smart_app_launch_test_kit 0.4.5 → 0.5.0

data/lib/smart_app_launch/metadata.rb

@@ -0,0 +1,75 @@
+require_relative 'version'
+
+module SMARTAppLaunch
+  class Metadata < Inferno::TestKit
+    id :smart_app_launch_test_kit
+    title 'SMART App Launch Test Kit'
+    description <<~DESCRIPTION
+      The SMART App Launch Test Kit primarily validates the conformance of an
+      authorization server implementation to a specified version of the [SMART
+      Application Launch Framework Implementation
+      Guide](http://hl7.org/fhir/smart-app-launch/index.html).  This Test Kit also
+      provides Brand Bundle Publisher testing for the User-access Brands and Endpoints
+      specification.  This Test Kit supports following versions of the SMART App
+      Launch IG: [STU1](https://hl7.org/fhir/smart-app-launch/1.0.0/),
+      [STU2](http://hl7.org/fhir/smart-app-launch/STU2/), and
+      [STU2.2](http://hl7.org/fhir/smart-app-launch/STU2.2/).
+      <!-- break -->
+
+      This Test Kit is [open
+      source](https://github.com/inferno-framework/smart-app-launch-test-kit#license)
+      and freely available for use or adoption by the health IT community including
+      EHR vendors, health app developers, and testing labs. It is built using the
+      [Inferno Framework](https://inferno-framework.github.io/inferno-core/). The
+      Inferno Framework is designed for reuse and aims to make it easier to build test
+      kits for any FHIR-based data exchange.
+
+      To run tests for a SMART App Launch authorization server, select one of the
+      "SMART App Launch" suites.  To run tests for a Brand Bundle Publisher, select
+      the "SMART User-access Brands and Endpoints" suite.
+
+      ## Status
+
+      The SMART App Launch Test Kit primarily verifies that systems correctly
+      implement the SMART App Launch IG for providing authorization and/or
+      authentication services to client applications accessing HL7 FHIR APIs.
+
+      The test kit currently tests the following requirements:
+      - Standalone Launch
+      - EHR Launch
+
+      It also tests the ability of a Brand Bundle Publisher to publish a valid brand
+      bundle as described in the User-access Brands and Endpoints specification.
+
+      See the test descriptions within the test kit for detail on the specific
+      validations performed as part of testing these requirements.
+
+      ## Repository
+
+      The SMART App Launch Test Kit GitHub repository can be [found
+      here](https://github.com/inferno-framework/smart-app-launch-test-kit).
+
+      ## Providing Feedback and Reporting Issues
+
+      We welcome feedback on the tests, including but not limited to the following
+      areas:
+
+      - Validation logic, such as potential bugs, lax checks, and unexpected failures.
+      - Requirements coverage, such as requirements that have been missed, tests that
+        necessitate features that the IG does not require, or other issues with the
+        interpretation of the IG's requirements.
+      - User experience, such as confusing or missing information in the test UI.
+
+      Please report any issues with this set of tests in the [issues
+      section](https://github.com/inferno-framework/smart-app-launch-test-kit/issues)
+      of the repository.
+    DESCRIPTION
+    suite_ids [:smart, :smart_stu2, :smart_stu2_2, :smart_access_brands]
+    tags ['SMART App Launch', 'Endpoint Publication']
+    last_updated LAST_UPDATED
+    version VERSION
+    maturity 'Medium'
+    authors ['Stephen MacVicar']
+    repo 'https://github.com/inferno-framework/smart-app-launch-test-kit'
+  end
+end

data/lib/smart_app_launch/openid_connect_group_stu2_2.rb

@@ -0,0 +1,40 @@
+require_relative 'cors_openid_fhir_user_claim_test'
+require_relative 'openid_connect_group'
+
+module SMARTAppLaunch
+  class OpenIDConnectGroupSTU22 < OpenIDConnectGroup
+    id :smart_openid_connect_stu2_2
+    title 'OpenID Connect'
+    short_description 'Demonstrate the ability to authenticate users with OpenID Connect.'
+
+    description %(
+      # Background
+
+      OpenID Connect (OIDC) provides the ability to verify the identity of the
+      authorizing user. Within the [SMART App Launch
+      Framework](https://www.hl7.org/fhir/smart-app-launch/STU2.2/), Applications can
+      request an `id_token` be provided with by including the `openid fhirUser`
+      scopes when requesting authorization.
+
+      # Test Methodology
+
+      This sequence validates the id token returned as part of the OAuth 2.0
+      token response. Once the token is decoded, the server's OIDC configuration
+      is retrieved from its well-known configuration endpoint. This
+      configuration is checked to ensure that all required fields are present.
+      Next the keys used to cryptographically sign the id token are retrieved
+      from the url contained in the OIDC configuration. Then the header,
+      payload, and signature of the id token are validated. Finally, the FHIR
+      resource from the `fhirUser` claim in the id token is fetched from the
+      FHIR server.
+
+      For more information see:
+
+      * [SMART App Launch Framework](https://www.hl7.org/fhir/smart-app-launch/STU2.2/)
+      * [Scopes for requesting identity data](https://www.hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context/index.html#scopes-for-requesting-identity-data)
+      * [Apps Requesting Authorization](https://www.hl7.org/fhir/smart-app-launch/STU2.2/index.html#step-1-app-asks-for-authorization)
+      * [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html)
+    )
+    test from: :smart_cors_openid_fhir_user_claim
+  end
+end

data/lib/smart_app_launch/smart_access_brands_examples/smart_access_brands_example.json.erb

@@ -0,0 +1,198 @@
+{
+  "resourceType" : "Bundle",
+  "id" : "example3",
+  "type" : "collection",
+  "timestamp" : "2023-09-05T20:23:42.723178-07:00",
+  "entry" : [
+    {
+      "fullUrl" : "https://examplehospital.fhirserver.org/Organization/examplehospital",
+      "resource" : {
+        "resourceType" : "Organization",
+        "id" : "examplehospital",
+        "extension" : [
+          {
+            "extension" : [
+              {
+                "url" : "brandLogo",
+                "valueUrl" : "https://fhirserver.org/examplehospital-ehr1/themes/custom/logo.svg"
+              }
+            ],
+            "url" : "http://hl7.org/fhir/StructureDefinition/organization-brand"
+          },
+          {
+            "extension" : [
+              {
+                "url" : "portalName",
+                "valueString" : "ExampleHospital Patient Gateway"
+              },
+              {
+                "url" : "portalUrl",
+                "valueUrl" : "https://patientgateway.examplehospital.ehr1.fhirserver.org"
+              },
+              {
+                "url" : "portalDescription",
+                "valueMarkdown" : "Patient Gateway is an online tool to help adult patients connect with health care providers, manage appointments, and refill prescriptions.\n"
+              },
+              {
+                "url" : "portalEndpoint",
+                "valueReference" : {
+                  "reference" : "https://ehr1.fhirserver.com/Endpoint/examplehospital-ehr1",
+                  "display" : "FHIR R4 Endpoint for EHR1"
+                }
+              }
+            ],
+            "url" : "http://hl7.org/fhir/StructureDefinition/organization-portal"
+          },
+          {
+            "extension" : [
+              {
+                "url" : "portalName",
+                "valueString" : "ExampleHospital Pediatric Portal"
+              },
+              {
+                "url" : "portalUrl",
+                "valueUrl" : "https://pediatrics.examplehospital.ehr2.fhirserver.org"
+              },
+              {
+                "url" : "portalDescription",
+                "valueMarkdown" : "Pediatric Portal is the entrypoint for pediatric patients."
+              },
+              {
+                "url" : "portalEndpoint",
+                "valueReference" : {
+                  "reference" : "https://ehr2.fhirserver.com/Endpoint/examplehospital-ehr2",
+                  "display" : "FHIR R4 Endpoint for EHR2"
+                }
+              }
+            ],
+            "url" : "http://hl7.org/fhir/StructureDefinition/organization-portal"
+          }
+        ],
+        "identifier" : [
+          {
+            "system" : "urn:ietf:rfc:3986",
+            "value" : "https://examplehospital.fhirserver.org"
+          }
+        ],
+        "active" : true,
+        "type" : [
+          {
+            "coding" : [
+              {
+                "system" : "http://terminology.hl7.org/CodeSystem/organization-type",
+                "code" : "prov",
+                "display" : "Healthcare Provider"
+              }
+            ]
+          }
+        ],
+        "name" : "ExampleHospital",
+        "alias" : [
+          "GoodHealth Healthcare"
+        ],
+        "telecom" : [
+          {
+            "system" : "url",
+            "value" : "https://examplehospital.fhirserver.org/contact"
+          }
+        ],
+        "address" : [
+          {
+            "city" : "Boston",
+            "state" : "MA"
+          },
+          {
+            "city" : "Newton",
+            "state" : "MA"
+          },
+          {
+            "city" : "Waltham",
+            "state" : "MA"
+          }
+        ],
+        "endpoint" : [
+          {
+            "reference" : "https://ehr1.fhirserver.com/Endpoint/examplehospital-ehr1",
+            "display" : "FHIR R4 Endpoint for EHR1"
+          },
+          {
+            "reference" : "https://ehr2.fhirserver.com/Endpoint/examplehospital-ehr2",
+            "display" : "FHIR R4 Endpoint for EHR2"
+          }
+        ]
+      }
+    },
+    {
+      "fullUrl" : "https://ehr1.fhirserver.com/Endpoint/examplehospital-ehr1",
+      "resource" : {
+        "resourceType" : "Endpoint",
+        "id" : "examplehospital-ehr1",
+        "extension" : [
+          {
+            "url" : "http://hl7.org/fhir/StructureDefinition/endpoint-fhir-version",
+            "valueCode" : "4.0.1"
+          }
+        ],
+        "status" : "active",
+        "connectionType" : {
+          "system" : "http://terminology.hl7.org/CodeSystem/endpoint-connection-type",
+          "code" : "hl7-fhir-rest"
+        },
+        "name" : "FHIR R4 Endpoint for ExampleHospital's EHR1 Patient Gateway",
+        "contact" : [
+          {
+            "system" : "url",
+            "value" : "https://open.ehr1.fhirserver.com"
+          }
+        ],
+        "payloadType" : [
+          {
+            "coding" : [
+              {
+                "system" : "http://terminology.hl7.org/CodeSystem/endpoint-payload-type",
+                "code" : "none"
+              }
+            ]
+          }
+        ],
+        "address" : "<%= Inferno::Application['base_url']  %>/custom/smart_access_brands/examples/r4_capability_statement"
+      }
+    },
+    {
+      "fullUrl" : "https://ehr2.fhirserver.com/Endpoint/examplehospital-ehr2",
+      "resource" : {
+        "resourceType" : "Endpoint",
+        "id" : "examplehospital-ehr2",
+        "extension" : [
+          {
+            "url" : "http://hl7.org/fhir/StructureDefinition/endpoint-fhir-version",
+            "valueCode" : "4.0.1"
+          }
+        ],
+        "status" : "active",
+        "connectionType" : {
+          "system" : "http://terminology.hl7.org/CodeSystem/endpoint-connection-type",
+          "code" : "hl7-fhir-rest"
+        },
+        "name" : "FHIR R4 Endpoint for ExampleHospital's EHR2 Pediatric Portal",
+        "contact" : [
+          {
+            "system" : "url",
+            "value" : "https://open.ehr2.fhirserver.com"
+          }
+        ],
+        "payloadType" : [
+          {
+            "coding" : [
+              {
+                "system" : "http://terminology.hl7.org/CodeSystem/endpoint-payload-type",
+                "code" : "none"
+              }
+            ]
+          }
+        ],
+        "address" : "<%= Inferno::Application['base_url']  %>/custom/smart_access_brands/examples/r4_capability_statement"
+      }
+    }
+  ]
+}

data/lib/smart_app_launch/smart_access_brands_suite.rb

@@ -5,7 +5,6 @@ module SMARTAppLaunch
     id 'smart_access_brands'
     title 'SMART User-access Brands and Endpoints STU2.2'
     short_title 'SMART User-access Brands'
-    version VERSION
 
     description <<~DESCRIPTION
       The SMART User-access Brands Test Suite verifies that Brand Bundle Publishers publish valid User-access
@@ -34,6 +33,10 @@ module SMARTAppLaunch
       Bundle as an input and leaving the User Access Brand Publication URL input blank.
     INSTRUCTIONS
 
+    source_code_url('https://github.com/inferno-framework/smart-app-launch-test-kit')
+    download_url('https://github.com/inferno-framework/smart-app-launch-test-kit/releases')
+    report_issue_url('https://github.com/inferno-framework/smart-app-launch-test-kit/issues')
+
     VALIDATION_MESSAGE_FILTERS = [
       /\A\S+: \S+: URL value '.*' does not resolve/,
       %r{\A\S+: \S+: Bundled or contained reference not found within the bundle/resource} # Validator issue with Brand profile: https://chat.fhir.org/#narrow/stream/291844-FHIR-Validator/topic/SMART.20v2.2E2.20User.20Access.20Brands.3A.20Brand.20validation.20error.3F/near/466321024

data/lib/smart_app_launch/smart_stu1_suite.rb

@@ -1,7 +1,6 @@
 require 'tls_test_kit'
 
 require_relative 'jwks'
-require_relative 'version'
 require_relative 'discovery_stu1_group'
 require_relative 'standalone_launch_group'
 require_relative 'ehr_launch_group'
@@ -12,7 +11,6 @@ module SMARTAppLaunch
   class SMARTSTU1Suite < Inferno::TestSuite
     id 'smart'
     title 'SMART App Launch STU1'
-    version VERSION
 
     resume_test_route :get, '/launch' do |request|
       request.query_parameters['iss']
@@ -34,15 +32,18 @@ module SMARTAppLaunch
     }
 
     description <<~DESCRIPTION
-      The SMART App Launch Test Suite verifies that systems correctly implement 
-      the [SMART App Launch IG](http://hl7.org/fhir/smart-app-launch/1.0.0/) 
-      for providing authorization and/or authentication services to client 
-      applications accessing HL7® FHIR® APIs. To get started, please first register 
+      The SMART App Launch Test Suite verifies that systems correctly implement
+      the [SMART App Launch IG](http://hl7.org/fhir/smart-app-launch/1.0.0/)
+      for providing authorization and/or authentication services to client
+      applications accessing HL7® FHIR® APIs. To get started, please first register
       the Inferno client as a SMART App with the following information:
 
       * SMART Launch URI: `#{config.options[:launch_uri]}`
       * OAuth Redirect URI: `#{config.options[:redirect_uri]}`
     DESCRIPTION
+    source_code_url('https://github.com/inferno-framework/smart-app-launch-test-kit')
+    download_url('https://github.com/inferno-framework/smart-app-launch-test-kit/releases')
+    report_issue_url('https://github.com/inferno-framework/smart-app-launch-test-kit/issues')
 
     group do
       title 'Standalone Launch'

data/lib/smart_app_launch/smart_stu2_2_suite.rb

@@ -1,20 +1,17 @@
 require 'tls_test_kit'
 
 require_relative 'jwks'
-require_relative 'version'
-require_relative 'discovery_stu2_group'
+require_relative 'discovery_stu2_2_group'
 require_relative 'standalone_launch_group_stu2_2'
 require_relative 'ehr_launch_group_stu2_2'
-require_relative 'openid_connect_group'
+require_relative 'openid_connect_group_stu2_2'
 require_relative 'token_introspection_group_stu2_2'
-require_relative 'token_refresh_stu2_group'
 require_relative 'backend_services_authorization_group'
 
 module SMARTAppLaunch
   class SMARTSTU22Suite < Inferno::TestSuite
     id 'smart_stu2_2'
     title 'SMART App Launch STU2.2'
-    version VERSION
 
     resume_test_route :get, '/launch' do |request|
       request.query_parameters['iss']
@@ -73,6 +70,9 @@ module SMARTAppLaunch
       If the token introspection endpoint of the system under test is NOT available at .well-known/smart-configuration,
       please run the test groups individually and group 3 Token Introspection will include the introspection endpoint as a manual input.
     )
+    source_code_url('https://github.com/inferno-framework/smart-app-launch-test-kit')
+    download_url('https://github.com/inferno-framework/smart-app-launch-test-kit/releases')
+    report_issue_url('https://github.com/inferno-framework/smart-app-launch-test-kit/issues')
 
     group do
       title 'Standalone Launch'
@@ -92,10 +92,10 @@ module SMARTAppLaunch
 
       run_as_group
 
-      group from: :smart_discovery_stu2
+      group from: :smart_discovery_stu2_2
       group from: :smart_standalone_launch_stu2_2
 
-      group from: :smart_openid_connect,
+      group from: :smart_openid_connect_stu2_2,
             config: {
               inputs: {
                 id_token: { name: :standalone_id_token },
@@ -167,11 +167,11 @@ module SMARTAppLaunch
 
       run_as_group
 
-      group from: :smart_discovery_stu2
+      group from: :smart_discovery_stu2_2
 
       group from: :smart_ehr_launch_stu2_2
 
-      group from: :smart_openid_connect,
+      group from: :smart_openid_connect_stu2_2,
             config: {
               inputs: {
                 id_token: { name: :ehr_id_token },
@@ -237,7 +237,7 @@ module SMARTAppLaunch
 
       run_as_group
 
-      group from: :smart_discovery_stu2
+      group from: :smart_discovery_stu2_2
       group from: :backend_services_authorization
     end
 

data/lib/smart_app_launch/smart_stu2_suite.rb

@@ -1,7 +1,6 @@
 require 'tls_test_kit'
 
 require_relative 'jwks'
-require_relative 'version'
 require_relative 'discovery_stu2_group'
 require_relative 'standalone_launch_group_stu2'
 require_relative 'ehr_launch_group_stu2'
@@ -14,7 +13,6 @@ module SMARTAppLaunch
   class SMARTSTU2Suite < Inferno::TestSuite
     id 'smart_stu2'
     title 'SMART App Launch STU2'
-    version VERSION
 
     resume_test_route :get, '/launch' do |request|
       request.query_parameters['iss']
@@ -42,10 +40,10 @@ module SMARTAppLaunch
     }
 
     description <<~DESCRIPTION
-      The SMART App Launch Test Suite verifies that systems correctly implement 
-      the [SMART App Launch IG](http://hl7.org/fhir/smart-app-launch/STU2/) 
-      for providing authorization and/or authentication services to client 
-      applications accessing HL7® FHIR® APIs. To get started, please first register 
+      The SMART App Launch Test Suite verifies that systems correctly implement
+      the [SMART App Launch IG](http://hl7.org/fhir/smart-app-launch/STU2/)
+      for providing authorization and/or authentication services to client
+      applications accessing HL7® FHIR® APIs. To get started, please first register
       the Inferno client as a SMART App with the following information:
 
       * SMART Launch URI: `#{config.options[:launch_uri]}`
@@ -59,17 +57,20 @@ module SMARTAppLaunch
 
     input_instructions %(
       When running tests at this level, the token introspection endpoint is not available as a manual input.
-      Instead, group 3 Token Introspection will assume the token introspection endpoint 
+      Instead, group 3 Token Introspection will assume the token introspection endpoint
       will be output from group 1 Standalone Launch tests, specifically the SMART On FHIR Discovery tests that query
       the .well-known/smart-configuration endpoint. However, including the token introspection
       endpoint as part of the well-known ouput is NOT required and is not formally checked in the SMART On FHIR Discovery
       tests.  RFC-7662 on Token Introspection says that "The means by which the protected resource discovers the location of the introspection
       endpoint are outside the scope of this specification" and the Token Introspection IG does not add any further
-      requirements to this.  
+      requirements to this.
 
-      If the token introspection endpoint of the system under test is NOT available at .well-known/smart-configuration, 
-      please run the test groups individually and group 3 Token Introspection will include the introspection endpoint as a manual input.  
+      If the token introspection endpoint of the system under test is NOT available at .well-known/smart-configuration,
+      please run the test groups individually and group 3 Token Introspection will include the introspection endpoint as a manual input.
     )
+    source_code_url('https://github.com/inferno-framework/smart-app-launch-test-kit')
+    download_url('https://github.com/inferno-framework/smart-app-launch-test-kit/releases')
+    report_issue_url('https://github.com/inferno-framework/smart-app-launch-test-kit/issues')
 
     group do
       title 'Standalone Launch'

data/lib/smart_app_launch/standalone_launch_group_stu2_2.rb

@@ -1,5 +1,7 @@
 require_relative 'token_response_body_test_stu2_2'
 require_relative 'standalone_launch_group_stu2'
+require_relative 'cors_token_exchange_test'
+require_relative 'token_exchange_stu2_2_test'
 
 module SMARTAppLaunch
   class StandaloneLaunchGroupSTU22 < StandaloneLaunchGroupSTU2
@@ -44,9 +46,21 @@ module SMARTAppLaunch
       }
     )
 
+    test from: :smart_token_exchange_stu2_2
+
+    token_exchange_index = children.find_index { |child| child.id.to_s.end_with? 'token_exchange' }
+    children[token_exchange_index] = children.pop
+
     test from: :smart_token_response_body_stu2_2
 
     token_response_body_index = children.find_index { |child| child.id.to_s.end_with? 'token_response_body' }
     children[token_response_body_index] = children.pop
+
+    test from: :smart_cors_token_exchange,
+         config: {
+           requests: {
+             cors_token_request: { name: :standalone_token }
+           }
+         }
   end
 end

data/lib/smart_app_launch/token_exchange_stu2_2_test.rb

@@ -0,0 +1,30 @@
+require_relative 'token_exchange_stu2_test'
+
+module SMARTAppLaunch
+  class TokenExchangeSTU22Test < TokenExchangeSTU2Test
+    id :smart_token_exchange_stu2_2
+
+    def add_credentials_to_request(oauth2_params, oauth2_headers)
+      if client_auth_type == 'confidential_symmetric'
+        assert client_secret.present?,
+               'A client secret must be provided when using confidential symmetric client authentication.'
+
+        client_credentials = "#{client_id}:#{client_secret}"
+        oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
+      elsif client_auth_type == 'public'
+        oauth2_params[:client_id] = client_id
+        oauth2_headers['Origin'] = Inferno::Application['inferno_host']
+      else
+        oauth2_params.merge!(
+          client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+          client_assertion: ClientAssertionBuilder.build(
+            iss: client_id,
+            sub: client_id,
+            aud: smart_token_url,
+            client_auth_encryption_method:
+          )
+        )
+      end
+    end
+  end
+end

data/lib/smart_app_launch/token_exchange_test.rb

@@ -51,7 +51,7 @@ module SMARTAppLaunch
       skip_if request.query_parameters['error'].present?, 'Error during authorization request'
 
       oauth2_params = {
-        code: code,
+        code:,
         redirect_uri: config.options[:redirect_uri],
         grant_type: 'authorization_code'
       }
@@ -59,9 +59,7 @@ module SMARTAppLaunch
 
       add_credentials_to_request(oauth2_params, oauth2_headers)
 
-      if use_pkce == 'true'
-        oauth2_params[:code_verifier] = pkce_code_verifier
-      end
+      oauth2_params[:code_verifier] = pkce_code_verifier if use_pkce == 'true'
 
       post(smart_token_url, body: oauth2_params, name: :token, headers: oauth2_headers)
 
@@ -72,17 +70,15 @@ module SMARTAppLaunch
 
       token_response_body = JSON.parse(request.response_body)
 
-
       output smart_credentials: {
-               refresh_token: token_response_body['refresh_token'],
-               access_token: token_response_body['access_token'],
-               expires_in: token_response_body['expires_in'],
-               client_id: client_id,
-               client_secret: client_secret,
-               token_retrieval_time: token_retrieval_time,
-               token_url: smart_token_url
-             }.to_json
-      
+        refresh_token: token_response_body['refresh_token'],
+        access_token: token_response_body['access_token'],
+        expires_in: token_response_body['expires_in'],
+        client_id:,
+        client_secret:,
+        token_retrieval_time:,
+        token_url: smart_token_url
+      }.to_json
     end
   end
 end

data/lib/smart_app_launch/token_introspection_access_token_group_stu2_2.rb

@@ -1,7 +1,7 @@
 require_relative 'standalone_launch_group_stu2_2'
 
 module SMARTAppLaunch
-  class SMARTTokenIntrospectionAccessTokenGroupSTU22 < SMARTTokenIntrospectionAccessTokenGroup
+  class SMARTTokenIntrospectionAccessTokenGroupSTU22 < Inferno::TestGroup
     title 'Request New Access Token to Introspect'
     run_as_group
 
@@ -20,9 +20,7 @@ module SMARTAppLaunch
       Register Inferno as a Standalone SMART App and provide the registration details below.
     )
 
+    group from: :smart_discovery_stu2_2
     group from: :smart_standalone_launch_stu2_2
-
-    standalone_launch_index = children.find_index { |child| child.id.to_s.end_with? 'standalone_launch_stu2' }
-    children[standalone_launch_index] = children.pop
   end
 end

data/lib/smart_app_launch/token_introspection_group.rb

@@ -57,13 +57,12 @@ module SMARTAppLaunch
 
       If the introspection endpoint is protected, testers must enter their own HTTP Authorization header for the introspection request.  See
       [RFC 7616 The 'Basic' HTTP Authentication Scheme](https://datatracker.ietf.org/doc/html/rfc7617) for the most common
-      approach that uses client credentials.  Testers may also provide any additional parameters needed for their authorization 
+      approach that uses client credentials.  Testers may also provide any additional parameters needed for their authorization
       server to complete the introspection request.
 
       **Note:** For both the Authorization header and request parameters, user-input
       values will be sent exactly as entered and therefore the tester must
       URI-encode any appropriate values.
     )
-
   end
 end

data/lib/smart_app_launch/token_introspection_group_stu2_2.rb

@@ -43,26 +43,5 @@ module SMARTAppLaunch
 
     access_token_group_index = children.find_index { |child| child.id.to_s.end_with? 'access_token_group' }
     children[access_token_group_index] = children.pop
-
-    input_order :url, :standalone_client_id, :standalone_client_secret,
-                :authorization_method, :use_pkce, :pkce_code_challenge_method,
-                :standalone_requested_scopes, :client_auth_encryption_method,
-                :client_auth_type, :custom_authorization_header,
-                :optional_introspection_request_params
-    input_instructions %(
-      Executing tests at this level will run all three Token Introspection groups back-to-back.  If test groups need
-      to be run independently, exit this window and select a specific test group instead.
-
-      These tests are currently designed such that the token introspection URL must be present in the SMART well-known endpoint.
-
-      If the introspection endpoint is protected, testers must enter their own HTTP Authorization header for the introspection request.  See
-      [RFC 7616 The 'Basic' HTTP Authentication Scheme](https://datatracker.ietf.org/doc/html/rfc7617) for the most common
-      approach that uses client credentials.  Testers may also provide any additional parameters needed for their authorization
-      server to complete the introspection request.
-
-      **Note:** For both the Authorization header and request parameters, user-input
-      values will be sent exactly as entered and therefore the tester must
-      URI-encode any appropriate values.
-    )
   end
 end