the required fields and
+      uses the proper headers.
+
+      For more information see:
+
+      * [The OAuth 2.0 Authorization
+        Framework](https://tools.ietf.org/html/rfc6749)
+      * [Using a refresh token to obtain a new access
+        token](https://www.hl7.org/fhir/smart-app-launch/1.0.0/index.html#step-5-later-app-uses-a-refresh-token-to-obtain-a-new-access-token)
+    )
+
+    test from: :smart_token_refresh_stu2
+    test from: :smart_token_refresh_body
+    test from: :smart_token_response_headers,
+         config: {
+           requests: {
+             token: { name: :token_refresh }
+           }
+         }
+  end
+end

data/lib/smart_app_launch/token_refresh_stu2_test.rb

@@ -0,0 +1,46 @@
+require_relative 'token_refresh_test'
+
+module SMARTAppLaunch
+  class TokenRefreshSTU2Test < TokenRefreshTest
+    include TokenPayloadValidation
+
+    id :smart_token_refresh_stu2
+    title 'Server successfully refreshes the access token when optional scope parameter omitted'
+    description %(
+      Server successfully exchanges refresh token at OAuth token endpoint
+      without providing scope in the body of the request.
+
+      Although not required in the token refresh portion of the SMART App
+      Launch Guide, the token refresh response should include the HTTP
+      Cache-Control response header field with a value of no-store, as well as
+      the Pragma response header field with a value of no-cache to be
+      consistent with the requirements of the inital access token exchange.
+    )
+    input :client_auth_type
+    input :client_auth_encryption_method, optional: true
+    input :client_secret, optional: true
+
+    def add_credentials_to_request(oauth2_headers, oauth2_params)
+      case client_auth_type
+      when 'public'
+        oauth2_params['client_id'] = client_id
+      when 'confidential_symmetric'
+        assert client_secret.present?,
+               "A client secret must be provided when using confidential symmetric client authentication."
+
+        credentials = Base64.strict_encode64("#{client_id}:#{client_secret}")
+        oauth2_headers['Authorization'] = "Basic #{credentials}"
+      when 'confidential_asymmetric'
+        oauth2_params.merge!(
+          client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+          client_assertion: ClientAssertionBuilder.build(
+            iss: client_id,
+            sub: client_id,
+            aud: smart_token_url,
+            client_auth_encryption_method: client_auth_encryption_method
+          )
+        )
+      end
+    end
+  end
+end

data/lib/smart_app_launch/token_refresh_test.rb

@@ -21,6 +21,15 @@ module SMARTAppLaunch
     output :smart_credentials, :token_retrieval_time
     makes_request :token_refresh
 
+    def add_credentials_to_request(oauth2_headers, oauth2_params)
+      if client_secret.present?
+        credentials = Base64.strict_encode64("#{client_id}:#{client_secret}")
+        oauth2_headers['Authorization'] = "Basic #{credentials}"
+      else
+        oauth2_params['client_id'] = client_id
+      end
+    end
+
     run do
       skip_if refresh_token.blank?
 
@@ -32,12 +41,7 @@ module SMARTAppLaunch
 
       oauth2_params['scope'] = received_scopes if config.options[:include_scopes]
 
-      if client_secret.present?
-        credentials = Base64.strict_encode64("#{client_id}:#{client_secret}")
-        oauth2_headers['Authorization'] = "Basic #{credentials}"
-      else
-        oauth2_params['client_id'] = client_id
-      end
+      add_credentials_to_request(oauth2_headers, oauth2_params)
 
       post(smart_token_url, body: oauth2_params, name: :token_refresh, headers: oauth2_headers)
 

data/lib/smart_app_launch/token_response_body_test_stu2_2.rb

@@ -0,0 +1,32 @@
+require_relative 'token_payload_validation'
+
+module SMARTAppLaunch
+  class TokenResponseBodyTestSTU22 < TokenResponseBodyTest
+    title 'Token exchange response body contains required information encoded in JSON'
+    description %(
+      The EHR authorization server shall return a JSON structure that includes
+      an access token or a message indicating that the authorization request
+      has been denied. `access_token`, `token_type`, and `scope` are required.
+      `token_type` must be Bearer. `expires_in` is required for token
+      refreshes.
+
+      The format of the optional `fhirContext` field is validated if present.
+    )
+    id :smart_token_response_body_stu2_2
+
+    input :requested_scopes
+    output :id_token,
+           :refresh_token,
+           :access_token,
+           :expires_in,
+           :patient_id,
+           :encounter_id,
+           :received_scopes,
+           :intent
+    uses_request :token
+
+    def validate_fhir_context(fhir_context)
+      validate_fhir_context_stu2_2(fhir_context)
+    end
+  end
+end

data/lib/smart_app_launch/version.rb

@@ -1,3 +1,3 @@
 module SMARTAppLaunch
-  VERSION = '0.4.2'.freeze
+  VERSION = '0.4.4'.freeze
 end

data/lib/smart_app_launch/well_known_endpoint_test.rb

@@ -13,6 +13,7 @@ module SMARTAppLaunch
     input :url,
           title: 'FHIR Endpoint',
           description: 'URL of the FHIR endpoint used by SMART applications'
+
     output :well_known_configuration,
            :well_known_authorization_url,
            :well_known_introspection_url,
@@ -34,9 +35,12 @@ module SMARTAppLaunch
       base_url = "#{url.chomp('/')}/"
       config = JSON.parse(request.response_body)
 
+      if config['introspection_endpoint'].present?
+        output well_known_introspection_url: make_url_absolute(base_url, config['introspection_endpoint'])
+      end
+
       output well_known_configuration: request.response_body,
              well_known_authorization_url: make_url_absolute(base_url, config['authorization_endpoint']),
-             well_known_introspection_url: make_url_absolute(base_url, config['introspection_endpoint']),
              well_known_management_url: make_url_absolute(base_url, config['management_endpoint']),
              well_known_registration_url: make_url_absolute(base_url, config['registration_endpoint']),
              well_known_revocation_url: make_url_absolute(base_url, config['revocation_endpoint']),

data/lib/smart_app_launch_test_kit.rb

@@ -2,3 +2,5 @@ require 'tls_test_kit'
 
 require_relative 'smart_app_launch/smart_stu1_suite'
 require_relative 'smart_app_launch/smart_stu2_suite'
+require_relative 'smart_app_launch/smart_stu2_2_suite'
+require_relative 'smart_app_launch/smart_access_brands_suite'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: smart_app_launch_test_kit
 version: !ruby/object:Gem::Version
-  version: 0.4.2
+  version: 0.4.4
 platform: ruby
 authors:
 - Stephen MacVicar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-03-25 00:00:00.000000000 Z
+date: 2024-10-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inferno_core
@@ -161,6 +161,7 @@ files:
 - lib/smart_app_launch/discovery_stu2_group.rb
 - lib/smart_app_launch/ehr_launch_group.rb
 - lib/smart_app_launch/ehr_launch_group_stu2.rb
+- lib/smart_app_launch/ehr_launch_group_stu2_2.rb
 - lib/smart_app_launch/jwks.rb
 - lib/smart_app_launch/launch_received_test.rb
 - lib/smart_app_launch/openid_connect_group.rb
@@ -172,22 +173,39 @@ files:
 - lib/smart_app_launch/openid_token_header_test.rb
 - lib/smart_app_launch/openid_token_payload_test.rb
 - lib/smart_app_launch/post_auth.html
+- lib/smart_app_launch/smart_access_brands_examples/r4_capability_statement.json
+- lib/smart_app_launch/smart_access_brands_group.rb
+- lib/smart_app_launch/smart_access_brands_retrieval_group.rb
+- lib/smart_app_launch/smart_access_brands_retrieve_bundle_test.rb
+- lib/smart_app_launch/smart_access_brands_suite.rb
+- lib/smart_app_launch/smart_access_brands_validate_brands_test.rb
+- lib/smart_app_launch/smart_access_brands_validate_bundle_test.rb
+- lib/smart_app_launch/smart_access_brands_validate_endpoint_urls_test.rb
+- lib/smart_app_launch/smart_access_brands_validate_endpoints_test.rb
+- lib/smart_app_launch/smart_access_brands_validation_group.rb
 - lib/smart_app_launch/smart_jwks.json
 - lib/smart_app_launch/smart_stu1_suite.rb
+- lib/smart_app_launch/smart_stu2_2_suite.rb
 - lib/smart_app_launch/smart_stu2_suite.rb
 - lib/smart_app_launch/standalone_launch_group.rb
 - lib/smart_app_launch/standalone_launch_group_stu2.rb
+- lib/smart_app_launch/standalone_launch_group_stu2_2.rb
 - lib/smart_app_launch/token_exchange_stu2_test.rb
 - lib/smart_app_launch/token_exchange_test.rb
 - lib/smart_app_launch/token_introspection_access_token_group.rb
+- lib/smart_app_launch/token_introspection_access_token_group_stu2_2.rb
 - lib/smart_app_launch/token_introspection_group.rb
+- lib/smart_app_launch/token_introspection_group_stu2_2.rb
 - lib/smart_app_launch/token_introspection_request_group.rb
 - lib/smart_app_launch/token_introspection_response_group.rb
 - lib/smart_app_launch/token_payload_validation.rb
 - lib/smart_app_launch/token_refresh_body_test.rb
 - lib/smart_app_launch/token_refresh_group.rb
+- lib/smart_app_launch/token_refresh_stu2_group.rb
+- lib/smart_app_launch/token_refresh_stu2_test.rb
 - lib/smart_app_launch/token_refresh_test.rb
 - lib/smart_app_launch/token_response_body_test.rb
+- lib/smart_app_launch/token_response_body_test_stu2_2.rb
 - lib/smart_app_launch/token_response_headers_test.rb
 - lib/smart_app_launch/url_helpers.rb
 - lib/smart_app_launch/version.rb
@@ -216,7 +234,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.5.9
 signing_key:
 specification_version: 4
 summary: Inferno Tests for the SMART Application Launch Framework Implementation Guide