smart_app_launch_test_kit 0.6.0 → 0.6.2

data/lib/smart_app_launch/client_suite/token_request_alp_verification_test.rb

@@ -0,0 +1,48 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_smart_server'
+require_relative 'authentication_verification'
+require_relative 'client_descriptions'
+require_relative 'client_options'
+require_relative 'token_request_verification'
+
+module SMARTAppLaunch
+  class SMARTClientTokenRequestAppLaunchPublicVerification < Inferno::Test
+    include URLs
+    include AuthenticationVerification
+    include TokenRequestVerification
+
+    id :smart_client_token_request_alp_verification
+    title 'Verify SMART Token Requests'
+    description %(
+      Check that SMART token requests are conformant.
+    )
+
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          optional: false,
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    
+    output :smart_tokens
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      SMARTAppLaunch::SMARTClientSTU22Suite.id
+    end
+    
+    run do
+      load_tagged_requests(TOKEN_TAG, SMART_TAG, AUTHORIZATION_CODE_TAG)
+      skip_if requests.blank?, 'No SMART authorization code token requests made.'
+      load_tagged_requests(TOKEN_TAG, SMART_TAG, REFRESH_TOKEN_TAG) # verify refresh_requests as well
+
+      verify_token_requests(AUTHORIZATION_CODE_TAG, PUBLIC_TAG)
+
+      assert messages.none? { |msg|
+        msg[:type] == 'error'
+      }, 'Invalid token requests received. See messages for details.'
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/token_request_bsca_verification_test.rb

@@ -0,0 +1,53 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_smart_server'
+require_relative 'authentication_verification'
+require_relative 'client_descriptions'
+require_relative 'client_options'
+require_relative 'token_request_verification'
+
+
+module SMARTAppLaunch
+  class SMARTClientTokenRequestBackendServicesConfidentialAsymmetricVerification < Inferno::Test
+    include URLs
+    include AuthenticationVerification
+    include TokenRequestVerification
+
+    id :smart_client_token_request_bsca_verification
+    title 'Verify SMART Token Requests'
+    description %(
+        Check that SMART token requests are conformant.
+      )
+
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :smart_jwk_set,
+          title: 'JSON Web Key Set (JWKS)',
+          type: 'textarea',
+          locked: true,
+          description: INPUT_CLIENT_JWKS_DESCRIPTION_LOCKED
+    
+    output :smart_tokens
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      SMARTAppLaunch::SMARTClientSTU22Suite.id
+    end
+
+    run do
+      load_tagged_requests(TOKEN_TAG, SMART_TAG, CLIENT_CREDENTIALS_TAG)
+      skip_if requests.blank?, 'No SMART token requests made.'
+      load_tagged_requests(TOKEN_TAG, SMART_TAG, REFRESH_TOKEN_TAG) # verify refresh_requests as well (shouldn't be any)
+
+      verify_token_requests(CLIENT_CREDENTIALS_TAG, CONFIDENTIAL_ASYMMETRIC_TAG)
+
+      assert messages.none? { |msg|
+        msg[:type] == 'error'
+      }, 'Invalid token requests received. See messages for details.'
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/token_request_verification.rb

@@ -0,0 +1,116 @@
+module SMARTAppLaunch
+  module TokenRequestVerification
+    
+    def verify_token_requests(oauth_flow, authentication_approach)
+      jti_list = []
+      token_list = []
+      requests.each_with_index do |token_request, index|
+        request_params = URI.decode_www_form(token_request.request_body).to_h
+        request_params['grant_type'] != 'refresh_token' ?
+          check_request_params(request_params, oauth_flow, authentication_approach, index + 1) :
+          check_refresh_request_params(request_params, oauth_flow, authentication_approach, index + 1)
+        check_authentication(authentication_approach, token_request, request_params, jti_list, index + 1)
+        
+        token_list << extract_token_from_response(token_request)
+      end
+
+      output smart_tokens: token_list.compact.join("\n")
+    end
+    
+    def check_request_params(params, oauth_flow, authentication_approach, request_num)
+      if params['grant_type'] != oauth_flow
+        add_message('error',
+                    "Token request #{request_num} had an incorrect `grant_type`: expected #{oauth_flow}, " \
+                    "but got '#{params['grant_type']}'")
+      end
+      if authentication_approach == CONFIDENTIAL_ASYMMETRIC_TAG && 
+         params['client_assertion_type'] != 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
+        add_message('error',
+                    "Confidential asymmetric token request #{request_num} had an incorrect `client_assertion_type`: " \
+                    "expected 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer', " \
+                    "but got '#{params['client_assertion_type']}'")
+      end
+      if oauth_flow == CLIENT_CREDENTIALS_TAG && params['scope'].blank?
+        add_message('error', "Client credentials token request #{request_num} did not include the requested `scope`")
+      end
+      if authentication_approach == PUBLIC_TAG && params['client_id'] != client_id
+        add_message('error', "Public client token request #{request_num} had an incorrect `client` value: " \
+                             "expected '#{client_id}' but got '#{params['client_id']}'")
+      end
+
+      check_authorization_code_request_params(params, request_num) if oauth_flow == AUTHORIZATION_CODE_TAG
+
+      nil
+    end
+
+    def check_authorization_code_request_params(params, request_num)
+      if params['code'].present?
+
+        authorization_request = MockSMARTServer.authorization_request_for_code(params['code'], test_session_id)
+
+        if authorization_request.present?
+          authorization_body = MockSMARTServer.authorization_code_request_details(authorization_request)
+
+          if params['redirect_uri'] != authorization_body['redirect_uri']
+            add_message('error', "Authorization code token request #{request_num} included an incorrect " \
+                                 "`redirect_uri` value: expected '#{authorization_body['redirect_uri']} " \
+                                 "but got '#{params['redirect_uri']}'")
+          end
+
+          pkce_error = MockSMARTServer.pkce_error(params['code_verifier'],
+                                                  authorization_body['code_challenge'],
+                                                  authorization_body['code_challenge_method'])
+          if pkce_error.present?
+            add_message('error', 'Error performing pkce verification on the `code_verifier` value in ' \
+                                 "authorization code token request #{request_num}: #{pkce_error}")
+          end
+        else
+          add_message('error', "Authorization code token request #{request_num} included a code not " \
+                               "issued during this test session: '#{params['code']}'")
+        end
+      else
+        add_message('error', "Authorization code token request #{request_num} missing a `code`")
+      end
+    end
+
+    def check_refresh_request_params(params, oauth_flow, authentication_approach, request_num)
+      if oauth_flow == CLIENT_CREDENTIALS_TAG
+        add_message('error',
+                    "Invalid refresh request #{request_num} found during client_credentials flow.")
+        return
+      end
+      
+      if params['grant_type'] != 'refresh_token'
+        add_message('error',
+                    "Refresh request #{request_num} had an incorrect `grant_type`: expected 'refresh_token', " \
+                    "but got '#{params['grant_type']}'")
+      end
+      if authentication_approach == CONFIDENTIAL_ASYMMETRIC_TAG && 
+          params['client_assertion_type'] != 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
+        add_message('error',
+                    "Confidential asymmetric refresh request #{request_num} had an incorrect `client_assertion_type`: " \
+                    "expected 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer', " \
+                    "but got '#{params['client_assertion_type']}'")
+      end
+
+      authorization_code = MockSMARTServer.refresh_token_to_authorization_code(params['refresh_token'])
+      authorization_request = MockSMARTServer.authorization_request_for_code(authorization_code, test_session_id)
+      if authorization_request.present?
+        # todo - check that the scope is a subset of the original authorization code request
+      else
+        add_message('error', "Authorization code token refresh request #{request_num} included a refresh token not " \
+                             "issued during this test session: '#{params['refresh_token']}'")
+      end
+
+      nil
+    end
+
+    def extract_token_from_response(request)
+      return unless request.status == 200
+
+      JSON.parse(request.response_body)&.dig('access_token')
+    rescue
+      nil
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/token_use_verification_test.rb

@@ -0,0 +1,40 @@
+require_relative '../tags'
+require_relative '../endpoints/mock_smart_server'
+
+module SMARTAppLaunch
+  class SMARTClientTokenUseVerification < Inferno::Test
+    id :smart_client_token_use_verification
+    title 'Verify SMART Token Use'
+    description %(
+        Check that a SMART token returned to the client was used for request
+        authentication.
+      )
+
+    input :smart_tokens, # from :smart_client_token_request_verification
+          optional: true # verified in the test to return a more specific error message
+
+    def access_request_tags
+      return config.options[:access_request_tags] if config.options[:access_request_tags].present?
+
+      [ACCESS_TAG]
+    end
+
+    run do
+      access_requests = access_request_tags.map do |access_request_tag|
+        load_tagged_requests(access_request_tag).reject { |access| access.status == 401 }
+      end.flatten
+      obtained_tokens = smart_tokens&.split("\n")
+
+      skip_if obtained_tokens.blank?, 'No token requests made.'
+      skip_if access_requests.blank?, 'No successful access requests made.'
+
+      used_tokens = access_requests.map do |access_request|
+        access_request.request_headers.find do |header|
+          header.name.downcase == 'authorization'
+        end&.value&.delete_prefix('Bearer ')
+      end.compact
+
+      assert (used_tokens & obtained_tokens).present?, 'Returned tokens never used in any requests.'
+    end
+  end
+end

data/lib/smart_app_launch/docs/demo/FHIR Request.postman_collection.json

@@ -0,0 +1,81 @@
+{
+	"info": {
+		"_postman_id": "22f52416-c6ae-4ffc-a388-54616465d149",
+		"name": "FHIR Request",
+		"description": "Make a simple FHIR request with a specific bearer token. Useful for security client tests like SMART and UDAP.\n\n- base_url: points to a running instance of inferno. Typical values will be\n    \n    - Inferno production: [https://inferno.healthit.gov/suites](https://inferno.healthit.gov/suites)\n        \n    - Inferno QA: [https://inferno-qa.healthit.gov/suites](https://inferno-qa.healthit.gov/suites)\n        \n    - Local docker: [http://localhost](http://localhost)\n        \n    - Local development: [http://localhost:4567](http://localhost:4567)",
+		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
+		"_exporter_id": "32597978"
+	},
+	"item": [
+		{
+			"name": "Patient Read",
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{bearer_token}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{base_url}}/custom/{{target_suite}}/fhir/Patient/example",
+					"host": [
+						"{{base_url}}"
+					],
+					"path": [
+						"custom",
+						"{{target_suite}}",
+						"fhir",
+						"Patient",
+						"example"
+					]
+				}
+			},
+			"response": []
+		}
+	],
+	"event": [
+		{
+			"listen": "prerequest",
+			"script": {
+				"type": "text/javascript",
+				"packages": {},
+				"exec": [
+					""
+				]
+			}
+		},
+		{
+			"listen": "test",
+			"script": {
+				"type": "text/javascript",
+				"packages": {},
+				"exec": [
+					""
+				]
+			}
+		}
+	],
+	"variable": [
+		{
+			"key": "base_url",
+			"value": "https://inferno.healthit.gov/suites",
+			"type": "string"
+		},
+		{
+			"key": "target_suite",
+			"value": "smart_client_stu2_2",
+			"type": "string"
+		},
+		{
+			"key": "bearer_token",
+			"value": "",
+			"type": "string"
+		}
+	]
+}

data/lib/smart_app_launch/docs/smart_stu2_2_client_suite_description.md

@@ -0,0 +1,208 @@
+## Overview
+
+The SMART App Launch STU 2.2 Client Test Suite verifies the conformance of
+client systems to the STU 2.2.0 version of the HL7® FHIR®
+[SMART App Launch IG](https://hl7.org/fhir/smart-app-launch/STU2.2/).
+
+## Scope
+
+The SMART App Launch Client Test Suite verifies that systems correctly implement
+the aproach specified in the [SMART App Launch IG](http://hl7.org/fhir/smart-app-launch/STU2.2/)
+for authorizing and potentially authenticating with a server in order to gain 
+access to HL7® FHIR® APIs. The suite contains options for testing clients that follow the
+- [App Launch flow](https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html), for
+  - Public clients not authenticating with the server.
+  - Confidential clients using [symmetric authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html).
+  - Confidential clients using [asymmetric authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html).
+- [Backend Services flow](https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html),
+  which requires clients to use [asymmetric authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html).
+
+These tests are a **DRAFT** intended to allow implementers to perform
+preliminary checks of their systems against SMART requirements and 
+[provide feedback](https://github.com/inferno-framework/smart-app-launch-test-kit/issues)
+on the tests. Future versions of these tests may verify other
+requirements and may change the test verification logic.
+
+## Test Methodology
+
+For these tests Inferno simulates a SMART server. Testers will
+1. Choose which type of client to test during test session initialization.
+1. Provide registration details specific to the chosen client type as inputs,
+   including authentication details and optionally a client id if a specific
+   one should be used.
+2. Follow the appropriate SMART flow to request an access token using the
+   registered client id.
+3. Use that access token on a FHIR API request.
+
+The simulated server is relatively permissive in the sense that it will often
+provide successful responses even when the request is not conformant. When
+requesting authorization codes and access tokens, Inferno will provide one as
+long as it can find the client id and verify authentication. This allows incomplete
+systems to run the tests. However, these non-conformant requests will be flagged by
+the tests as failures so that systems will not pass the tests without being
+fully conformant.
+
+## Running the Tests
+
+### Quick Start
+
+Depending on which type of client was selected, the following inputs must be provided
+at a minimum by the tester to execute any tests in this suite:
+- **SMART App Launch Redirect URI(s)** (required for all *SMART App Launch* clients):
+  A comma-separated list of one or more URIs that the app will sepcify as the target
+  of the redirect for Inferno to use when providing the authorization code.
+- **SMART Confidential Symmetric Client Secret** (required for the *SMART App Launch Confidential
+  Symmetric* clients only)): The client secret that the confidential symmetric client will send with
+  token requests to authenticate the client to Inferno.
+- **SMART JSON Web Key Set (JWKS)** (required for *Confidential Asymmetric* clients): The SMART
+  client's public JSON Web Key Set including key(s) that Inferno will use to verify the signature
+  on incoming token requests. May be provided as either a publicly accessible url containing the
+  JWKS, or the raw JWKS.
+
+The *Additional Inputs* section below describes options available to customize
+the behavior of Inferno's server simulation.
+
+### Demonstration
+
+To try out these tests without a SMART client implementation, these tests can be demonstrated
+using the SMART App Launch server test suite.
+
+#### App Launch Demonstration
+
+1. Start an instance of the SMART App Launch STU2.2 Client test suite and choose
+   *SMART App Launch* options as the SMART Client Type: Public, Confidential Symmetric,
+   or Confidential Asymmetric. Remember the choice for later use.
+1. From the drop down in the upper left, select preset "Demo: Run Against the SMART Server Suite".
+1. Click the "RUN ALL TESTS" button in the upper right and click "SUBMIT".
+1. In a new tab, start an instance of the SMART App Launch STU2.2 Test Suite.
+1. From the drop down in the upper left, select the "Demo: Run Against the SMART Client Suite
+   ([security type])" preset corresponding to the client type choice made in step 1.
+1. Select test group **1** Standalone Launch from the left panel, click the "RUN TESTS" button
+   in the upper right, and click "SUBMIT". When prompted, click the link to authorize and
+   the tests will run to completion.
+1. Select test group **2** EHR Launch from the left panel, click the "RUN TESTS" button
+   in the upper right, and click "SUBMIT".
+1. When prompted to launch the app, return to the Client tests and open the `launch` link
+   in a new tab which will open a new copy of the server tests.
+1. When prompted in the new tab, click the link to authorize and the tests will run to completion.
+1. Select test group **4** Token Introspection from the left panel, click the "RUN ALL TESTS" button
+   in the upper right, and click "SUBMIT". When prompted, click the link to authorize and
+   the tests will run to completion.
+1. Return to the client tests and click the link to continue and complete the tests.
+
+The client tests should pass. The server tests are expected to have errors in the Token Introspection
+tests for the invalid token tests because Inferno is not able to associate the invalid token introspection
+test with the client session.
+
+#### Backend Services Demonstration
+
+The Backend Services server tests do not make a data access request, so a simple HTTP request
+generator in needed to demonstrate the Backend Services client tests. The following
+steps use [Postman](https://www.postman.com/) to generate the access request using 
+[this collection](https://github.com/inferno-framework/smart-app-launch-test-kit/blob/main/lib/smart_app_launch/docs/demo/FHIR%20Request.postman_collection.json). Install the app and import the collection before following these
+steps.
+
+1. Start an instance of the SMART App Launch STU2.2 Client test suite and choose
+   *SMART Backend Services Confidential Asymmetric Client* as the SMART Client Type.
+2. From the drop down in the upper left, select preset "Demo: Run Against the SMART Server Suite".
+3. Click the "RUN ALL TESTS" button in the upper right and click "SUBMIT".
+4. In a new tab, start an instance of the SMART App Launch STU2.2 Test Suite.
+5. From the drop down in the upper left, select preset "Demo: Run Against the SMART Client Suite (Confidential Asymmetric)".
+6. Select test group **3** Backend Services from the left panel, click the "RUN TESTS" button
+   in the upper right, and click "SUBMIT".
+7. Find the access token to use for the data access request by opening test **3.2.05** Authorization
+   request succeeds when supplied correct information, click on the "REQUESTS" tab, clicking on the "DETAILS"
+   button, and expanding the "Response Body". Copy the "access_token" value, which will be a ~100 character
+   string of letters and numbers (e.g., eyJjbGllbnRfaWQiOiJzbWFydF9jbGllbnRfdGVzdF9kZW1vIiwiZXhwaXJhdGlvbiI6MTc0MzUxNDk4Mywibm9uY2UiOiJlZDI5MWIwNmZhMTE4OTc4In0).
+8. Open Postman and open the "FHIR Request" Collection. Click the "Variables" tab and add the copied access token
+   as the current value of the `bearer_token` variable. Also update the
+   `base_url` value for where the test is running (see details on the "Overview" tab).
+   Save the collection.
+9. Select the "Patient Read" request and click "Send". A FHIR Patient resource should be returned.
+10. Return to the client tests and click the link to continue and complete the tests.
+
+The client tests should pass with the exception of test **1.2.02** Verify SMART Token Requests. This is
+expected as the Server tests make several intentionally invalid token requests. Inferno's simulated SMART
+server responds successfully to those requests when the client id can be identified, but flags them as
+not conformant causing these expected failures. Because responding with an access token to non-conformant
+token requests is itself not conformant there are corresponding failures on the server test in tests **3.2.02**,
+**3.2.03**, and **3.2.04**.
+
+### Additional Inputs
+
+#### Additional Registration Inputs
+
+Testers have the option to provide two additional SMART registration details:
+- **Client Id**: Testers may specify a client id for Inferno to use for the test session if they
+  have one already configured.
+- **SMART App Launch URL(s)** (available for all *SMART App Launch* clients): To demonstrate an EHR
+  launch, provide one or more URLs, separated by commas, that Inferno can use to launch the app.
+
+#### Inputs Controlling Token Responses
+
+Inferno's SMART simulation does not include the details needed to populate
+the token response [context data](https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html)
+when requested by apps using scopes during the *SMART App Launch* flow. If the tested app
+needs and will request these details, the tester must provide them for Inferno
+to respond with using the following inputs:
+- **Launch Context** (available for all *SMART App Launch* clients): Testers can provide a JSON
+  array for Inferno to use as the base for building a token response on. This can include
+  keys like `"patient"` when the `launch/patient` scope will be requested. Note that when keys that Inferno
+  also populates (e.g. `access_token` or `id_token`) are included, the Inferno value will be returned.
+- **FHIR User Relative Reference** (available for all *SMART App Launch* clients): Testers
+  can provide a FHIR relative reference (`<resource type>/<id>`) for the FHIR user record
+  to return with the `id_token` when the `openid` and `fhirUser` scopes are requested. If populated,
+  include the corresponding resource in the **Available Resources** input (See the "Inputs
+  Controlling FHIR Responses" section) so that it can be accessed via FHIR read.
+
+#### Inputs Controlling FHIR Responses
+The focus of this test kit is on the auth protocol, so the simulated FHIR server implemented
+in this test suite is very simple. It will respond to any FHIR request with either:
+  - A resource from a tester-provided Bundle in the **Available Resources** input
+    if the request is a read matching a resource type and id found in the Bundle.
+  - Otherwise, the contents of the **Default FHIR Response** input, if provided.
+  - Otherwise, an OperationOutcome indicating no response was available.
+
+The two inputs that control these response include:
+- **Available Resources**: A FHIR Bundle of resources to make available via the
+  simulated FHIR sever. Each entry must contain a resource with the id element
+  populated. Each instance present will be available for retrieval from Inferno
+  at the endpoint: `<fhir-base>/<resource type>/<instance id>`. These will only
+  be available through the read interaction.
+- **FHIR Response to Echo**: A static FHIR JSON body for Inferno to return for all FHIR requests
+  not covered by reads of instances in the **Available Resources** input. In this case,
+  the simulation is a simple echo and Inferno does not check that the response is
+  appropriate for the request made.
+
+## Current Limitations
+
+This test kit is still in draft form and does not test all of the requirements and features
+described in the SMART App Launch IG for clients.
+
+The following sections list known gaps and limitations.
+
+### SMART Scope Checking and Fulfilment
+
+These tests do not verify any details about scopes, including that the
+- Requested scopes are conformant, such as that they have a valid format and are consistent
+  between authorization and refresh token requests.
+- Provided **Launch Context** input fullfils the requested data context scopes.
+- Access performed is allowed by the requested scope.
+
+### SMART Server Simulation Limitations
+
+This test suite contains a simulation of a SMART server which is not fully
+general and not all conformant clients may be able to interact with it. However, the intention
+is not to prevent systems from passing for making conformant choices that Inferno's simulation
+does not support. One specific example is that the SMART configuration metadata available at
+`.well-known/smart-configuration` for the simulated server is fixed and cannot be changed by
+testers at this time. Please report any issues that prevent conformant systems from passing in
+the [github repository's issues page](https://github.com/inferno-framework/smart-app-launch-test-kit/issues/).
+
+### FHIR Server Simulation Limitations
+
+The FHIR server simulation used to support clients in demonstrating their ability to access
+FHIR APIs using access tokens obtained using the SMART flows is very limited. Testers are currently
+able to provide a list of resources to be read and a single static response that will be echoed for any
+other FHIR request made. While Inferno will never implement a fully general FHIR server simulation,
+additional options, such as may be added in the future based on community feedback.

data/lib/smart_app_launch/endpoints/echoing_fhir_responder_endpoint.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+require_relative '../urls'
+require_relative '../tags'
+require_relative 'mock_smart_server'
+
+module SMARTAppLaunch
+  class EchoingFHIRResponderEndpoint < Inferno::DSL::SuiteEndpoint
+    def test_run_identifier
+      MockSMARTServer.issued_token_to_client_id(request.headers['authorization']&.delete_prefix('Bearer '))
+    end
+
+    def make_response
+      return if response.status == 401 # set in update_result (expired token handling there)
+
+      response.content_type = 'application/fhir+json'
+      response.headers['Access-Control-Allow-Origin'] = '*'
+      response.status = 200
+
+      # look for read of provided resources
+      read_response = tester_provided_read_response_body
+      if read_response.present?
+        response.body = read_response.to_json
+        return
+      end
+
+      # If the tester provided a response, echo it
+      # otherwise, operation outcome
+      echo_response = JSON.parse(result.input_json)
+        .find { |input| input['name'].include?('echoed_fhir_response') }
+        &.dig('value')
+      if echo_response.present?
+        response.body = echo_response
+        return
+      end
+      
+      response.status = 400
+      response.body = FHIR::OperationOutcome.new(
+        issue: FHIR::OperationOutcome::Issue.new(
+          severity: 'fatal', code: 'required',
+          details: FHIR::CodeableConcept.new(text: 'No response provided to echo.')
+        )
+      ).to_json  
+    end
+
+    def update_result
+      if MockSMARTServer.request_has_expired_token?(request)
+        MockSMARTServer.update_response_for_expired_token(response, 'Bearer token')
+        return
+      end
+
+      nil # never update for now
+    end
+
+    def tags
+      [ACCESS_TAG]
+    end
+
+    def tester_provided_read_response_body
+      resource_type = request.params[:one]
+      id = request.params[:two]
+
+      return unless resource_type.present? && id.present?
+      
+      resource_type_class = 
+        begin
+          FHIR.const_get(resource_type)
+        rescue NameError
+          nil
+        end
+      return unless resource_type_class.present?
+
+      resource_bundle = ehr_input_bundle
+      return unless resource_bundle.present?
+
+      find_resource_in_bundle(resource_bundle, resource_type_class, id)
+    end
+
+    def ehr_input_bundle
+      ehr_bundle_input = 
+        JSON.parse(result.input_json).find { |input| input['name'] == 'fhir_read_resources_bundle' }&.dig('value')
+      ehr_bundle = FHIR.from_contents(ehr_bundle_input) if ehr_bundle_input.present?
+      return ehr_bundle if ehr_bundle.is_a?(FHIR::Bundle)
+      
+      nil
+    rescue StandardError
+      nil
+    end
+
+    def find_resource_in_bundle(bundle, resource_type_class, id)
+      bundle.entry&.find do |entry|
+        entry.resource.is_a?(resource_type_class) && entry.resource.id == id
+      end&.resource
+    end
+  end
+end

data/lib/smart_app_launch/endpoints/mock_smart_server/authorization_endpoint.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+require_relative '../../tags'
+require_relative 'smart_authorization_response_creation'
+
+module SMARTAppLaunch
+  module MockSMARTServer
+    class AuthorizationEndpoint < Inferno::DSL::SuiteEndpoint
+      include SMARTAuthorizationResponseCreation
+
+      def test_run_identifier  
+        request.params[:client_id]
+      end
+
+      def make_response
+        make_smart_authorization_response
+      end
+
+      def update_result
+        nil # never update for now
+      end
+
+      def tags
+        [AUTHORIZATION_TAG, AUTHORIZATION_CODE_TAG, SMART_TAG]
+      end
+    end
+  end
+end