smart_app_launch_test_kit 0.6.2 → 0.6.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (67) hide show
  1. checksums.yaml +4 -4
  2. data/config/presets/SMART_RunClientAgainstServer.json.erb +3 -3
  3. data/lib/smart_app_launch/app_redirect_test.rb +3 -0
  4. data/lib/smart_app_launch/backend_services_authorization_request_success_test.rb +1 -0
  5. data/lib/smart_app_launch/backend_services_authorization_response_body_test.rb +11 -0
  6. data/lib/smart_app_launch/backend_services_invalid_client_assertion_test.rb +1 -0
  7. data/lib/smart_app_launch/backend_services_invalid_grant_type_test.rb +1 -0
  8. data/lib/smart_app_launch/client_stu2_2_suite.rb +8 -0
  9. data/lib/smart_app_launch/client_suite/access_alca_interaction_test.rb +5 -0
  10. data/lib/smart_app_launch/client_suite/access_alcs_interaction_test.rb +5 -0
  11. data/lib/smart_app_launch/client_suite/access_alp_interaction_test.rb +4 -0
  12. data/lib/smart_app_launch/client_suite/access_bsca_interaction_test.rb +3 -0
  13. data/lib/smart_app_launch/client_suite/authorization_request_verification_test.rb +11 -0
  14. data/lib/smart_app_launch/client_suite/registration_alca_group.rb +1 -1
  15. data/lib/smart_app_launch/client_suite/registration_alca_verification_test.rb +6 -1
  16. data/lib/smart_app_launch/client_suite/registration_alcs_verification_test.rb +4 -1
  17. data/lib/smart_app_launch/client_suite/registration_alp_verification_test.rb +3 -1
  18. data/lib/smart_app_launch/client_suite/registration_bsca_verification_test.rb +4 -0
  19. data/lib/smart_app_launch/client_suite/token_request_alca_verification_test.rb +15 -0
  20. data/lib/smart_app_launch/client_suite/token_request_alcs_verification_test.rb +6 -0
  21. data/lib/smart_app_launch/client_suite/token_request_alp_verification_test.rb +9 -0
  22. data/lib/smart_app_launch/client_suite/token_request_bsca_verification_test.rb +9 -1
  23. data/lib/smart_app_launch/client_suite/token_use_verification_test.rb +2 -1
  24. data/lib/smart_app_launch/code_received_test.rb +4 -0
  25. data/lib/smart_app_launch/cors_metadata_request_test.rb +2 -0
  26. data/lib/smart_app_launch/cors_openid_fhir_user_claim_test.rb +2 -0
  27. data/lib/smart_app_launch/cors_token_exchange_test.rb +2 -0
  28. data/lib/smart_app_launch/cors_well_known_endpoint_test.rb +2 -0
  29. data/lib/smart_app_launch/docs/smart_stu2_2_client_suite_description.md +1 -1
  30. data/lib/smart_app_launch/ehr_launch_group.rb +4 -0
  31. data/lib/smart_app_launch/endpoints/mock_smart_server/token_endpoint.rb +2 -2
  32. data/lib/smart_app_launch/endpoints/mock_smart_server.rb +3 -3
  33. data/lib/smart_app_launch/openid_connect_group_stu2_2.rb +1 -0
  34. data/lib/smart_app_launch/openid_decode_id_token_test.rb +2 -1
  35. data/lib/smart_app_launch/openid_fhir_user_claim_test.rb +1 -0
  36. data/lib/smart_app_launch/openid_required_configuration_fields_test.rb +2 -0
  37. data/lib/smart_app_launch/openid_retrieve_configuration_test.rb +1 -1
  38. data/lib/smart_app_launch/openid_retrieve_jwks_test.rb +3 -1
  39. data/lib/smart_app_launch/openid_token_header_test.rb +2 -0
  40. data/lib/smart_app_launch/openid_token_payload_test.rb +2 -0
  41. data/lib/smart_app_launch/requirements/generated/smart_access_brands_requirements_coverage.csv +1 -0
  42. data/lib/smart_app_launch/requirements/generated/smart_client_stu2_2_requirements_coverage.csv +193 -0
  43. data/lib/smart_app_launch/requirements/generated/smart_requirements_coverage.csv +1 -0
  44. data/lib/smart_app_launch/requirements/generated/smart_stu2_2_requirements_coverage.csv +305 -0
  45. data/lib/smart_app_launch/requirements/generated/smart_stu2_requirements_coverage.csv +1 -0
  46. data/lib/smart_app_launch/requirements/hl7.fhir.uv.smart-app-launch_2.0.0_Requirements.xlsx +0 -0
  47. data/lib/smart_app_launch/requirements/hl7.fhir.uv.smart-app-launch_2.2.0_Requirements.xlsx +0 -0
  48. data/lib/smart_app_launch/requirements/smart_app_launch_test_kit_requirements.csv +1017 -0
  49. data/lib/smart_app_launch/smart_access_brands_group.rb +1 -0
  50. data/lib/smart_app_launch/smart_access_brands_retrieve_bundle_test.rb +4 -1
  51. data/lib/smart_app_launch/smart_access_brands_validate_brands_test.rb +2 -0
  52. data/lib/smart_app_launch/smart_access_brands_validate_bundle_test.rb +5 -1
  53. data/lib/smart_app_launch/smart_access_brands_validate_endpoint_urls_test.rb +1 -0
  54. data/lib/smart_app_launch/smart_access_brands_validate_endpoints_test.rb +3 -1
  55. data/lib/smart_app_launch/smart_stu2_2_suite.rb +8 -0
  56. data/lib/smart_app_launch/standalone_launch_group.rb +4 -0
  57. data/lib/smart_app_launch/token_introspection_group_stu2_2.rb +1 -0
  58. data/lib/smart_app_launch/token_introspection_response_group.rb +9 -2
  59. data/lib/smart_app_launch/token_refresh_body_test.rb +6 -0
  60. data/lib/smart_app_launch/token_refresh_stu2_test.rb +2 -1
  61. data/lib/smart_app_launch/token_refresh_test.rb +1 -1
  62. data/lib/smart_app_launch/token_response_body_test_stu2_2.rb +8 -0
  63. data/lib/smart_app_launch/token_response_headers_test.rb +2 -0
  64. data/lib/smart_app_launch/version.rb +2 -2
  65. data/lib/smart_app_launch/well_known_capabilities_stu2_test.rb +9 -1
  66. data/lib/smart_app_launch/well_known_endpoint_test.rb +5 -0
  67. metadata +26 -4
data/lib/smart_app_launch/requirements/generated/smart_client_stu2_2_requirements_coverage.csv ADDED
@@ -0,0 +1,193 @@
1
+ Req Set,ID,URL,Requirement,Conformance,Actors,Conditionality,Not Tested Reason,Not Tested Details,SMART App Launch STU2.2 Client Short ID(s),SMART App Launch STU2.2 Client Full ID(s)
2
+ hl7.fhir.uv.smart-app-launch_2.2.0,1,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#app-protection,"Apps SHALL ensure that when protocol steps include transmission of sensitive information (authentication secrets, authorization codes, tokens), transmission is ONLY to authenticated servers, over TLS-secured channels.",SHALL,Client,,,,"",""
3
+ hl7.fhir.uv.smart-app-launch_2.2.0,2,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#app-protection,Apps SHALL generate an unpredictable `state` parameter for each user session,SHALL,Client,,,,"",""
4
+ hl7.fhir.uv.smart-app-launch_2.2.0,3,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#app-protection,Apps SHALL... include `state` with all authorization requests,SHALL,Client,,,,"5.05, 5.06, 5.07","smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alca_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alcs_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alp_verification"
5
+ hl7.fhir.uv.smart-app-launch_2.2.0,4,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#app-protection,App SHALL ... validate the `state` value for any request sent to its redirect URL.,SHALL,Client,,,,"",""
6
+ hl7.fhir.uv.smart-app-launch_2.2.0,5,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#app-protection,An app SHALL NOT execute untrusted user-supplied inputs as code.,SHALL NOT,Client,,,,"",""
7
+ hl7.fhir.uv.smart-app-launch_2.2.0,6,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#app-protection,An app SHALL NOT forward values passed back to its redirect URL to any other arbitrary or user-provided URL (a practice known as an “open redirector”).,SHALL NOT,Client,,,,"",""
8
+ hl7.fhir.uv.smart-app-launch_2.2.0,7,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#app-protection,An app SHALL NOT store bearer tokens in cookies that are transmitted as clear text.,SHALL NOT,Client,,,,"",""
9
+ hl7.fhir.uv.smart-app-launch_2.2.0,8,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#app-protection,Apps SHOULD persist tokens and other sensitive data in app-specific storage locations only,SHOULD,Client,,,,"",""
10
+ hl7.fhir.uv.smart-app-launch_2.2.0,9,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#app-protection,Apps... SHOULD NOT persist [tokens and other sensitive data] … in system-wide-discoverable locations.,SHOULD,Client,,,,"",""
11
+ hl7.fhir.uv.smart-app-launch_2.2.0,10,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#support-for-public-and-confidential-apps,"any “secret” key, code, or string that is statically embedded in the app can potentially be extracted by an end-user or attacker. Hence security for these apps cannot depend on secrets embedded at install-time.",SHOULD NOT,Client,,,,"",""
12
+ hl7.fhir.uv.smart-app-launch_2.2.0,11,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#determining-the-appropriate-app-type,"[U]se a `confidential app`[if your app is able to protect a secret]
13
+
14
+ Example: App runs on a trusted server with only server-side access to the secret
15
+ Example: App is a native app that uses additional technology (such as dynamic client registration and universal redirect_uris) to protect the secret",SHOULD,Client,,,,5.01,smart_client_stu2_2-smart_client_access-smart_client_access_alca_interaction
16
+ hl7.fhir.uv.smart-app-launch_2.2.0,12,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#determining-the-appropriate-app-type,"[U]se a `public app`[if your app is not able to protect a secret]
17
+
18
+ Example: App is an HTML5 or JS in-browser app (including single-page applications) that would expose the secret in user space
19
+ Example: App is a native app that can only distribute a secret statically",SHOULD,Client,,,,"5.02, 5.03","smart_client_stu2_2-smart_client_access-smart_client_access_alcs_interaction, smart_client_stu2_2-smart_client_access-smart_client_access_alp_interaction"
20
+ hl7.fhir.uv.smart-app-launch_2.2.0,13,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-pkce-support,All SMART apps SHALL support Proof Key for Code Exchange [(PKCE)](https://tools.ietf.org/html/rfc7636),SHALL,Client,,,,"5.08, 5.09, 5.10, 5.11","smart_client_stu2_2-smart_client_access-smart_client_token_request_alca_verification, smart_client_stu2_2-smart_client_access-smart_client_token_request_alcs_verification, smart_client_stu2_2-smart_client_access-smart_client_token_request_alp_verification, smart_client_stu2_2-smart_client_access-smart_client_token_request_bsca_verification"
21
+ hl7.fhir.uv.smart-app-launch_2.2.0,20,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request,"at registration time every SMART app SHALL:
22
+
23
+ Register zero or more fixed, fully-specified launch URL with the EHR’s authorization server",SHALL,Client,,,,"1.01, 2.01, 3.01","smart_client_stu2_2-smart_client_registration_alca-smart_client_registration_alca_verification, smart_client_stu2_2-smart_client_registration_alcs-smart_client_registration_alcs_verification, smart_client_stu2_2-smart_client_registration_alp-smart_client_registration_alp_verification"
24
+ hl7.fhir.uv.smart-app-launch_2.2.0,21,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request,"at registration time every SMART app SHALL: ...
25
+ Register one or more fixed, fully-specified `redirect_uri` s with the EHR’s authorization server.",SHALL,Client,,,,"1.01, 2.01, 3.01","smart_client_stu2_2-smart_client_registration_alca-smart_client_registration_alca_verification, smart_client_stu2_2-smart_client_registration_alcs-smart_client_registration_alcs_verification, smart_client_stu2_2-smart_client_registration_alp-smart_client_registration_alp_verification"
26
+ hl7.fhir.uv.smart-app-launch_2.2.0,22,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request,"For confidential clients, additional registration-time requirements are defined based on the client authentication method. ... For asymmetric client authentication: a [JSON Web Key Set or JWSK URL](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys) is established",SHALL,Client,,,,"1.01, 4.01","smart_client_stu2_2-smart_client_registration_alca-smart_client_registration_alca_verification, smart_client_stu2_2-smart_client_registration_bsca-smart_client_registration_bsca_verification"
27
+ hl7.fhir.uv.smart-app-launch_2.2.0,23,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request,"For confidential clients, additional registration-time requirements are defined based on the client authentication method. ...
28
+ For symmetric client authentication: a [client secret](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html) is established",SHALL,Client,,,,2.01,smart_client_stu2_2-smart_client_registration_alcs-smart_client_registration_alcs_verification
29
+ hl7.fhir.uv.smart-app-launch_2.2.0,29,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#retrieve-well-knownsmart-configuration,"the app discovers the EHR FHIR server’s SMART configuration metadata, including OAuth `authorization_endpoint` and `token_endpoint` URLs.
30
+ The discovery URL is constructed by appending .well-known/smart-configuration to the FHIR Base URL. The app issues an HTTP GET to the discovery URL with an Accept header supporting application/json.",SHALL,Client,,,,"",""
31
+ hl7.fhir.uv.smart-app-launch_2.2.0,32,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,[When] the app constructs a request for an authorization code … [the] `response_type` [parameter is] required [and SHALL contain the] fixed value: `code`.,SHALL,Client,,,,"5.05, 5.06, 5.07","smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alca_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alcs_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alp_verification"
32
+ hl7.fhir.uv.smart-app-launch_2.2.0,33,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,[When] the app constructs a request for an authorization code … [the] `client_id` [parameter is] required [and SHALL contain the] client's identifier [provided during registration].,SHALL,Client,,,,"5.05, 5.06, 5.07","smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alca_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alcs_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alp_verification"
33
+ hl7.fhir.uv.smart-app-launch_2.2.0,34,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,[When] the app constructs a request for an authorization code... [the] `redirect_uri`[parameter is] required [and] Must match one of the client's pre-registered redirect URIs,SHALL,Client,,,,"5.05, 5.06, 5.07","smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alca_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alcs_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alp_verification"
34
+ hl7.fhir.uv.smart-app-launch_2.2.0,35,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code … [in the EHR Launch flow, the] `launch`[parameter is required, and] must match the launch value received from the EHR.",SHALL,Client,,,,"5.05, 5.06, 5.07","smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alca_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alcs_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alp_verification"
35
+ hl7.fhir.uv.smart-app-launch_2.2.0,36,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code … [in the `Standalone Launch` flow, the] `launch` [parameter is] omitted",SHALL,Client,,,,"",""
36
+ hl7.fhir.uv.smart-app-launch_2.2.0,37,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,[When] the app constructs a request for an authorization code [the] … `scope` [parameter is] `required` [and m]ust describe the access that the app needs.,SHALL,Client,,,,"5.05, 5.06, 5.07","smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alca_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alcs_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alp_verification"
37
+ hl7.fhir.uv.smart-app-launch_2.2.0,39,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,[When] the app constructs a request for an authorization code [the] … `state` [parameter is] `required` [and] The parameter SHALL be used for preventing cross-site request forgery or session fixation attacks,SHALL,Client,,,,"",""
38
+ hl7.fhir.uv.smart-app-launch_2.2.0,40,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code [the] … `state` [parameter is] `required` [and] ... The app SHALL use an unpredictable value for the state parameter with at least 122 bits of entropy (e.g., a properly configured random uuid is suitable).",SHALL,Client,,,,"",""
39
+ hl7.fhir.uv.smart-app-launch_2.2.0,41,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code [the] … `aud` [parameter is] `required` ... [and SHALL contain the] URL of the EHR resource server from which the app wishes to retrieve FHIR data.
40
+ (Note that in the case of an EHR launch flow, this `aud` value is the same as the launch's `iss` value.)",SHALL,Client,,,,"5.05, 5.06, 5.07","smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alca_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alcs_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alp_verification"
41
+ hl7.fhir.uv.smart-app-launch_2.2.0,42,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,[When] the app constructs a request for an authorization code [the] … servers SHALL support the `aud` parameter,SHALL,Client,,,,"5.05, 5.06, 5.07","smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alca_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alcs_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alp_verification"
42
+ hl7.fhir.uv.smart-app-launch_2.2.0,43,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,[When] the app constructs a request for an authorization code [the] … servers MAY support a `resource` parameter as a synonym for `aud`.,MAY,Client,,,,"",""
43
+ hl7.fhir.uv.smart-app-launch_2.2.0,44,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code [the] … `code_challenge` [parameter is] `required` ... [and] is generated by the app and used for the code challenge, as specified by [PKCE](https://tools.ietf.org/html/rfc7636).
44
+ See [considerations-for-pkce-support](https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-pkce-support).",SHALL,Client,,,,"5.05, 5.06, 5.07","smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alca_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alcs_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alp_verification"
45
+ hl7.fhir.uv.smart-app-launch_2.2.0,45,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,[When] the app constructs a request for an authorization code [the] … `code_challenge_method` [parameter is] `required` ... [and Shall include the] Method used for the `code_challenge` parameter.,SHALL,Client,,,,"5.05, 5.06, 5.07","smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alca_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alcs_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alp_verification"
46
+ hl7.fhir.uv.smart-app-launch_2.2.0,46,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code ... The app SHOULD limit its requested scopes to the minimum necessary (i.e., minimizing the requested data categories and the requested duration of access).",SHOULD,Client,,,,"",""
47
+ hl7.fhir.uv.smart-app-launch_2.2.0,47,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"[When an app requests an authorization code] If the app needs to authenticate the identity of or retrieve information about the end-user, it should include two OpenID Connect scopes: `openid` and `fhirUser`. When these scopes are requested and the request is granted, the app will receive an id_token along with the access token.",SHALL,Client,,,,"",""
48
+ hl7.fhir.uv.smart-app-launch_2.2.0,50,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,Clients SHALL use either the HTTP GET or the HTTP POST method to send the Authorization Request to the Authorization Server.,SHALL,Client,,,,"",""
49
+ hl7.fhir.uv.smart-app-launch_2.2.0,51,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"If [clients are] using the HTTP GET method [for Authorization Requests], the request parameters are serialized using URI Query String Serialization.",SHALL,Client,,,,"",""
50
+ hl7.fhir.uv.smart-app-launch_2.2.0,52,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"If [clients are] using the HTTP POST method [for Authorization Requests], the request parameters are serialized using Form Serialization and the application/x-www-form-urlencoded content type.",SHALL,Client,,,,"",""
51
+ hl7.fhir.uv.smart-app-launch_2.2.0,60,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-4,[When an authorization repsonse is received t]he app SHALL validate the value of the state parameter [sent by the server] upon return to the redirect URL [matches the value the client sent in the authroization request].,SHALL,Client,,,,"",""
52
+ hl7.fhir.uv.smart-app-launch_2.2.0,61,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-4,"The app… SHALL ensure that the state value [associated with the authorization request and response] is securely tied to the user’s current session (e.g., by relating the state value to a session identifier issued by the app).",SHALL,Client,,,,"",""
53
+ hl7.fhir.uv.smart-app-launch_2.2.0,62,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,After obtaining an authorization code the app trades the code for an access token... [by issusing] an HTTP `POST` to the EHR authorization server’s token endpoint URL using content-type `application/x-www-form-urlencoded` as described in section 4.1.3 of [RFC6749](https://tools.ietf.org/html/rfc6749#section-4.1.3).,SHALL,Client,,,,"",""
54
+ hl7.fhir.uv.smart-app-launch_2.2.0,63,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,"For `public apps`, authentication is not required [when making requests to the token endpoint] because a client with no secret cannot prove its identity when it issues a call. (The end-to-end system can still be secure because the client comes from a known, https-protected endpoint specified and enforced by the redirect uri.)",SHALL NOT,Client,,,,"5.03, 5.10","smart_client_stu2_2-smart_client_access-smart_client_access_alp_interaction, smart_client_stu2_2-smart_client_access-smart_client_token_request_alp_verification"
55
+ hl7.fhir.uv.smart-app-launch_2.2.0,64,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,"For `confidential apps`, authentication is required [when making requests to the token endpoint].",SHALL,Client,,,,"5.01, 5.02, 5.08, 5.09","smart_client_stu2_2-smart_client_access-smart_client_access_alca_interaction, smart_client_stu2_2-smart_client_access-smart_client_access_alcs_interaction, smart_client_stu2_2-smart_client_access-smart_client_token_request_alca_verification, smart_client_stu2_2-smart_client_access-smart_client_token_request_alcs_verification"
56
+ hl7.fhir.uv.smart-app-launch_2.2.0,65,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,"Confidential clients SHOULD use [Asymmetric Authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html) [for authentication when making requests to the token endpoint] if available,",SHOULD,Client,,,,5.01,smart_client_stu2_2-smart_client_access-smart_client_access_alca_interaction
57
+ hl7.fhir.uv.smart-app-launch_2.2.0,66,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,Confidential clients ... MAY use [Symmetric Authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html) [for authentication when making requests to the token endpoint].,MAY,Client,,,,5.02,smart_client_stu2_2-smart_client_access-smart_client_access_alcs_interaction
58
+ hl7.fhir.uv.smart-app-launch_2.2.0,67,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,[When an app requests an access token the] `grant_type`[parameter is] `required` [and SHALL contain the] fixed value: `authorization_code`,SHALL,Client,,,,5.10,smart_client_stu2_2-smart_client_access-smart_client_token_request_alp_verification
59
+ hl7.fhir.uv.smart-app-launch_2.2.0,68,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,[When an app requests an access token the] `code`[parameter is] `required` [and SHALL contain the authorizaion c]ode that the app received from the authorization server,SHALL,Client,,,,"5.08, 5.09, 5.10","smart_client_stu2_2-smart_client_access-smart_client_token_request_alca_verification, smart_client_stu2_2-smart_client_access-smart_client_token_request_alcs_verification, smart_client_stu2_2-smart_client_access-smart_client_token_request_alp_verification"
60
+ hl7.fhir.uv.smart-app-launch_2.2.0,69,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,[When an app requests an access token the] `redirect_uri`[parameter is] `required`[and SHALL contain the] same redirect_uri used in the initial authorization request,SHALL,Client,,,,"5.08, 5.09, 5.10","smart_client_stu2_2-smart_client_access-smart_client_token_request_alca_verification, smart_client_stu2_2-smart_client_access-smart_client_token_request_alcs_verification, smart_client_stu2_2-smart_client_access-smart_client_token_request_alp_verification"
61
+ hl7.fhir.uv.smart-app-launch_2.2.0,70,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,[When an app requests an access token the] `code_verifier`[parameter is] `required`[and SHALL be] ... used to verify against the `code_challenge` parameter previously provided in the authorize request.,SHALL,Client,,,,"5.08, 5.09, 5.10","smart_client_stu2_2-smart_client_access-smart_client_token_request_alca_verification, smart_client_stu2_2-smart_client_access-smart_client_token_request_alcs_verification, smart_client_stu2_2-smart_client_access-smart_client_token_request_alp_verification"
62
+ hl7.fhir.uv.smart-app-launch_2.2.0,71,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,[When an app requests an access token the] `client_id`[parameter is] required for `public apps`,SHALL,Client,,,,"5.03, 5.10","smart_client_stu2_2-smart_client_access-smart_client_access_alp_interaction, smart_client_stu2_2-smart_client_access-smart_client_token_request_alp_verification"
63
+ hl7.fhir.uv.smart-app-launch_2.2.0,72,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,[when an app requests an access token the] `client_id`[parameter is] ...omit[ed] for `confidential apps`,SHALL NOT,Client,,,,"",""
64
+ hl7.fhir.uv.smart-app-launch_2.2.0,90,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,"Apps SHOULD store tokens in app-specific storage locations only, and not in system-wide-discoverable locations.",SHOULD,Client,,,,"",""
65
+ hl7.fhir.uv.smart-app-launch_2.2.0,93,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-6,[When] fetch[ing] FHIR Resources… The [Client] app [SHALL} issue a request that includes an `Authorization` header that presents the `access_token` as a “Bearer” token,SHALL,Client,,,,"",""
66
+ hl7.fhir.uv.smart-app-launch_2.2.0,97,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-6,"[When an app may receives] a FHIR resource that contains a “reference” to a resource hosted on a different resource server … [it] SHOULD NOT blindly follow such references and send along its access_token, as the token may be subject to potential theft.",SHOULD NOT,Client,,,,"",""
67
+ hl7.fhir.uv.smart-app-launch_2.2.0,98,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-6,"[When an app may receives] a FHIR resource that contains a “reference” to a resource hosted on a different resource serve … [it] SHOULD either ignore the reference, or initiate a new request for access to that resource.",SHOULD,Client,,,,"",""
68
+ hl7.fhir.uv.smart-app-launch_2.2.0,105,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-7,[When requesting a new access token using a refresh token the] `grant_type` [parameter is] `required`[and SHALL contain the] Fixed value: `refresh_token`,SHALL,Client,,,,"5.08, 5.09, 5.10, 5.11","smart_client_stu2_2-smart_client_access-smart_client_token_request_alca_verification, smart_client_stu2_2-smart_client_access-smart_client_token_request_alcs_verification, smart_client_stu2_2-smart_client_access-smart_client_token_request_alp_verification, smart_client_stu2_2-smart_client_access-smart_client_token_request_bsca_verification"
69
+ hl7.fhir.uv.smart-app-launch_2.2.0,106,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-7,[When requesting a new access token using a refresh token the] `refresh_token` [parameter is] `required`[and SHALL contain the] The refresh token from a prior authorization response,SHALL,Client,,,,"",""
70
+ hl7.fhir.uv.smart-app-launch_2.2.0,107,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-7,[When requesting a new access token using a refresh token the] `scope` [parameter is] `optional`[and MAY contain the] scopes of access requested.,MAY,Client,,,,"",""
71
+ hl7.fhir.uv.smart-app-launch_2.2.0,108,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-7,"[When requesting a new access token using a refresh token the] `scope` [parameter is] present, it must be a strict sub-set of the scopes granted in the original launch (no new permissions can be obtained at refresh time).",SHALL,Client,,,,"",""
72
+ hl7.fhir.uv.smart-app-launch_2.2.0,117,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-7,"[When receiving a response to a request for a new access token using a refresh token if the] `refresh_token` [parameter is] present, the app should discard any previous refresh_token associated with this launch and replace it with this new value",SHOULD,Client,,,,"",""
73
+ hl7.fhir.uv.smart-app-launch_2.2.0,120,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"[Client, SHALL include scope] `c` for `create`[to request the ability to perform] Type level [create](http://hl7.org/fhir/http.html#create)",SHALL,Client,,,,"",""
74
+ hl7.fhir.uv.smart-app-launch_2.2.0,121,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"[Client, SHALL include scope] `r` for `read` [to request the ability to perform] Instance level [read](http://hl7.org/fhir/http.html#read), Instance level [vread](http://hl7.org/fhir/http.html#vread), and Instance level [history](http://hl7.org/fhir/http.html#history)",SHALL,Client,,,,"",""
75
+ hl7.fhir.uv.smart-app-launch_2.2.0,122,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"[Client, SHALL include scope] `u` for `update`[to request the ability to perform] Instance level [update](http://hl7.org/fhir/http.html#update)] ..., and Instance level [patch](http://hl7.org/fhir/http.html#patch)",SHALL,Client,,,,"",""
76
+ hl7.fhir.uv.smart-app-launch_2.2.0,124,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"[Client, SHALL include scope] `d` for `delete` [to request the ability to perform] Type level [delete](http://hl7.org/fhir/http.html#delete)]",SHALL,Client,,,,"",""
77
+ hl7.fhir.uv.smart-app-launch_2.2.0,125,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"[Client, SHALL include scope] `s` for `search`[to request the ability to perform] Type level [search](http://hl7.org/fhir/http.html#search), Type level [history](http://hl7.org/fhir/http.html#history), System level [search](http://hl7.org/fhir/http.html#search), and System level [history](http://hl7.org/fhir/http.html#history)",SHALL,Client,,,,"",""
78
+ hl7.fhir.uv.smart-app-launch_2.2.0,131,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scope-equivalence,"Scopes can be combined to represent a union of access… In order to reduce token size, it is recommended that scopes be factored to their shortest form.",SHOULD,Client,,,,"",""
79
+ hl7.fhir.uv.smart-app-launch_2.2.0,132,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#finer-grained-resource-constraints-using-search-parameters,"[To request a scope that applies to a subset of instances of a resource type, clients SHALL] add a query string suffix to existing scopes, starting with `?` and followed by a series of `param=value` items separated by `&`",SHALL,Client,true,,,"",""
80
+ hl7.fhir.uv.smart-app-launch_2.2.0,133,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scope-size-over-the-wire,"When initiating an authorization request, app developers should prefer POST-based authorization requests to GET-based requests, since this avoids URL length limits that might apply to GET-based authorization requests.",SHOULD,Client,,,,"",""
81
+ hl7.fhir.uv.smart-app-launch_2.2.0,135,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhir-resource-scope-syntax,"[T]he scope language is [the following sequence of characters:
82
+ - one of ""patient"", ""user"", or ""system""
83
+ - ""/""
84
+ - either a FHIR resource type or ""*""
85
+ - "".""
86
+ - optional ""c""
87
+ - optional ""r""
88
+ - optional ""u""
89
+ - optional ""d""
90
+ - optional ""s""
91
+ - optional ""?"" followed by at least 1 ""<param>=<value>"" pairs, where <param> is a valid search parameter and <value> is a valid corresponding value, with each pair each separated by ""&"" if there are multiple]",SHALL,Client,,,,"",""
92
+ hl7.fhir.uv.smart-app-launch_2.2.0,137,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#patient-specific-scopes,[To request p]atient-specific scopes start [the scope string] with `patient/`,SHALL,Client,,,,"",""
93
+ hl7.fhir.uv.smart-app-launch_2.2.0,141,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#user-level-scopes,[To request u]ser-level scopes start [the scope string] with `user/`.,SHALL,Client,,,,"",""
94
+ hl7.fhir.uv.smart-app-launch_2.2.0,143,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#system-level-scopes,[To request s]ystem-level scopes start [the scope string] with `system/`.,SHALL,Client,,,,"",""
95
+ hl7.fhir.uv.smart-app-launch_2.2.0,146,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#wildcard-scopes,"[To request] Wildcard scopes [the scope string SHALL] contain a wildcard (`*`) for the FHIR resource [e.g., `patient/*.cruds`]",SHALL,Client,,,,"",""
96
+ hl7.fhir.uv.smart-app-launch_2.2.0,147,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#wildcard-scopes,clients should examine the granted scopes by the authorization server and respond accordingly. Failure to do so may lead to situations where the client receives an authorization failure by the FHIR server because it attempted to access FHIR resources beyond the granted scopes.,SHOULD,Client,,,,"",""
97
+ hl7.fhir.uv.smart-app-launch_2.2.0,148,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#wildcard-scopes,clients are encouraged to request only the scopes and permissions they need to function and avoid the use of wildcard scopes purely for the sake of convenience,SHOULD,Client,,,,"",""
98
+ hl7.fhir.uv.smart-app-launch_2.2.0,150,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,To request access to …[context data] an app [SHALL] ask for “launch context” scopes in addition to whatever FHIR Resource access scopes it needs.,SHALL,Client,,,,"",""
99
+ hl7.fhir.uv.smart-app-launch_2.2.0,151,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,"To request access to …[context data, the scope string SHALL] begin with `launch`.",SHALL,Client,,,,"",""
100
+ hl7.fhir.uv.smart-app-launch_2.2.0,152,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,[When clients n]eed patient context at launch time (FHIR Patient resource)[ they SHALL request the `launch/patient` scope].,SHALL,Client,,,,"",""
101
+ hl7.fhir.uv.smart-app-launch_2.2.0,153,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,[When clients n]eed encounter context at launch time (FHIR Encounter resource)[ they SHALL request the `launch/encounter` scope].,SHALL,Client,,,,"",""
102
+ hl7.fhir.uv.smart-app-launch_2.2.0,155,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,"When specifying resource types [for additional launch contexts], convert the type names to all lowercase (e.g., launch/diagnosticreport)",SHALL,Client,,,,"",""
103
+ hl7.fhir.uv.smart-app-launch_2.2.0,156,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,"In situations where the same resource type might be used for more than one purpose (e.g., in a medication reconciliation app, one List of at-home medications and another List of in-hospital medications), the app can [(and SHALL if needed)] solicit [launch] context with a specific role by appending `?role={role}` [to the end of the launch context scope].",SHALL,Client,,,,"",""
104
+ hl7.fhir.uv.smart-app-launch_2.2.0,157,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,When using `?role=` in launch context requests: Each requested scope can include at most one role.,SHOULD,Client,,,,"",""
105
+ hl7.fhir.uv.smart-app-launch_2.2.0,158,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,"When using `?role=` in launch context requests: ... If an app requires multiple roles, it MAY request multiple scopes",MAY,Client,,,,"",""
106
+ hl7.fhir.uv.smart-app-launch_2.2.0,161,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#apps-that-launch-from-the-ehr,"Apps that launch from the EHR will be passed an explicit URL parameter called `launch`, whose value must associate the app’s authorization request with the current EHR session.",SHALL,Client,,,,"",""
107
+ hl7.fhir.uv.smart-app-launch_2.2.0,162,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#apps-that-launch-from-the-ehr,"The application [that launches from an EHR] could choose to also provide `launch/patient`, `launch/encounter`, or other `launch/` scopes as “hints” regarding which contexts the app would like the EHR to gather.",MAY,Client,,,,"",""
108
+ hl7.fhir.uv.smart-app-launch_2.2.0,166,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#standalone-apps,Standalone apps that launch outside the EHR do not have any EHR context at the outset. These apps must explicitly request EHR context.,SHALL,Client,,,,"",""
109
+ hl7.fhir.uv.smart-app-launch_2.2.0,191,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"The absence of a role property [in a `fhirContext` array object] is semantically equivalent to a role of `""launch""`, indicating to a client [which SHALL interpret it to mean] that the app launch was performed in the context of the referenced resource.",SHALL,Client,,,,"",""
110
+ hl7.fhir.uv.smart-app-launch_2.2.0,193,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-intent,"If a SMART EHR provides a value that the client does not recognize, or does not provide a value, the client app SHOULD display a default application UI context.",SHOULD,Client,,,,"",""
111
+ hl7.fhir.uv.smart-app-launch_2.2.0,195,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,Some apps need to authenticate the end-user. This can be accomplished by requesting the scope `openid`.,MAY,Client,,,,"",""
112
+ hl7.fhir.uv.smart-app-launch_2.2.0,196,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"When the `openid` scope is requested, apps can [(if a FHIR representation of the user is needed, SHALL,)] also request the `fhirUser` scope to obtain a FHIR resource representation of the current user",SHALL,Client,true,,,"",""
113
+ hl7.fhir.uv.smart-app-launch_2.2.0,201,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,This token must be [validated according to the OIDC specification](http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation) [by the client app].,SHALL,Client,,,,"",""
114
+ hl7.fhir.uv.smart-app-launch_2.2.0,202,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To learn more about the user, the app should treat the `fhirUser` claim as the URL of a FHIR resource representing the current user [and SHALL perform a FHIR read interaction to get it].",SHALL,Client,,,,"",""
115
+ hl7.fhir.uv.smart-app-launch_2.2.0,211,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To be considered compatible with the SMART’s sso-openid-connect capability, … A SMART app SHALL NOT pass the `auth_time` claim or `max_age` parameter to a server that does not support receiving them.",SHALL NOT,Client,,,,"",""
116
+ hl7.fhir.uv.smart-app-launch_2.2.0,215,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-a-refresh-token,"To request a `refresh_token` that can be used to obtain a new access token after the current access token expires, add [the] `online_request` [scope that requests a refresh token that] … will be usable for as long as the end-user remains online.",SHALL,Client,,,,"",""
117
+ hl7.fhir.uv.smart-app-launch_2.2.0,216,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-a-refresh-token,"To request a `refresh_token` that can be used to obtain a new access token after the current access token expires, add [the] `offline_access`[Scope that requests a refresh token] … that will remain usable for as long as the authorization server and end-user will allow, regardless of whether the end-user is online.",SHALL,Client,,,,"",""
118
+ hl7.fhir.uv.smart-app-launch_2.2.0,218,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#steps-for-using-an-id-token,"[to use and ID token, Apps SHALL]
119
+ 1. Examine the ID token for its “issuer” property
120
+ 2.Perform a `GET {issuer}/.well-known/openid-configuration`
121
+ 3.Fetch the server’s JSON Web Key by following the “jwks_uri” property [from the retrieved `openid-configuration`]
122
+ 4. Validate the token’s signature against the public key [retrieved from the ""jwks_uri"" location in the token's `openid-configuration`]
123
+ 5.Extract the fhirUser claim [from the verified token] and treat it as the URL of a FHIR resource",SHALL,Client,,,,"",""
124
+ hl7.fhir.uv.smart-app-launch_2.2.0,219,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#appendix-uri-representation-of-scopes,"When URI representations are required, the SMART scopes SHALL be prefixed with `http://smarthealthit.org/fhir/scopes/`, so that a `patient/*.r` scope would be `http://smarthealthit.org/fhir/scopes/patient/*.r`",SHALL,Client,,,,"",""
125
+ hl7.fhir.uv.smart-app-launch_2.2.0,220,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#appendix-uri-representation-of-scopes,"To represent OpenID scopes as URIs, the prefix `http://openid.net/specs/openid-connect-core-1_0#` SHALL be used.",SHALL,Client,,,,"",""
126
+ hl7.fhir.uv.smart-app-launch_2.2.0,225,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#register-smart-backend-service-communicating-public-keys,"Before a SMART client can run against a FHIR server, the client SHALL register with the server by following the [registration steps described in `client-confidential-asymmetric` authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys).",SHALL,Client,,,,"",""
127
+ hl7.fhir.uv.smart-app-launch_2.2.0,226,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#retrieve-well-knownsmart-configuration,"[T]he app [SHALL discover] the EHR FHIR server’s SMART configuration metadata, including OAuth token endpoint URL",SHALL,Client,,,,"",""
128
+ hl7.fhir.uv.smart-app-launch_2.2.0,227,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request,The app [SHALL issue] an HTTP GET with an `Accept` header supporting `application/json` to retrieve the SMART configuration file [from [base]/.well-known/smart-configuration],SHALL,Client,,,,"",""
129
+ hl7.fhir.uv.smart-app-launch_2.2.0,229,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#obtain-access-token,Use of the client credentials grant type requires that the client SHALL be a “confidential” client capable of protecting its authentication credential.,SHALL,Client,,,,"5.02, 5.04, 5.11","smart_client_stu2_2-smart_client_access-smart_client_access_alcs_interaction, smart_client_stu2_2-smart_client_access-smart_client_access_bsca_interaction, smart_client_stu2_2-smart_client_access-smart_client_token_request_bsca_verification"
130
+ hl7.fhir.uv.smart-app-launch_2.2.0,230,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-1,"To begin the exchange, the client SHALL use the [Transport Layer Security (TLS) Protocol Version 1.2 (RFC5246)](https://tools.ietf.org/html/rfc5246) or a more recent version of TLS to authenticate the identity of the FHIR authorization server and to establish an encrypted, integrity-protected link for securing all exchanges between the client and the FHIR authorization server’s token endpoint.",SHALL,Client,,,,"",""
131
+ hl7.fhir.uv.smart-app-launch_2.2.0,232,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-1,All exchanges described herein between the client and the FHIR server SHALL be secured using TLS V1.2 or a more recent version of TLS .,SHALL,Client,,,,"",""
132
+ hl7.fhir.uv.smart-app-launch_2.2.0,233,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-1,"Before a client can request an access token, it [SHALL] generates a one-time-use authentication JWT [as described in `client-confidential-asymmetric` authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#authenticating-to-the-token-endpoint)",SHALL,Client,,,,"5.01, 5.04, 5.08, 5.11","smart_client_stu2_2-smart_client_access-smart_client_access_alca_interaction, smart_client_stu2_2-smart_client_access-smart_client_access_bsca_interaction, smart_client_stu2_2-smart_client_access-smart_client_token_request_alca_verification, smart_client_stu2_2-smart_client_access-smart_client_token_request_bsca_verification"
133
+ hl7.fhir.uv.smart-app-launch_2.2.0,234,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-1,"After generating this authentication JWT, the client requests an access token via HTTP `POST` to the FHIR authorization server’s token endpoint URL, using content-type `application/x-www-form-urlencoded`",SHALL,Client,,,,"",""
134
+ hl7.fhir.uv.smart-app-launch_2.2.0,235,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-1,[When requesting] an access token via HTTP POST to the FHIR authorization server’s token endpoint URL [the] `scope` [parameter is] `required` [and SHALL contain] … the scope of access requested ... following the [SMART Scopes syntax](https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html),SHALL,Client,,,,"5.05, 5.06, 5.07","smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alca_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alcs_verification, smart_client_stu2_2-smart_client_access-smart_client_authorization_request_alp_verification"
135
+ hl7.fhir.uv.smart-app-launch_2.2.0,236,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-1,[when requesting] an access token via HTTP POST to the FHIR authorization server’s token endpoint URL [the] `grant_type` [parameter is] `required` [and SHALL contain the] … Fixed value: `client_credentials`,SHALL,Client,,,,5.11,smart_client_stu2_2-smart_client_access-smart_client_token_request_bsca_verification
136
+ hl7.fhir.uv.smart-app-launch_2.2.0,237,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-1,[when requesting] an access token via HTTP POST to the FHIR authorization server’s token endpoint URL [the] `client_assertion_type` [parameter is] `required` [and SHALL contain] … Fixed value: `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`,SHALL,Client,,,,5.11,smart_client_stu2_2-smart_client_access-smart_client_token_request_bsca_verification
137
+ hl7.fhir.uv.smart-app-launch_2.2.0,238,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-1,[when requesting] an access token via HTTP POST to the FHIR authorization server’s token endpoint URL [the] `client_assertion` [parameter is] `required` [and SHALL contain] … [the s]igned authentication JWT value,SHALL,Client,,,,5.11,smart_client_stu2_2-smart_client_access-smart_client_token_request_bsca_verification
138
+ hl7.fhir.uv.smart-app-launch_2.2.0,239,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#scopes,"For Backend Services, requested scopes will be `system/` scopes",SHOULD,Client,,,,"",""
139
+ hl7.fhir.uv.smart-app-launch_2.2.0,242,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#scopes,"The use of Backend Services with user/ and patient/ scopes is not prohibited, but would require out-of-band coordination to establish context (e.g., to establish which user or patient applies).",MAY,Client,,,,"",""
140
+ hl7.fhir.uv.smart-app-launch_2.2.0,263,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,"To establish longer-term access [using backend services given the short-lived duration of access tokens], clients can request new access tokens as needed.",SHOULD,Client,,,,"",""
141
+ hl7.fhir.uv.smart-app-launch_2.2.0,264,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-2,The app [SHALL issue] a request [for FHIR data[ that includes an Authorization header that presents the access_token as a “Bearer” token: `Authorization: Bearer {{access_token}}`,SHALL,Client,,,,"",""
142
+ hl7.fhir.uv.smart-app-launch_2.2.0,267,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#response-2,"On occasion, a Backend Service [client] may receive a FHIR resource that contains a “reference” to a resource hosted on a different resource server. The Backend Service [client] SHOULD NOT blindly follow such references and send along its access_token, as the token may be subject to potential theft",SHOULD NOT,Client,,,,"5.11, 5.12","smart_client_stu2_2-smart_client_access-smart_client_token_request_bsca_verification, smart_client_stu2_2-smart_client_access-smart_client_token_use_verification"
143
+ hl7.fhir.uv.smart-app-launch_2.2.0,268,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#response-2,"On occasion, a Backend Service may receive a FHIR resource that contains a “reference” to a resource hosted on a different resource server… The Backend Service [client] SHOULD either ignore the reference, or initiate a new request for access to that resource.",SHOULD,Client,,,,"",""
144
+ hl7.fhir.uv.smart-app-launch_2.2.0,270,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#token-introspection,Token Introspection is conducted [and clients SHALL make requests] according to [RFC 7662: OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662),SHALL,Client,,,,"",""
145
+ hl7.fhir.uv.smart-app-launch_2.2.0,290,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"Before a SMART client can run against a FHIR server, the client SHALL generate or obtain an asymmetric key pair",SHALL,Client,,,,"",""
146
+ hl7.fhir.uv.smart-app-launch_2.2.0,291,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"Before a SMART client can run against a FHIR server, the client SHALL ... register its public key set with that FHIR server’s authorization service (referred to below as the “FHIR authorization server”).",SHALL,Client,,,,"",""
147
+ hl7.fhir.uv.smart-app-launch_2.2.0,292,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"SMART does not require a standards-based registration process, but we encourage FHIR service implementers to consider using the [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/draft-ietf-oauth-dyn-reg)",SHOULD,Client,,,,"",""
148
+ hl7.fhir.uv.smart-app-launch_2.2.0,293,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,[Before using the `client-confidential-asymmetric`capability t]he client SHALL register the **public key** that the client will use to authenticate itself to the FHIR authorization server.,SHALL,Client,,,,"1.01, 4.01","smart_client_stu2_2-smart_client_registration_alca-smart_client_registration_alca_verification, smart_client_stu2_2-smart_client_registration_bsca-smart_client_registration_bsca_verification"
149
+ hl7.fhir.uv.smart-app-launch_2.2.0,294,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[When registering a public key for the `client-confidential-asymmetric`capability t]he public key SHALL be conveyed to the FHIR authorization server in a [JSON Web Key (JWK)](https://tools.ietf.org/html/rfc7517) structure presented within a JWK Set, as defined in JSON Web Key Set (JWKS).",SHALL,Client,,,,"1.01, 4.01","smart_client_stu2_2-smart_client_registration_alca-smart_client_registration_alca_verification, smart_client_stu2_2-smart_client_registration_bsca-smart_client_registration_bsca_verification"
150
+ hl7.fhir.uv.smart-app-launch_2.2.0,295,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,The client SHALL protect the associated private key [for the `client-confidential-asymmetric`capability] from unauthorized disclosure and corruption.,SHALL,Client,,,,"",""
151
+ hl7.fhir.uv.smart-app-launch_2.2.0,298,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,clients SHALL choose a server-supported method [for communicating their JWKs] at registration time,SHALL,Client,,,,"",""
152
+ hl7.fhir.uv.smart-app-launch_2.2.0,299,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[When registering their JWKs to a server for use in the `client-confidential-asymmetric`capability`, clients SHOULD send a] URL to JWK Set (strongly preferred).",SHOULD,Client,,,,"",""
153
+ hl7.fhir.uv.smart-app-launch_2.2.0,300,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[When registering their JWKs to a server for use in the `client-confidential-asymmetric`capability`, clients MAY send the] JWK Set directly (strongly discouraged)",MAY,Client,,,,"",""
154
+ hl7.fhir.uv.smart-app-launch_2.2.0,301,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[For the URL to JWK Set method, the value SHALL be] the TLS-protected endpoint where the client’s public JWK Set can be found",SHALL,Client,,,,"",""
155
+ hl7.fhir.uv.smart-app-launch_2.2.0,302,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[For the URL to JWK Set method to register a JWK for use in the `client-confidential-asymmetric`capability`, the value] ... SHALL be accessible via TLS without client authentication or authorization",SHALL,Client,,,,"",""
156
+ hl7.fhir.uv.smart-app-launch_2.2.0,303,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,[For the URL to JWK Set method to register a JWK for use in the `client-confidential-asymmetric`capability` t]he client SHOULD return a “Cache-Control” header in its JWKS response,SHOULD,Client,,,,"",""
157
+ hl7.fhir.uv.smart-app-launch_2.2.0,304,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"If a client cannot host the JWK Set at a TLS-protected URL [when registering a JWK for use in the `client-confidential-asymmetric`capability,] it MAY supply the JWK Set directly to the FHIR authorization server at registration time",MAY,Client,,,,"",""
158
+ hl7.fhir.uv.smart-app-launch_2.2.0,307,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,The client SHALL be capable of generating a JSON Web Signature in accordance with [RFC7515](https://tools.ietf.org/html/rfc7515).,SHALL,Client,,,,"",""
159
+ hl7.fhir.uv.smart-app-launch_2.2.0,308,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,The client SHALL support ... `RS384` … for the JSON Web Algorithm (JWA) header parameter as defined in [RFC7518](https://tools.ietf.org/html/rfc7518).,SHALL,Client,,,,"",""
160
+ hl7.fhir.uv.smart-app-launch_2.2.0,309,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,The client SHALL support ... `ES384` for the JSON Web Algorithm (JWA) header parameter as defined in [RFC7518](https://tools.ietf.org/html/rfc7518).,SHALL,Client,,,,"",""
161
+ hl7.fhir.uv.smart-app-launch_2.2.0,312,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,clients ... MAY … use additional algorithms for signature validation [when using the `client-confidential-asymmetric`capability].,MAY,Client,,,,"",""
162
+ hl7.fhir.uv.smart-app-launch_2.2.0,313,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"No matter how a JWK Set is communicated to the FHIR authorization server, each JWK SHALL represent an asymmetric key by including `kty` and `kid` properties, with content conveyed using “bare key” properties (i.e., direct base64 encoding of key material as integer values)",SHALL,Client,,,,"",""
163
+ hl7.fhir.uv.smart-app-launch_2.2.0,314,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"For RSA public keys, each JWK SHALL include `n` and `e` values (modulus and exponent)",SHALL,Client,,,,"",""
164
+ hl7.fhir.uv.smart-app-launch_2.2.0,315,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"For ECDSA public keys, each JWK SHALL include `crv`, `x`, and `y` values (curve, x-coordinate, and y-coordinate, for EC keys)",SHALL,Client,,,,"",""
165
+ hl7.fhir.uv.smart-app-launch_2.2.0,317,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,[T]he client SHALL use [their assigned `client_id`] when requesting an access token.,SHALL,Client,,,,5.10,smart_client_stu2_2-smart_client_access-smart_client_token_request_alp_verification
166
+ hl7.fhir.uv.smart-app-launch_2.2.0,318,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#authenticating-to-the-token-endpoint,"the client SHALL use the [Transport Layer Security (TLS) Protocol Version 1.2 (RFC5246)](https://tools.ietf.org/html/rfc5246) or a more recent version of TLS to authenticate the identity of the FHIR authorization server and to establish an encrypted, integrity-protected link for securing all exchanges between the client and the FHIR authorization server’s token endpoint.",SHALL,Client,,,,"",""
167
+ hl7.fhir.uv.smart-app-launch_2.2.0,319,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"Before a client can request an access token, it SHALL generate a one-time-use JSON Web Token (JWT) that will be used to authenticate the client to the FHIR authorization server.",SHALL,Client,,,,"",""
168
+ hl7.fhir.uv.smart-app-launch_2.2.0,320,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,The authentication JWT … SHALL be signed with the client’s private key (which SHOULD be an `RS384` or `ES384` signature).,SHALL,Client,,,,"",""
169
+ hl7.fhir.uv.smart-app-launch_2.2.0,321,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`alg`[Authentication JWT header value is] `required` [and SHALL contain t]he JWA algorithm (e.g., RS384, ES384) used for signing the authentication JWT.",SHALL,Client,,,,"",""
170
+ hl7.fhir.uv.smart-app-launch_2.2.0,322,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`kid`[Authentication JWT header value is] `required` [and SHALL contain t]he identifier of the key-pair used to sign this JWT [which] SHALL be unique within the client's JWK Set.,SHALL,Client,,,,"",""
171
+ hl7.fhir.uv.smart-app-launch_2.2.0,323,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`typ`[header value is] `required`[with] Fixed value: JWT.,SHALL,Client,,,,5.08,smart_client_stu2_2-smart_client_access-smart_client_token_request_alca_verification
172
+ hl7.fhir.uv.smart-app-launch_2.2.0,324,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`jku`[header value is] `optional` [and contains t]he TLS-protected URL to the JWK Set that contains the public key(s) accessible without authentication or authorization.,MAY,Client,,,,"",""
173
+ hl7.fhir.uv.smart-app-launch_2.2.0,325,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"When [the `jku` Authentication JWT header value is] present, this SHALL match the JWKS URL value that the client supplied to the FHIR authorization server at client registration time.",SHALL,Client,,,,"",""
174
+ hl7.fhir.uv.smart-app-launch_2.2.0,327,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`iss`[claim is] `required`… [and] SHALL [contain the] Issuer of the JWT --the client's `client_id`, as determined during registration with the FHIR authorization server",SHALL,Client,,,,5.08,smart_client_stu2_2-smart_client_access-smart_client_token_request_alca_verification
175
+ hl7.fhir.uv.smart-app-launch_2.2.0,328,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`sub`[claim is] `required`… [and] SHALL [contain] The client's `client_id`, as determined during registration with the FHIR authorization server (note that this is the same as the value for the iss claim)",SHALL,Client,,,,5.08,smart_client_stu2_2-smart_client_access-smart_client_token_request_alca_verification
176
+ hl7.fhir.uv.smart-app-launch_2.2.0,329,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`aud`[claim is] `required`… [and] SHALL [contain] The FHIR authorization server's ""token URL"" (the same URL to which this authentication JWT will be posted)",SHALL,Client,,,,5.08,smart_client_stu2_2-smart_client_access-smart_client_token_request_alca_verification
177
+ hl7.fhir.uv.smart-app-launch_2.2.0,330,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`exp`[claim is] `required`… [and] SHALL [contain the] Expiration time integer for this authentication JWT, expressed in seconds since the ""Epoch"" (1970-01-01T00:00:00Z UTC). This time S",SHALL,Client,,,,5.08,smart_client_stu2_2-smart_client_access-smart_client_token_request_alca_verification
178
+ hl7.fhir.uv.smart-app-launch_2.2.0,331,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`exp`[claim] ... SHALL be no more than five minutes in the future.,SHALL,Client,,,,"",""
179
+ hl7.fhir.uv.smart-app-launch_2.2.0,332,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`jti`[claim is] `required`… [and] SHALL [contain a] nonce string value that uniquely identifies this authentication JWT,SHALL,Client,,,,5.08,smart_client_stu2_2-smart_client_access-smart_client_token_request_alca_verification
180
+ hl7.fhir.uv.smart-app-launch_2.2.0,333,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When the client requests an access token] … [the]`client_assertion_type`[parameter is] `required`… [and] SHALL [contain the] Fixed value: `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`,SHALL,Client,,,,5.08,smart_client_stu2_2-smart_client_access-smart_client_token_request_alca_verification
181
+ hl7.fhir.uv.smart-app-launch_2.2.0,334,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When the client requests an access token] … [the]`client_assertion`[parameter is] `required`… [and] SHALL [contain the] Signed authentication JWT value,SHALL,Client,,,,5.08,smart_client_stu2_2-smart_client_access-smart_client_token_request_alca_verification
182
+ hl7.fhir.uv.smart-app-launch_2.2.0,343,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html#profile-audience-and-scope,SMART App Launch clients that can maintain a secret but cannot manage asymmetric keypairs [may use the] … SMART’s `client-confidential-symmetric` authentication mechanism. This profile is not intended for SMART Backend Services clients.,MAY,Client,,,,"",""
183
+ hl7.fhir.uv.smart-app-launch_2.2.0,345,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html#authentication-using-a-client_secret,"If a client has registered for Client Password authentication (i.e., it possesses a client_secret that is also known to the EHR), the client authenticates by supplying an Authorization header with HTTP Basic authentication, where the username is the app’s client_id and the password is the app’s client_secret.",SHALL,Client,,,,"",""
184
+ hl7.fhir.uv.smart-app-launch_2.2.0,375,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,[C]lients MAY omit an `Accept` header [when requesting the `/.well-known/smart-configuration`],MAY,Client,,,,"",""
185
+ hl7.fhir.uv.smart-app-launch_2.2.0,379,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,"Clients encountering relative endpoint URLs (e.g., in the context of legacy or non-conformant servers) SHOULD evaluate them relative to the FHIR Server Base URL following [RFC1808](https://datatracker.ietf.org/doc/html/rfc1808#section-4).",SHALL,Client,,,,"",""
186
+ hl7.fhir.uv.smart-app-launch_2.2.0,413,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR app that leverages a User Access Brand Bundle SHOULD provide an `If-None-Match` header in all Brand Bundle requests to avoid re-fetching data that have not changed,SHOULD,Client,,,,"",""
187
+ hl7.fhir.uv.smart-app-launch_2.2.0,414,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR app that leverages a User Access Brand Bundle SHOULD cache Brand Bundle responses by Etag,SHOULD,Client,,,,"",""
188
+ hl7.fhir.uv.smart-app-launch_2.2.0,415,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR app that leverages a User Access Brand Bundle SHALL select FHIR resources linked from the `.well-known/smart-configuration` if they differ from the resources in a vendor-consolidated Brand Bundle,SHALL,Client,,,,"",""
189
+ hl7.fhir.uv.smart-app-launch_2.2.0,416,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#fhir-profiles,"For fine-grained organizational management, apps SHALL select the FHIR resources linked from .well-known/smart-configuration if they differ from the resources in a vendor-consolidated Brand Bundle.",SHALL,Client,,,,"",""
190
+ hl7.fhir.uv.smart-app-launch_2.2.0,420,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#consistent-identifiers-for-organizations,Apps can use a Brand’s Organization.identifier element to merge content published in multiple sources.,MAY,Client,,,,"",""
191
+ hl7.fhir.uv.smart-app-launch_2.2.0,425,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#caching-brand-bundles,Clients SHOULD cache responses by Etag,SHOULD,Client,,,,"",""
192
+ hl7.fhir.uv.smart-app-launch_2.2.0,426,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#caching-brand-bundles,Clients SHOULD … provide an `If-None-Match` header in all requests to avoid re-fetching data that have not changed,SHOULD,Client,,,,"",""
193
+ hl7.fhir.uv.smart-app-launch_2.2.0,435,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,Note that the presence of an Endpoint in the Brand Bundle does not provide an implicit authorization to access the Endpoint. Clients that require access to the data provided by the FHIR Endpoints in the Brand Bundle can use SMART Configuration metadata to determine authorization requirements.,MAY,Client,,,,"",""
data/lib/smart_app_launch/requirements/generated/smart_requirements_coverage.csv ADDED
@@ -0,0 +1 @@
1
+ Req Set,ID,URL,Requirement,Conformance,Actors,Conditionality,Not Tested Reason,Not Tested Details,SMART App Launch STU1 Short ID(s),SMART App Launch STU1 Full ID(s)