smart_app_launch_test_kit 0.6.1 → 0.6.3

data/lib/smart_app_launch/client_suite/token_request_alp_verification_test.rb

@@ -0,0 +1,48 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_smart_server'
+require_relative 'authentication_verification'
+require_relative 'client_descriptions'
+require_relative 'client_options'
+require_relative 'token_request_verification'
+
+module SMARTAppLaunch
+  class SMARTClientTokenRequestAppLaunchPublicVerification < Inferno::Test
+    include URLs
+    include AuthenticationVerification
+    include TokenRequestVerification
+
+    id :smart_client_token_request_alp_verification
+    title 'Verify SMART Token Requests'
+    description %(
+      Check that SMART token requests are conformant.
+    )
+
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          optional: false,
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    
+    output :smart_tokens
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      SMARTAppLaunch::SMARTClientSTU22Suite.id
+    end
+    
+    run do
+      load_tagged_requests(TOKEN_TAG, SMART_TAG, AUTHORIZATION_CODE_TAG)
+      skip_if requests.blank?, 'No SMART authorization code token requests made.'
+      load_tagged_requests(TOKEN_TAG, SMART_TAG, REFRESH_TOKEN_TAG) # verify refresh_requests as well
+
+      verify_token_requests(AUTHORIZATION_CODE_TAG, PUBLIC_TAG)
+
+      assert messages.none? { |msg|
+        msg[:type] == 'error'
+      }, 'Invalid token requests received. See messages for details.'
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/token_request_bsca_verification_test.rb

@@ -0,0 +1,53 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_smart_server'
+require_relative 'authentication_verification'
+require_relative 'client_descriptions'
+require_relative 'client_options'
+require_relative 'token_request_verification'
+
+
+module SMARTAppLaunch
+  class SMARTClientTokenRequestBackendServicesConfidentialAsymmetricVerification < Inferno::Test
+    include URLs
+    include AuthenticationVerification
+    include TokenRequestVerification
+
+    id :smart_client_token_request_bsca_verification
+    title 'Verify SMART Token Requests'
+    description %(
+        Check that SMART token requests are conformant.
+      )
+
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: INPUT_CLIENT_ID_DESCRIPTION_LOCKED
+    input :smart_jwk_set,
+          title: 'JSON Web Key Set (JWKS)',
+          type: 'textarea',
+          locked: true,
+          description: INPUT_CLIENT_JWKS_DESCRIPTION_LOCKED
+    
+    output :smart_tokens
+
+    def client_suite_id
+      return config.options[:endpoint_suite_id] if config.options[:endpoint_suite_id].present?
+
+      SMARTAppLaunch::SMARTClientSTU22Suite.id
+    end
+
+    run do
+      load_tagged_requests(TOKEN_TAG, SMART_TAG, CLIENT_CREDENTIALS_TAG)
+      skip_if requests.blank?, 'No SMART token requests made.'
+      load_tagged_requests(TOKEN_TAG, SMART_TAG, REFRESH_TOKEN_TAG) # verify refresh_requests as well (shouldn't be any)
+
+      verify_token_requests(CLIENT_CREDENTIALS_TAG, CONFIDENTIAL_ASYMMETRIC_TAG)
+
+      assert messages.none? { |msg|
+        msg[:type] == 'error'
+      }, 'Invalid token requests received. See messages for details.'
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/token_request_verification.rb

@@ -0,0 +1,116 @@
+module SMARTAppLaunch
+  module TokenRequestVerification
+    
+    def verify_token_requests(oauth_flow, authentication_approach)
+      jti_list = []
+      token_list = []
+      requests.each_with_index do |token_request, index|
+        request_params = URI.decode_www_form(token_request.request_body).to_h
+        request_params['grant_type'] != 'refresh_token' ?
+          check_request_params(request_params, oauth_flow, authentication_approach, index + 1) :
+          check_refresh_request_params(request_params, oauth_flow, authentication_approach, index + 1)
+        check_authentication(authentication_approach, token_request, request_params, jti_list, index + 1)
+        
+        token_list << extract_token_from_response(token_request)
+      end
+
+      output smart_tokens: token_list.compact.join("\n")
+    end
+    
+    def check_request_params(params, oauth_flow, authentication_approach, request_num)
+      if params['grant_type'] != oauth_flow
+        add_message('error',
+                    "Token request #{request_num} had an incorrect `grant_type`: expected #{oauth_flow}, " \
+                    "but got '#{params['grant_type']}'")
+      end
+      if authentication_approach == CONFIDENTIAL_ASYMMETRIC_TAG && 
+         params['client_assertion_type'] != 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
+        add_message('error',
+                    "Confidential asymmetric token request #{request_num} had an incorrect `client_assertion_type`: " \
+                    "expected 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer', " \
+                    "but got '#{params['client_assertion_type']}'")
+      end
+      if oauth_flow == CLIENT_CREDENTIALS_TAG && params['scope'].blank?
+        add_message('error', "Client credentials token request #{request_num} did not include the requested `scope`")
+      end
+      if authentication_approach == PUBLIC_TAG && params['client_id'] != client_id
+        add_message('error', "Public client token request #{request_num} had an incorrect `client` value: " \
+                             "expected '#{client_id}' but got '#{params['client_id']}'")
+      end
+
+      check_authorization_code_request_params(params, request_num) if oauth_flow == AUTHORIZATION_CODE_TAG
+
+      nil
+    end
+
+    def check_authorization_code_request_params(params, request_num)
+      if params['code'].present?
+
+        authorization_request = MockSMARTServer.authorization_request_for_code(params['code'], test_session_id)
+
+        if authorization_request.present?
+          authorization_body = MockSMARTServer.authorization_code_request_details(authorization_request)
+
+          if params['redirect_uri'] != authorization_body['redirect_uri']
+            add_message('error', "Authorization code token request #{request_num} included an incorrect " \
+                                 "`redirect_uri` value: expected '#{authorization_body['redirect_uri']} " \
+                                 "but got '#{params['redirect_uri']}'")
+          end
+
+          pkce_error = MockSMARTServer.pkce_error(params['code_verifier'],
+                                                  authorization_body['code_challenge'],
+                                                  authorization_body['code_challenge_method'])
+          if pkce_error.present?
+            add_message('error', 'Error performing pkce verification on the `code_verifier` value in ' \
+                                 "authorization code token request #{request_num}: #{pkce_error}")
+          end
+        else
+          add_message('error', "Authorization code token request #{request_num} included a code not " \
+                               "issued during this test session: '#{params['code']}'")
+        end
+      else
+        add_message('error', "Authorization code token request #{request_num} missing a `code`")
+      end
+    end
+
+    def check_refresh_request_params(params, oauth_flow, authentication_approach, request_num)
+      if oauth_flow == CLIENT_CREDENTIALS_TAG
+        add_message('error',
+                    "Invalid refresh request #{request_num} found during client_credentials flow.")
+        return
+      end
+      
+      if params['grant_type'] != 'refresh_token'
+        add_message('error',
+                    "Refresh request #{request_num} had an incorrect `grant_type`: expected 'refresh_token', " \
+                    "but got '#{params['grant_type']}'")
+      end
+      if authentication_approach == CONFIDENTIAL_ASYMMETRIC_TAG && 
+          params['client_assertion_type'] != 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
+        add_message('error',
+                    "Confidential asymmetric refresh request #{request_num} had an incorrect `client_assertion_type`: " \
+                    "expected 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer', " \
+                    "but got '#{params['client_assertion_type']}'")
+      end
+
+      authorization_code = MockSMARTServer.refresh_token_to_authorization_code(params['refresh_token'])
+      authorization_request = MockSMARTServer.authorization_request_for_code(authorization_code, test_session_id)
+      if authorization_request.present?
+        # todo - check that the scope is a subset of the original authorization code request
+      else
+        add_message('error', "Authorization code token refresh request #{request_num} included a refresh token not " \
+                             "issued during this test session: '#{params['refresh_token']}'")
+      end
+
+      nil
+    end
+
+    def extract_token_from_response(request)
+      return unless request.status == 200
+
+      JSON.parse(request.response_body)&.dig('access_token')
+    rescue
+      nil
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/{client_token_use_verification_test.rb → token_use_verification_test.rb}

@@ -3,7 +3,6 @@ require_relative '../endpoints/mock_smart_server'
 
 module SMARTAppLaunch
   class SMARTClientTokenUseVerification < Inferno::Test
-
     id :smart_client_token_use_verification
     title 'Verify SMART Token Use'
     description %(
@@ -11,11 +10,8 @@ module SMARTAppLaunch
         authentication.
       )
 
-    input :smart_tokens,
+    input :smart_tokens, # from :smart_client_token_request_verification
           optional: true # verified in the test to return a more specific error message
-    input :smart_jwk_set,
-          optional: false,
-          locked: true
 
     def access_request_tags
       return config.options[:access_request_tags] if config.options[:access_request_tags].present?
@@ -24,9 +20,6 @@ module SMARTAppLaunch
     end
 
     run do
-      omit_if smart_jwk_set.blank?, # for re-use: mark the smart_jwk_set input as optional when importing to enable
-        'SMART Authentication not demonstrated as a part of this test session.'
-
       access_requests = access_request_tags.map do |access_request_tag|
         load_tagged_requests(access_request_tag).reject { |access| access.status == 401 }
       end.flatten

data/lib/smart_app_launch/docs/smart_stu2_2_client_suite_description.md

@@ -7,11 +7,15 @@ client systems to the STU 2.2.0 version of the HL7® FHIR®
 ## Scope
 
 The SMART App Launch Client Test Suite verifies that systems correctly implement
-the [SMART App Launch IG](http://hl7.org/fhir/smart-app-launch/STU2.2/)
-for authorizating and/or authenticating with a server in order to gain 
-access to HL7® FHIR® APIs. At this time, the suite only contains tests for
-the [Backend Services](https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html)
-flow.
+the aproach specified in the [SMART App Launch IG](http://hl7.org/fhir/smart-app-launch/STU2.2/)
+for authorizing and potentially authenticating with a server in order to gain 
+access to HL7® FHIR® APIs. The suite contains options for testing clients that follow the
+- [App Launch flow](https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html), for
+  - Public clients not authenticating with the server.
+  - Confidential clients using [symmetric authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html).
+  - Confidential clients using [asymmetric authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html).
+- [Backend Services flow](https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html),
+  which requires clients to use [asymmetric authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html).
 
 These tests are a **DRAFT** intended to allow implementers to perform
 preliminary checks of their systems against SMART requirements and 
@@ -21,18 +25,20 @@ requirements and may change the test verification logic.
 
 ## Test Methodology
 
-For these tests Inferno simulates a SMART server that supports the backend services
-flow. Testers will
-1. Provide registration details as inputs, including a JSON Web Key Set (JWKS)
-   an optionally a client id if a specific one should be used.
-2. Request an access token using the registered JWKS and client id.
+For these tests Inferno simulates a SMART server. Testers will
+1. Choose which type of client to test during test session initialization.
+1. Provide registration details specific to the chosen client type as inputs,
+   including authentication details and optionally a client id if a specific
+   one should be used.
+2. Follow the appropriate SMART flow to request an access token using the
+   registered client id.
 3. Use that access token on a FHIR API request.
 
 The simulated server is relatively permissive in the sense that it will often
 provide successful responses even when the request is not conformant. When
-requesting tokens, Inferno will return an access token as long as it can find
-the client id and the signature is valid. This allows incomplete systems to
-run the tests. However, these non-conformant requests will be flagged by
+requesting authorization codes and access tokens, Inferno will provide one as
+long as it can find the client id and verify authentication. This allows incomplete
+systems to run the tests. However, these non-conformant requests will be flagged by
 the tests as failures so that systems will not pass the tests without being
 fully conformant.
 
@@ -40,34 +46,74 @@ fully conformant.
 
 ### Quick Start
 
-The following inputs must be provided by the tester at a minimum to execute
-any tests in this suite:
-1. **SMART JSON Web Key Set (JWKS)**: The SMART client's public JSON Web Key Set including
-   key(s) that Inferno will use to verify the signature on incoming token requests. May
-   be provided as either a publicly accessible url containing the JWKS, or the raw JWKS.
+Depending on which type of client was selected, the following inputs must be provided
+at a minimum by the tester to execute any tests in this suite:
+- **SMART App Launch Redirect URI(s)** (required for all *SMART App Launch* clients):
+  A comma-separated list of one or more URIs that the app will sepcify as the target
+  of the redirect for Inferno to use when providing the authorization code.
+- **SMART Confidential Symmetric Client Secret** (required for the *SMART App Launch Confidential
+  Symmetric* clients only): The client secret that the confidential symmetric client will send with
+  token requests to authenticate the client to Inferno.
+- **SMART JSON Web Key Set (JWKS)** (required for *Confidential Asymmetric* clients): The SMART
+  client's public JSON Web Key Set including key(s) that Inferno will use to verify the signature
+  on incoming token requests. May be provided as either a publicly accessible url containing the
+  JWKS, or the raw JWKS.
 
 The *Additional Inputs* section below describes options available to customize
 the behavior of Inferno's server simulation.
 
 ### Demonstration
 
-To try out these tests without a SMART client implementation, these tests can be exercised
-using the SMART App Launch server test suite and a simple HTTP request generator. The following
+To try out these tests without a SMART client implementation, these tests can be demonstrated
+using the SMART App Launch server test suite.
+
+#### App Launch Demonstration
+
+1. Start an instance of the SMART App Launch STU2.2 Client test suite and choose
+   *SMART App Launch* options as the SMART Client Type: Public, Confidential Symmetric,
+   or Confidential Asymmetric. Remember the choice for later use.
+1. From the drop down in the upper left, select preset "Demo: Run Against the SMART Server Suite".
+1. Click the "RUN ALL TESTS" button in the upper right and click "SUBMIT".
+1. In a new tab, start an instance of the SMART App Launch STU2.2 Test Suite.
+1. From the drop down in the upper left, select the "Demo: Run Against the SMART Client Suite
+   ([security type])" preset corresponding to the client type choice made in step 1.
+1. Select test group **1** Standalone Launch from the left panel, click the "RUN TESTS" button
+   in the upper right, and click "SUBMIT". When prompted, click the link to authorize and
+   the tests will run to completion.
+1. Select test group **2** EHR Launch from the left panel, click the "RUN TESTS" button
+   in the upper right, and click "SUBMIT".
+1. When prompted to launch the app, return to the Client tests and open the `launch` link
+   in a new tab which will open a new copy of the server tests.
+1. When prompted in the new tab, click the link to authorize and the tests will run to completion.
+1. Select test group **4** Token Introspection from the left panel, click the "RUN ALL TESTS" button
+   in the upper right, and click "SUBMIT". When prompted, click the link to authorize and
+   the tests will run to completion.
+1. Return to the client tests and click the link to continue and complete the tests.
+
+The client tests should pass. The server tests are expected to have errors in the Token Introspection
+tests for the invalid token tests because Inferno is not able to associate the invalid token introspection
+test with the client session.
+
+#### Backend Services Demonstration
+
+The Backend Services server tests do not make a data access request, so a simple HTTP request
+generator in needed to demonstrate the Backend Services client tests. The following
 steps use [Postman](https://www.postman.com/) to generate the access request using 
 [this collection](https://github.com/inferno-framework/smart-app-launch-test-kit/blob/main/lib/smart_app_launch/docs/demo/FHIR%20Request.postman_collection.json). Install the app and import the collection before following these
 steps.
 
-1. Start an instance of the SMART App Launch STU2.2 Client test suite.
+1. Start an instance of the SMART App Launch STU2.2 Client test suite and choose
+   *SMART Backend Services Confidential Asymmetric Client* as the SMART Client Type.
 2. From the drop down in the upper left, select preset "Demo: Run Against the SMART Server Suite".
-3. Click the "RUN ALL TESTS" button in the upper right and click "SUBMIT"
-4. In a new tab, start an instance of the SMART App Launch STU2.2 Test Suite
-5. From the drop down in the upper left, select preset "Demo: Run Against the SMART Client Suite"
+3. Click the "RUN ALL TESTS" button in the upper right and click "SUBMIT".
+4. In a new tab, start an instance of the SMART App Launch STU2.2 Test Suite.
+5. From the drop down in the upper left, select preset "Demo: Run Against the SMART Client Suite (Confidential Asymmetric)".
 6. Select test group **3** Backend Services from the left panel, click the "RUN TESTS" button
-   in the upper right, and click "SUBMIT"
+   in the upper right, and click "SUBMIT".
 7. Find the access token to use for the data access request by opening test **3.2.05** Authorization
    request succeeds when supplied correct information, click on the "REQUESTS" tab, clicking on the "DETAILS"
    button, and expanding the "Response Body". Copy the "access_token" value, which will be a ~100 character
-   string of letters and numbers (e.g., eyJjbGllbnRfaWQiOiJzbWFydF9jbGllbnRfdGVzdF9kZW1vIiwiZXhwaXJhdGlvbiI6MTc0MzUxNDk4Mywibm9uY2UiOiJlZDI5MWIwNmZhMTE4OTc4In0)
+   string of letters and numbers (e.g., eyJjbGllbnRfaWQiOiJzbWFydF9jbGllbnRfdGVzdF9kZW1vIiwiZXhwaXJhdGlvbiI6MTc0MzUxNDk4Mywibm9uY2UiOiJlZDI5MWIwNmZhMTE4OTc4In0).
 8. Open Postman and open the "FHIR Request" Collection. Click the "Variables" tab and add the copied access token
    as the current value of the `bearer_token` variable. Also update the
    `base_url` value for where the test is running (see details on the "Overview" tab).
@@ -80,31 +126,72 @@ expected as the Server tests make several intentionally invalid token requests.
 server responds successfully to those requests when the client id can be identified, but flags them as
 not conformant causing these expected failures. Because responding with an access token to non-conformant
 token requests is itself not conformant there are corresponding failures on the server test in tests **3.2.02**,
-**3.2.04**, and **3.2.04**. There may be other SMART server test failures due to an assumption that
-servers support the app launch capabilities in addition to backend services.
+**3.2.03**, and **3.2.04**.
 
 ### Additional Inputs
 
-Two additional inputs are available to support testers 
+#### Additional Registration Inputs
+
+Testers have the option to provide two additional SMART registration details:
 - **Client Id**: Testers may specify a client id for Inferno to use for the test session if they
   have one already configured.
-- **FHIR Response to Echo**: The focus of this test kit is on the auth protocol, so the
-  simulated FHIR server implemented in this test suite is very simple and will by default
-  return a FHIR OperationOutcome to any request made. Testers may provide a static
-  FHIR JSON body for Inferno to return instead. In this case, the simulation is a simple
-  echo and Inferno does not check that the response if appropriate for the request made.
+- **SMART App Launch URL(s)** (available for all *SMART App Launch* clients): To demonstrate an EHR
+  launch, provide one or more URLs, separated by commas, that Inferno can use to launch the app.
+
+#### Inputs Controlling Token Responses
+
+Inferno's SMART simulation does not include the details needed to populate
+the token response [context data](https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html)
+when requested by apps using scopes during the *SMART App Launch* flow. If the tested app
+needs and will request these details, the tester must provide them for Inferno
+to respond with using the following inputs:
+- **Launch Context** (available for all *SMART App Launch* clients): Testers can provide a JSON
+  array for Inferno to use as the base for building a token response on. This can include
+  keys like `"patient"` when the `launch/patient` scope will be requested. Note that when keys that Inferno
+  also populates (e.g. `access_token` or `id_token`) are included, the Inferno value will be returned.
+- **FHIR User Relative Reference** (available for all *SMART App Launch* clients): Testers
+  can provide a FHIR relative reference (`<resource type>/<id>`) for the FHIR user record
+  to return with the `id_token` when the `openid` and `fhirUser` scopes are requested. If populated,
+  include the corresponding resource in the **Available Resources** input (See the "Inputs
+  Controlling FHIR Responses" section) so that it can be accessed via FHIR read.
+
+#### Inputs Controlling FHIR Responses
+The focus of this test kit is on the auth protocol, so the simulated FHIR server implemented
+in this test suite is very simple. It will respond to any FHIR request with either:
+  - A resource from a tester-provided Bundle in the **Available Resources** input
+    if the request is a read matching a resource type and id found in the Bundle.
+  - Otherwise, the contents of the **Default FHIR Response** input, if provided.
+  - Otherwise, an OperationOutcome indicating no response was available.
+
+The two inputs that control these response include:
+- **Available Resources**: A FHIR Bundle of resources to make available via the
+  simulated FHIR sever. Each entry must contain a resource with the id element
+  populated. Each instance present will be available for retrieval from Inferno
+  at the endpoint: `<fhir-base>/<resource type>/<instance id>`. These will only
+  be available through the read interaction.
+- **FHIR Response to Echo**: A static FHIR JSON body for Inferno to return for all FHIR requests
+  not covered by reads of instances in the **Available Resources** input. In this case,
+  the simulation is a simple echo and Inferno does not check that the response is
+  appropriate for the request made.
 
 ## Current Limitations
 
 This test kit is still in draft form and does not test all of the requirements and features
-described in the SMART App Launch IG for clients. Notably, only the backend services flow
-is tested at this time.
+described in the SMART App Launch IG for clients.
+
+The following sections list known gaps and limitations.
+
+### SMART Scope Checking and Fulfilment
 
-The following sections list other known gaps and limitations.
+These tests do not verify any details about scopes, including that the
+- Requested scopes are conformant, such as that they have a valid format and are consistent
+  between authorization and refresh token requests.
+- Provided **Launch Context** input fullfils the requested data context scopes.
+- Access performed is allowed by the requested scope.
 
 ### SMART Server Simulation Limitations
 
-This test suite contains a simulation of a SMART Backend Services server which is not fully
+This test suite contains a simulation of a SMART server which is not fully
 general and not all conformant clients may be able to interact with it. However, the intention
 is not to prevent systems from passing for making conformant choices that Inferno's simulation
 does not support. One specific example is that the SMART configuration metadata available at
@@ -116,6 +203,6 @@ the [github repository's issues page](https://github.com/inferno-framework/smart
 
 The FHIR server simulation used to support clients in demonstrating their ability to access
 FHIR APIs using access tokens obtained using the SMART flows is very limited. Testers are currently
-able to provide a single static response that will be echoed for any FHIR request made. While
-Inferno will never implement a fully general FHIR server simulation, additional options may be added
-in the future based on community feedback.
+able to provide a list of resources to be read and a single static response that will be echoed for any
+other FHIR request made. While Inferno will never implement a fully general FHIR server simulation,
+additional options, such as may be added in the future based on community feedback.

data/lib/smart_app_launch/endpoints/echoing_fhir_responder_endpoint.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+require_relative '../urls'
+require_relative '../tags'
+require_relative 'mock_smart_server'
+
+module SMARTAppLaunch
+  class EchoingFHIRResponderEndpoint < Inferno::DSL::SuiteEndpoint
+    def test_run_identifier
+      MockSMARTServer.issued_token_to_client_id(request.headers['authorization']&.delete_prefix('Bearer '))
+    end
+
+    def make_response
+      return if response.status == 401 # set in update_result (expired token handling there)
+
+      response.content_type = 'application/fhir+json'
+      response.headers['Access-Control-Allow-Origin'] = '*'
+      response.status = 200
+
+      # look for read of provided resources
+      read_response = tester_provided_read_response_body
+      if read_response.present?
+        response.body = read_response.to_json
+        return
+      end
+
+      # If the tester provided a response, echo it
+      # otherwise, operation outcome
+      echo_response = JSON.parse(result.input_json)
+        .find { |input| input['name'].include?('echoed_fhir_response') }
+        &.dig('value')
+      if echo_response.present?
+        response.body = echo_response
+        return
+      end
+      
+      response.status = 400
+      response.body = FHIR::OperationOutcome.new(
+        issue: FHIR::OperationOutcome::Issue.new(
+          severity: 'fatal', code: 'required',
+          details: FHIR::CodeableConcept.new(text: 'No response provided to echo.')
+        )
+      ).to_json  
+    end
+
+    def update_result
+      if MockSMARTServer.request_has_expired_token?(request)
+        MockSMARTServer.update_response_for_expired_token(response, 'Bearer token')
+        return
+      end
+
+      nil # never update for now
+    end
+
+    def tags
+      [ACCESS_TAG]
+    end
+
+    def tester_provided_read_response_body
+      resource_type = request.params[:one]
+      id = request.params[:two]
+
+      return unless resource_type.present? && id.present?
+      
+      resource_type_class = 
+        begin
+          FHIR.const_get(resource_type)
+        rescue NameError
+          nil
+        end
+      return unless resource_type_class.present?
+
+      resource_bundle = ehr_input_bundle
+      return unless resource_bundle.present?
+
+      find_resource_in_bundle(resource_bundle, resource_type_class, id)
+    end
+
+    def ehr_input_bundle
+      ehr_bundle_input = 
+        JSON.parse(result.input_json).find { |input| input['name'] == 'fhir_read_resources_bundle' }&.dig('value')
+      ehr_bundle = FHIR.from_contents(ehr_bundle_input) if ehr_bundle_input.present?
+      return ehr_bundle if ehr_bundle.is_a?(FHIR::Bundle)
+      
+      nil
+    rescue StandardError
+      nil
+    end
+
+    def find_resource_in_bundle(bundle, resource_type_class, id)
+      bundle.entry&.find do |entry|
+        entry.resource.is_a?(resource_type_class) && entry.resource.id == id
+      end&.resource
+    end
+  end
+end

data/lib/smart_app_launch/endpoints/mock_smart_server/authorization_endpoint.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+require_relative '../../tags'
+require_relative 'smart_authorization_response_creation'
+
+module SMARTAppLaunch
+  module MockSMARTServer
+    class AuthorizationEndpoint < Inferno::DSL::SuiteEndpoint
+      include SMARTAuthorizationResponseCreation
+
+      def test_run_identifier  
+        request.params[:client_id]
+      end
+
+      def make_response
+        make_smart_authorization_response
+      end
+
+      def update_result
+        nil # never update for now
+      end
+
+      def tags
+        [AUTHORIZATION_TAG, AUTHORIZATION_CODE_TAG, SMART_TAG]
+      end
+    end
+  end
+end

data/lib/smart_app_launch/endpoints/mock_smart_server/introspection_endpoint.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+require_relative '../../tags'
+require_relative '../mock_smart_server'
+require_relative 'smart_introspection_response_creation'
+
+module SMARTAppLaunch
+  module MockSMARTServer
+    class IntrospectionEndpoint < Inferno::DSL::SuiteEndpoint
+      include SMARTIntrospectionResponseCreation
+
+      def test_run_identifier
+        MockSMARTServer.issued_token_to_client_id(request.params[:token])
+      end
+
+      def make_response
+        response.body = make_smart_introspection_response.to_json
+        response.headers['Cache-Control'] = 'no-store'
+        response.headers['Pragma'] = 'no-cache'
+        response.headers['Access-Control-Allow-Origin'] = '*'
+        response.content_type = 'application/json'
+        response.status = 200
+      end
+
+      def update_result
+        nil # never update for now
+      end
+
+      def tags
+        [INTROSPECTION_TAG, SMART_TAG]
+      end
+    end
+  end
+end