smart_app_launch_test_kit 0.6.1 → 0.6.2

data/lib/smart_app_launch/client_stu2_2_suite.rb

@@ -1,8 +1,16 @@
-require_relative 'endpoints/mock_smart_server/token'
-require_relative 'endpoints/echoing_fhir_responder'
+require_relative 'endpoints/mock_smart_server/token_endpoint'
+require_relative 'endpoints/mock_smart_server/authorization_endpoint'
+require_relative 'endpoints/mock_smart_server/introspection_endpoint'
+require_relative 'endpoints/echoing_fhir_responder_endpoint'
+require_relative 'tags'
 require_relative 'urls'
-require_relative 'client_suite/client_registration_group'
-require_relative 'client_suite/client_access_group'
+require_relative 'client_suite/registration_alca_group'
+require_relative 'client_suite/registration_alcs_group'
+require_relative 'client_suite/registration_alp_group'
+require_relative 'client_suite/registration_bsca_group'
+require_relative 'client_suite/access_group'
+require_relative 'client_suite/oidc_jwks'
+require_relative 'client_suite/client_options'
 
 module SMARTAppLaunch
   class SMARTClientSTU22Suite < Inferno::TestSuite
@@ -33,7 +41,38 @@ module SMARTAppLaunch
       }
     ]
 
+    suite_option :client_type,
+                 title: 'SMART Client Type',
+                 list_options: [
+                   {
+                     label: 'SMART App Launch Public Client',
+                     value: SMARTClientOptions::SMART_APP_LAUNCH_PUBLIC
+                   },
+                   {
+                     label: 'SMART App Launch Confidential Symmetric Client',
+                     value: SMARTClientOptions::SMART_APP_LAUNCH_CONFIDENTIAL_SYMMETRIC
+                   },
+                   {
+                     label: 'SMART App Launch Confidential Asymmetric Client',
+                     value: SMARTClientOptions::SMART_APP_LAUNCH_CONFIDENTIAL_ASYMMETRIC
+                   },
+                   {
+                     label: 'SMART Backend Services Confidential Asymmetric Client',
+                     value: SMARTClientOptions::SMART_BACKEND_SERVICES_CONFIDENTIAL_ASYMMETRIC
+                   }
+                 ]
+
     route(:get, SMART_DISCOVERY_PATH, ->(_env) {MockSMARTServer.smart_server_metadata(id) }) 
+    route(:get, OIDC_DISCOVERY_PATH, ->(_env) {MockSMARTServer.openid_connect_metadata(id) }) 
+    route(
+      :get,
+      OIDC_JWKS_PATH,
+      ->(_env) { [200, { 'Content-Type' => 'application/json' }, [OIDCJWKS.jwks_json]] }
+    )
+
+    suite_endpoint :get, AUTHORIZATION_PATH, MockSMARTServer::AuthorizationEndpoint
+    suite_endpoint :post, AUTHORIZATION_PATH, MockSMARTServer::AuthorizationEndpoint
+    suite_endpoint :post, INTROSPECTION_PATH, MockSMARTServer::IntrospectionEndpoint
     suite_endpoint :post, TOKEN_PATH, MockSMARTServer::TokenEndpoint
     suite_endpoint :get, FHIR_PATH, EchoingFHIRResponderEndpoint
     suite_endpoint :post, FHIR_PATH, EchoingFHIRResponderEndpoint
@@ -60,20 +99,22 @@ module SMARTAppLaunch
       request.query_parameters['token']
     end
 
-    group do
-      title 'SMART Backend Services'
-      description %(
-        During these tests, the client will use SMART Backend Services
-        to access a FHIR API. Clients will provide registeration details,
-        obtain an access token, and use the access token when making a
-        request to a FHIR API.
-      )
-
-      input :smart_jwk_set,
-            optional: false
-
-      group from: :smart_client_registration
-      group from: :smart_client_access
-    end
+    group from: :smart_client_registration_alca,
+         required_suite_options: {
+           client_type: SMARTClientOptions::SMART_APP_LAUNCH_CONFIDENTIAL_ASYMMETRIC
+         }
+    group from: :smart_client_registration_alcs,
+         required_suite_options: {
+           client_type: SMARTClientOptions::SMART_APP_LAUNCH_CONFIDENTIAL_SYMMETRIC
+         }
+    group from: :smart_client_registration_alp,
+         required_suite_options: {
+           client_type: SMARTClientOptions::SMART_APP_LAUNCH_PUBLIC
+         }
+    group from: :smart_client_registration_bsca,
+         required_suite_options: {
+           client_type: SMARTClientOptions::SMART_BACKEND_SERVICES_CONFIDENTIAL_ASYMMETRIC
+         }
+    group from: :smart_client_access
   end
 end

data/lib/smart_app_launch/client_suite/access_alca_interaction_test.rb

@@ -0,0 +1,75 @@
+require_relative '../urls'
+require_relative '../endpoints/mock_smart_server'
+require_relative 'client_descriptions'
+
+module SMARTAppLaunch
+  class SMARTClientAccessAppLaunchConfidentialAsymmetricInteraction < Inferno::Test
+    include URLs
+    include ClientWaitDialogDescriptions
+
+    id :smart_client_access_alca_interaction
+    title 'Access a secured FHIR endpoint using SMART App Launch'
+    description %(
+      During this test, Inferno will wait for the confidential asymmetric client to access data
+      using a SMART token obtained using the SMART App Launch EHR launch
+      or standalone launch flow.
+    )
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :smart_launch_urls,
+          title: 'SMART App Launch URL(s)',
+          type: 'textarea',
+          locked: true,
+          optional: true,
+          description: INPUT_SMART_LAUNCH_URLS_DESCRIPTION_LOCKED
+    input :launch_context,
+          title: 'Launch Context',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_LAUNCH_CONTEXT_DESCRIPTION       
+    input :fhir_user_relative_reference,
+          title: 'FHIR User Relative Reference',
+          type: 'text',
+          optional: true,
+          description: INPUT_FHIR_USER_RELATIVE_REFERENCE
+    input :fhir_read_resources_bundle,
+          title: 'Available Resources',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_FHIR_READ_RESOURCES_BUNDLE_DESCRIPTION
+    input :echoed_fhir_response,
+          title: 'Default FHIR Response',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_ECHOED_FHIR_RESPONSE_DESCRIPTION
+
+    output :launch_key
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      SMARTAppLaunch::SMARTClientSTU22Suite.id
+    end
+
+    run do
+      begin
+        JSON.parse(launch_context) if launch_context.present?
+      rescue JSON::ParserError
+        add_message(
+          'warning', 
+          'Input **Launch Context** is not valid JSON and will be disregarded when responding to token requests'
+        )
+      end
+
+      wait(
+        identifier: client_id,
+        message: access_wait_dialog_app_launch_access_prefix(client_id, 'confidential asymmetric', client_fhir_base_url) +
+                 access_wait_dialog_ehr_launch_instructions(smart_launch_urls, client_fhir_base_url) +
+                 access_wait_dialog_access_response_and_continue_suffix(client_id, client_resume_pass_url)
+      )
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/access_alcs_interaction_test.rb

@@ -0,0 +1,75 @@
+require_relative '../urls'
+require_relative '../endpoints/mock_smart_server'
+require_relative 'client_descriptions'
+
+module SMARTAppLaunch
+  class SMARTClientAccessAppLaunchConfidentialSymmetricInteraction < Inferno::Test
+    include URLs
+    include ClientWaitDialogDescriptions
+
+    id :smart_client_access_alcs_interaction
+    title 'Access a secured FHIR endpoint using SMART App Launch'
+    description %(
+      During this test, Inferno will wait for the confidential symmetric client to access data
+      using a SMART token obtained using the SMART App Launch EHR launch
+      or standalone launch flow.
+    )
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :smart_launch_urls,
+          title: 'SMART App Launch URL(s)',
+          type: 'textarea',
+          locked: true,
+          optional: true,
+          description: INPUT_SMART_LAUNCH_URLS_DESCRIPTION_LOCKED
+    input :launch_context,
+          title: 'Launch Context',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_LAUNCH_CONTEXT_DESCRIPTION       
+    input :fhir_user_relative_reference,
+          title: 'FHIR User Relative Reference',
+          type: 'text',
+          optional: true,
+          description: INPUT_FHIR_USER_RELATIVE_REFERENCE
+    input :fhir_read_resources_bundle,
+          title: 'Available Resources',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_FHIR_READ_RESOURCES_BUNDLE_DESCRIPTION
+    input :echoed_fhir_response,
+          title: 'Default FHIR Response',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_ECHOED_FHIR_RESPONSE_DESCRIPTION
+
+    output :launch_key
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      SMARTAppLaunch::SMARTClientSTU22Suite.id
+    end
+
+    run do
+      begin
+        JSON.parse(launch_context) if launch_context.present?
+      rescue JSON::ParserError
+        add_message(
+          'warning', 
+          'Input **Launch Context** is not valid JSON and will be disregarded when responding to token requests'
+        )
+      end
+
+      wait(
+        identifier: client_id,
+        message: access_wait_dialog_app_launch_access_prefix(client_id, 'confidential symmetric', client_fhir_base_url) +
+                 access_wait_dialog_ehr_launch_instructions(smart_launch_urls, client_fhir_base_url) +
+                 access_wait_dialog_access_response_and_continue_suffix(client_id, client_resume_pass_url)
+      )
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/access_alp_interaction_test.rb

@@ -0,0 +1,75 @@
+require_relative '../urls'
+require_relative '../endpoints/mock_smart_server'
+require_relative 'client_descriptions'
+
+module SMARTAppLaunch
+  class SMARTClientAccessAppLaunchPublicInteraction < Inferno::Test
+    include URLs
+    include ClientWaitDialogDescriptions
+
+    id :smart_client_access_alp_interaction
+    title 'Access a secured FHIR endpoint using SMART App Launch'
+    description %(
+      During this test, Inferno will wait for the public client to access data
+      using a SMART token obtained using the SMART App Launch EHR launch
+      or standalone launch flow.
+    )
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :smart_launch_urls,
+          title: 'SMART App Launch URL(s)',
+          type: 'textarea',
+          locked: true,
+          optional: true,
+          description: INPUT_SMART_LAUNCH_URLS_DESCRIPTION_LOCKED
+    input :launch_context,
+          title: 'Launch Context',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_LAUNCH_CONTEXT_DESCRIPTION       
+    input :fhir_user_relative_reference,
+          title: 'FHIR User Relative Reference',
+          type: 'text',
+          optional: true,
+          description: INPUT_FHIR_USER_RELATIVE_REFERENCE
+    input :fhir_read_resources_bundle,
+          title: 'Available Resources',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_FHIR_READ_RESOURCES_BUNDLE_DESCRIPTION
+    input :echoed_fhir_response,
+          title: 'Default FHIR Response',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_ECHOED_FHIR_RESPONSE_DESCRIPTION
+
+    output :launch_key
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      SMARTAppLaunch::SMARTClientSTU22Suite.id
+    end
+
+    run do
+      begin
+        JSON.parse(launch_context) if launch_context.present?
+      rescue JSON::ParserError
+        add_message(
+          'warning', 
+          'Input **Launch Context** is not valid JSON and will be disregarded when responding to token requests'
+        )
+      end
+
+      wait(
+        identifier: client_id,
+        message: access_wait_dialog_app_launch_access_prefix(client_id, 'public', client_fhir_base_url) +
+                 access_wait_dialog_ehr_launch_instructions(smart_launch_urls, client_fhir_base_url) +
+                 access_wait_dialog_access_response_and_continue_suffix(client_id, client_resume_pass_url)
+      )
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/access_bsca_interaction_test.rb

@@ -0,0 +1,46 @@
+require_relative '../urls'
+require_relative '../endpoints/mock_smart_server'
+require_relative 'client_descriptions'
+
+module SMARTAppLaunch
+  class SMARTClientAccessBackendServicesConfidentialAsymmetricInteraction < Inferno::Test
+    include URLs
+    include ClientWaitDialogDescriptions
+
+    id :smart_client_access_bsca_interaction
+    title 'Access a secured FHIR endpoint using SMART Backend Services'
+    description %(
+      During this test, Inferno will wait for the client to access data
+      using a SMART token obtained using the Backend Services flow.
+    )
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :fhir_read_resources_bundle,
+          title: 'Available Resources',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_FHIR_READ_RESOURCES_BUNDLE_DESCRIPTION
+    input :echoed_fhir_response,
+          title: 'Default FHIR Response',
+          type: 'textarea',
+          optional: true,
+          description: INPUT_ECHOED_FHIR_RESPONSE_DESCRIPTION
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      SMARTAppLaunch::SMARTClientSTU22Suite.id
+    end
+
+    run do
+      wait(
+        identifier: client_id,
+        message: access_wait_dialog_backend_services_access_prefix(client_id, client_fhir_base_url) + 
+                 access_wait_dialog_access_response_and_continue_suffix(client_id, client_resume_pass_url)
+      )
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/access_group.rb

@@ -0,0 +1,85 @@
+require_relative 'access_alca_interaction_test'
+require_relative 'access_alcs_interaction_test'
+require_relative 'access_alp_interaction_test'
+require_relative 'access_bsca_interaction_test'
+require_relative 'authorization_request_verification_test'
+require_relative 'token_request_alca_verification_test'
+require_relative 'token_request_alcs_verification_test'
+require_relative 'token_request_alp_verification_test'
+require_relative 'token_request_bsca_verification_test'
+require_relative 'token_use_verification_test'
+require_relative '../tags'
+
+module SMARTAppLaunch
+  class SMARTClientAccess < Inferno::TestGroup
+    id :smart_client_access
+    title 'Client Access'
+    description %(
+      During these tests, the client system will access Inferno's simulated
+      FHIR server that is protected using SMART. The client will request
+      an access token using the OAuth flow setup during registration and will then
+      make a FHIR request using that token.
+
+      Inferno will then verify that any OAuth requests made were conformant
+      and that a token returned from a token request was used on an access request.
+    )
+
+    run_as_group
+
+    # Access Interaction Test (All, different for each)
+    test from: :smart_client_access_alca_interaction,
+         required_suite_options: {
+           client_type: SMARTClientOptions::SMART_APP_LAUNCH_CONFIDENTIAL_ASYMMETRIC
+         }
+    test from: :smart_client_access_alcs_interaction,
+         required_suite_options: {
+           client_type: SMARTClientOptions::SMART_APP_LAUNCH_CONFIDENTIAL_SYMMETRIC
+         }
+    test from: :smart_client_access_alp_interaction,
+         required_suite_options: {
+           client_type: SMARTClientOptions::SMART_APP_LAUNCH_PUBLIC
+         }
+    test from: :smart_client_access_bsca_interaction,
+         required_suite_options: {
+           client_type: SMARTClientOptions::SMART_BACKEND_SERVICES_CONFIDENTIAL_ASYMMETRIC
+         }
+
+    # Authorization Request Verification (app launch only, same for each)
+    test from: :smart_client_authorization_request_verification,
+         id: :smart_client_authorization_request_alca_verification,
+         required_suite_options: {
+           client_type: SMARTClientOptions::SMART_APP_LAUNCH_CONFIDENTIAL_ASYMMETRIC
+         }
+    test from: :smart_client_authorization_request_verification,
+         id: :smart_client_authorization_request_alcs_verification,
+         required_suite_options: {
+           client_type: SMARTClientOptions::SMART_APP_LAUNCH_CONFIDENTIAL_SYMMETRIC
+         }
+    test from: :smart_client_authorization_request_verification,
+         id: :smart_client_authorization_request_alp_verification,
+         required_suite_options: {
+           client_type: SMARTClientOptions::SMART_APP_LAUNCH_PUBLIC
+         }
+    
+    # Access token request (All, different for each)
+    test from: :smart_client_token_request_alca_verification,
+         required_suite_options: {
+           client_type: SMARTClientOptions::SMART_APP_LAUNCH_CONFIDENTIAL_ASYMMETRIC
+         }
+    test from: :smart_client_token_request_alcs_verification,
+         required_suite_options: {
+           client_type: SMARTClientOptions::SMART_APP_LAUNCH_CONFIDENTIAL_SYMMETRIC
+         }
+    test from: :smart_client_token_request_alp_verification,
+         required_suite_options: {
+           client_type: SMARTClientOptions::SMART_APP_LAUNCH_PUBLIC
+         }
+    test from: :smart_client_token_request_bsca_verification,
+         required_suite_options: {
+           client_type: SMARTClientOptions::SMART_BACKEND_SERVICES_CONFIDENTIAL_ASYMMETRIC
+         }
+
+    # Access token use (all the same)
+    test from: :smart_client_token_use_verification
+  end
+end

data/lib/smart_app_launch/client_suite/authentication_verification.rb

@@ -0,0 +1,86 @@
+require 'jwt'
+require_relative 'client_options'
+require_relative '../endpoints/mock_smart_server'
+
+module SMARTAppLaunch
+  module AuthenticationVerification
+    def check_authentication(authentication_apporach, request, request_params, jti_list, request_num)
+      case authentication_apporach
+      when CONFIDENTIAL_ASYMMETRIC_TAG
+        check_client_assertion(request_params['client_assertion'], jti_list, request_num)
+      when CONFIDENTIAL_SYMMETRIC_TAG
+        check_authorization_header(request, request_num)
+      end
+    end
+
+    def check_authorization_header(request, request_num)
+      authorization_header_value = request.request_header('authorization')&.value
+      error = MockSMARTServer.confidential_symmetric_header_value_error(authorization_header_value, client_id,
+                                                                        smart_client_secret)
+      if error.present?
+        add_message('error', "Token request #{request_num} invalid: #{e}")
+      end
+    end
+
+    def check_client_assertion(assertion, jti_list, request_num)
+      decoded_token =
+        begin
+          JWT::EncodedToken.new(assertion)
+        rescue StandardError => e
+          add_message('error', "Token request #{request_num} contained an invalid client assertion jwt: #{e}")
+          nil
+        end
+
+      return unless decoded_token.present?
+
+      check_jwt_header(decoded_token.header, request_num)
+      check_jwt_payload(decoded_token.payload, jti_list, request_num)
+      check_jwt_signature(decoded_token, request_num)
+    end
+
+    def check_jwt_header(header, request_num)
+      return unless header['typ'] != 'JWT'
+
+      add_message('error', "client assertion jwt on token request #{request_num} has an incorrect `typ` header: " \
+                           "expected 'JWT', got '#{header['typ']}'")
+    end
+
+    def check_jwt_payload(claims, jti_list, request_num)
+      if claims['iss'] != client_id
+        add_message('error', "client assertion jwt on token request #{request_num} has an incorrect `iss` claim: " \
+                             "expected '#{client_id}', got '#{claims['iss']}'")
+      end
+
+      if claims['sub'] != client_id
+        add_message('error', "client assertion jwt on token request #{request_num} has an incorrect `sub` claim: " \
+                             "expected '#{client_id}', got '#{claims['sub']}'")
+      end
+
+      if claims['aud'] != client_token_url
+        add_message('error', "client assertion jwt on token request #{request_num} has an incorrect `aud` claim: " \
+                             "expected '#{client_token_url}', got '#{claims['aud']}'")
+      end
+
+      if claims['exp'].blank?
+        add_message('error', "client assertion jwt on token request #{request_num} is missing the `exp` claim.")
+      end
+
+      if claims['jti'].blank?
+        add_message('error', "client assertion jwt on token request #{request_num} is missing the `jti` claim.")
+      elsif jti_list.include?(claims['jti'])
+        add_message('error', "client assertion jwt on token request #{request_num} has a `jti` claim that was " \
+                             "previouly used: '#{claims['jti']}'.")
+      else
+        jti_list << claims['jti']
+      end
+    end
+
+    def check_jwt_signature(encoded_token, request_num)
+      error = MockSMARTServer.smart_assertion_signature_verification(encoded_token, smart_jwk_set)
+
+      return unless error.present?
+
+      add_message('error', "Signature validation failed on token request #{request_num}: #{error}")
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/authorization_request_verification_test.rb

@@ -0,0 +1,108 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_smart_server'
+require_relative 'client_descriptions'
+
+module SMARTAppLaunch
+  class SMARTClientAppLaunchAuthorizationRequestVerification < Inferno::Test
+    include URLs
+
+    id :smart_client_authorization_request_verification
+    title 'Verify SMART App Launch Authorization Requests'
+    description %(
+      Check that SMART authorization requests made are conformant.
+    )
+
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :smart_redirect_uris,
+          title: 'SMART App Launch Redirect URI(s)',
+          type: 'textarea',
+          locked: true,
+          description: INPUT_SMART_REDIRECT_URIS_DESCRIPTION_LOCKED
+    input :launch_key,      # from app launch access interaction test, 
+          optional: true    # present if client registered for ehr launch but won't know if did ehr or standalone
+          
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      SMARTAppLaunch::SMARTClientSTU22Suite.id
+    end
+    
+    run do
+      load_tagged_requests(AUTHORIZATION_TAG, SMART_TAG)
+      skip_if requests.blank?, 'No SMART authorization requests made.'
+
+      requests.each_with_index do |authorization_request, index|
+        auth_code_request_params = MockSMARTServer.authorization_code_request_details(authorization_request)
+        check_request_params(auth_code_request_params, index + 1)
+      end
+
+      assert messages.none? { |msg|
+        msg[:type] == 'error'
+      }, 'Invalid authorization requests detected. See messages for details.'
+    end
+
+    def check_request_params(params, request_num)
+      if params['response_type'] != 'code'
+        add_message('error',
+                    "Authorization request #{request_num} had an incorrect `response_type`: expected 'code', " \
+                    "but got '#{params['response_type']}'")
+      end
+      if params['client_id'] != client_id
+        add_message('error',
+                    "Authorization request #{request_num} had an incorrect `client_id`: expected #{client_id}, " \
+                    "but got '#{params['client_id']}'")
+      end
+      if params['redirect_uri'].blank?
+        add_message('error',
+                    "Authorization request #{request_num} is missing the `redirect_uri` element")
+      else
+        if smart_redirect_uris.blank?
+          add_message('error',
+                      'No redirect URIs registered to check against the `redirect_uri` element ' \
+                      "in authorization request #{request_num} is missing the `redirect_uri` element")
+        elsif !smart_redirect_uris.split(',').include?(params['redirect_uri'])
+          add_message('error',
+                      "Authorization request #{request_num} had an unregistered `redirect_uri`: " \
+                      "got #{params['redirect_uri']}, but expected one of '#{smart_redirect_uris}'")
+        end
+      end
+      # for ehr launch, `launch` value must be the one Inferno generated
+      # but can't know if this was intended to be ehr or standalone if `launch` isn't there
+      # and currently the tests allow either standalone or ehr launch
+      if launch_key.present? && params['launch'].present? && params['launch'] != launch_key
+        add_message('error',
+                    "Authorization request #{request_num} had an incorrect `launch`: expected #{launch_key}, " \
+                    "but got '#{params['launch']}'")
+      end
+     
+      if params['state'].blank?
+        add_message('error',
+                    "Authorization request #{request_num} is missing the `state` element")
+      end
+      if params['aud'] != client_fhir_base_url
+        add_message('error',
+                    "Authorization request #{request_num} had an incorrect `aud`: " \
+                    "expected '#{client_fhir_base_url}', but got '#{params['aud']}'")
+      end
+      if params['code_challenge'].blank?
+        add_message('error',
+                    "Authorization request #{request_num} is missing the `code_challenge` element")
+      end
+      if params['code_challenge_method'] != 'S256'
+        add_message('error',
+                    "Authorization request #{request_num} had an incorrect `code_challenge_method`: " \
+                    "expected 'S256', but got '#{params['code_challenge_method']}'")
+      end
+      if params['scope'].blank?
+        add_message('error', "Token request #{request_num} did not include the requested `scope`")
+      end
+
+      nil
+    end
+  end
+end