smart_app_launch_test_kit 0.6.2 → 0.6.4

Files changed (67) hide show
  1. checksums.yaml +4 -4
  2. data/config/presets/SMART_RunClientAgainstServer.json.erb +3 -3
  3. data/lib/smart_app_launch/app_redirect_test.rb +3 -0
  4. data/lib/smart_app_launch/backend_services_authorization_request_success_test.rb +1 -0
  5. data/lib/smart_app_launch/backend_services_authorization_response_body_test.rb +11 -0
  6. data/lib/smart_app_launch/backend_services_invalid_client_assertion_test.rb +1 -0
  7. data/lib/smart_app_launch/backend_services_invalid_grant_type_test.rb +1 -0
  8. data/lib/smart_app_launch/client_stu2_2_suite.rb +8 -0
  9. data/lib/smart_app_launch/client_suite/access_alca_interaction_test.rb +5 -0
  10. data/lib/smart_app_launch/client_suite/access_alcs_interaction_test.rb +5 -0
  11. data/lib/smart_app_launch/client_suite/access_alp_interaction_test.rb +4 -0
  12. data/lib/smart_app_launch/client_suite/access_bsca_interaction_test.rb +3 -0
  13. data/lib/smart_app_launch/client_suite/authorization_request_verification_test.rb +11 -0
  14. data/lib/smart_app_launch/client_suite/registration_alca_group.rb +1 -1
  15. data/lib/smart_app_launch/client_suite/registration_alca_verification_test.rb +6 -1
  16. data/lib/smart_app_launch/client_suite/registration_alcs_verification_test.rb +4 -1
  17. data/lib/smart_app_launch/client_suite/registration_alp_verification_test.rb +3 -1
  18. data/lib/smart_app_launch/client_suite/registration_bsca_verification_test.rb +4 -0
  19. data/lib/smart_app_launch/client_suite/token_request_alca_verification_test.rb +15 -0
  20. data/lib/smart_app_launch/client_suite/token_request_alcs_verification_test.rb +6 -0
  21. data/lib/smart_app_launch/client_suite/token_request_alp_verification_test.rb +9 -0
  22. data/lib/smart_app_launch/client_suite/token_request_bsca_verification_test.rb +9 -1
  23. data/lib/smart_app_launch/client_suite/token_use_verification_test.rb +2 -1
  24. data/lib/smart_app_launch/code_received_test.rb +4 -0
  25. data/lib/smart_app_launch/cors_metadata_request_test.rb +2 -0
  26. data/lib/smart_app_launch/cors_openid_fhir_user_claim_test.rb +2 -0
  27. data/lib/smart_app_launch/cors_token_exchange_test.rb +2 -0
  28. data/lib/smart_app_launch/cors_well_known_endpoint_test.rb +2 -0
  29. data/lib/smart_app_launch/docs/smart_stu2_2_client_suite_description.md +1 -1
  30. data/lib/smart_app_launch/ehr_launch_group.rb +4 -0
  31. data/lib/smart_app_launch/endpoints/mock_smart_server/token_endpoint.rb +2 -2
  32. data/lib/smart_app_launch/endpoints/mock_smart_server.rb +3 -3
  33. data/lib/smart_app_launch/openid_connect_group_stu2_2.rb +1 -0
  34. data/lib/smart_app_launch/openid_decode_id_token_test.rb +2 -1
  35. data/lib/smart_app_launch/openid_fhir_user_claim_test.rb +1 -0
  36. data/lib/smart_app_launch/openid_required_configuration_fields_test.rb +2 -0
  37. data/lib/smart_app_launch/openid_retrieve_configuration_test.rb +1 -1
  38. data/lib/smart_app_launch/openid_retrieve_jwks_test.rb +3 -1
  39. data/lib/smart_app_launch/openid_token_header_test.rb +2 -0
  40. data/lib/smart_app_launch/openid_token_payload_test.rb +2 -0
  41. data/lib/smart_app_launch/requirements/generated/smart_access_brands_requirements_coverage.csv +1 -0
  42. data/lib/smart_app_launch/requirements/generated/smart_client_stu2_2_requirements_coverage.csv +193 -0
  43. data/lib/smart_app_launch/requirements/generated/smart_requirements_coverage.csv +1 -0
  44. data/lib/smart_app_launch/requirements/generated/smart_stu2_2_requirements_coverage.csv +305 -0
  45. data/lib/smart_app_launch/requirements/generated/smart_stu2_requirements_coverage.csv +1 -0
  46. data/lib/smart_app_launch/requirements/hl7.fhir.uv.smart-app-launch_2.0.0_Requirements.xlsx +0 -0
  47. data/lib/smart_app_launch/requirements/hl7.fhir.uv.smart-app-launch_2.2.0_Requirements.xlsx +0 -0
  48. data/lib/smart_app_launch/requirements/smart_app_launch_test_kit_requirements.csv +1017 -0
  49. data/lib/smart_app_launch/smart_access_brands_group.rb +1 -0
  50. data/lib/smart_app_launch/smart_access_brands_retrieve_bundle_test.rb +4 -1
  51. data/lib/smart_app_launch/smart_access_brands_validate_brands_test.rb +2 -0
  52. data/lib/smart_app_launch/smart_access_brands_validate_bundle_test.rb +5 -1
  53. data/lib/smart_app_launch/smart_access_brands_validate_endpoint_urls_test.rb +1 -0
  54. data/lib/smart_app_launch/smart_access_brands_validate_endpoints_test.rb +3 -1
  55. data/lib/smart_app_launch/smart_stu2_2_suite.rb +8 -0
  56. data/lib/smart_app_launch/standalone_launch_group.rb +4 -0
  57. data/lib/smart_app_launch/token_introspection_group_stu2_2.rb +1 -0
  58. data/lib/smart_app_launch/token_introspection_response_group.rb +9 -2
  59. data/lib/smart_app_launch/token_refresh_body_test.rb +6 -0
  60. data/lib/smart_app_launch/token_refresh_stu2_test.rb +2 -1
  61. data/lib/smart_app_launch/token_refresh_test.rb +1 -1
  62. data/lib/smart_app_launch/token_response_body_test_stu2_2.rb +8 -0
  63. data/lib/smart_app_launch/token_response_headers_test.rb +2 -0
  64. data/lib/smart_app_launch/version.rb +2 -2
  65. data/lib/smart_app_launch/well_known_capabilities_stu2_test.rb +9 -1
  66. data/lib/smart_app_launch/well_known_endpoint_test.rb +5 -0
  67. metadata +26 -4
@@ -0,0 +1,305 @@
1
+ Req Set,ID,URL,Requirement,Conformance,Actors,Conditionality,Not Tested Reason,Not Tested Details,SMART App Launch STU2.2 Short ID(s),SMART App Launch STU2.2 Full ID(s)
2
+ hl7.fhir.uv.smart-app-launch_2.2.0,14,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-pkce-support,SMART servers [supporting the [PKCE](https://tools.ietf.org/html/rfc7636)] SHALL support the `S256` `code_challenge_method`,SHALL,Server,,,,"",""
3
+ hl7.fhir.uv.smart-app-launch_2.2.0,15,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-pkce-support,SMART servers [supporting the [PKCE](https://tools.ietf.org/html/rfc7636)] … SHALL NOT support the `plain` method.,SHALL NOT,Server,,,,"",""
4
+ hl7.fhir.uv.smart-app-launch_2.2.0,16,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-cross-origin-resource-sharing-cors-support,"Servers that support purely browser-based apps SHALL enable [Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) as follows: ... For requests from any origin, CORS configuration permits access to the public discovery endpoints (`.well-known/smart-configuration` and `metadata`)",SHALL,Server,,,,"1.1.03, 1.1.04, 2.1.03, 2.1.04, 3.1.03, 3.1.04, 4.1.1.03, 4.1.1.04","smart_stu2_2-smart_full_standalone_launch-smart_discovery_stu2_2-smart_cors_well_known_endpoint, smart_stu2_2-smart_full_standalone_launch-smart_discovery_stu2_2-smart_cors_metadata_request, smart_stu2_2-smart_full_ehr_launch-smart_discovery_stu2_2-smart_cors_well_known_endpoint, smart_stu2_2-smart_full_ehr_launch-smart_discovery_stu2_2-smart_cors_metadata_request, smart_stu2_2-smart_backend_services-smart_discovery_stu2_2-smart_cors_well_known_endpoint, smart_stu2_2-smart_backend_services-smart_discovery_stu2_2-smart_cors_metadata_request, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_discovery_stu2_2-smart_cors_well_known_endpoint, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_discovery_stu2_2-smart_cors_metadata_request"
5
+ hl7.fhir.uv.smart-app-launch_2.2.0,17,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-cross-origin-resource-sharing-cors-support,"Servers that support purely browser-based apps SHALL enable [Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) as follows: ... For requests from a client’s registered origin(s), CORS configuration permits access to the token endpoint and to FHIR REST API endpoints",SHALL,Server,,,,"1.2.08, 1.3.08, 2.2.10, 2.3.08, 4.1.2.08","smart_stu2_2-smart_full_standalone_launch-smart_standalone_launch_stu2_2-smart_cors_token_exchange, smart_stu2_2-smart_full_standalone_launch-smart_openid_connect_stu2_2-smart_cors_openid_fhir_user_claim, smart_stu2_2-smart_full_ehr_launch-smart_ehr_launch_stu2_2-smart_cors_token_exchange, smart_stu2_2-smart_full_ehr_launch-smart_openid_connect_stu2_2-smart_cors_openid_fhir_user_claim, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_standalone_launch_stu2_2-smart_cors_token_exchange"
6
+ hl7.fhir.uv.smart-app-launch_2.2.0,18,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#smart-authorization--fhir-access-overview,[In the SMART APP Launch process] the complete URLs of all apps approved for use by users of this EHR [SHALL] ... have been registered with the EHR authorization server.,SHALL,Server,,,,"",""
7
+ hl7.fhir.uv.smart-app-launch_2.2.0,19,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#register-app-with-ehr,"SMART does not specify a standards-based registration process, but we encourage EHR implementers to consider the [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591) for an out-of-the-box solution.",MAY,Server,,,,"",""
8
+ hl7.fhir.uv.smart-app-launch_2.2.0,24,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response,The EHR confirms the app’s registration parameters and communicates a `client_id` to the app.,SHALL,Server,,,,"",""
9
+ hl7.fhir.uv.smart-app-launch_2.2.0,30,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-3,The EHR responds with a SMART configuration JSON document as described in the [Conformance](https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html) section.,SHALL,Server,,,,"1.1.01, 1.1.02, 2.1.01, 2.1.02, 3.1.01, 3.1.02, 4.1.1.01, 4.1.1.02","smart_stu2_2-smart_full_standalone_launch-smart_discovery_stu2_2-well_known_endpoint, smart_stu2_2-smart_full_standalone_launch-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_full_ehr_launch-smart_discovery_stu2_2-well_known_endpoint, smart_stu2_2-smart_full_ehr_launch-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_backend_services-smart_discovery_stu2_2-well_known_endpoint, smart_stu2_2-smart_backend_services-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_discovery_stu2_2-well_known_endpoint, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_discovery_stu2_2-well_known_capabilities_stu2"
10
+ hl7.fhir.uv.smart-app-launch_2.2.0,31,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,[When] the app constructs a request for an authorization code … the EHR SHALL ensure that the `code_verifier` is present and valid when the code is exchanged for an access token.,SHALL,Server,,,,"",""
11
+ hl7.fhir.uv.smart-app-launch_2.2.0,48,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,Authorization Servers SHALL support the use of the HTTP GET ... at the Authorization Endpoint,SHALL,Server,,,,"1.2.02, 2.2.04, 4.1.2.02","smart_stu2_2-smart_full_standalone_launch-smart_standalone_launch_stu2_2-smart_app_redirect_stu2, smart_stu2_2-smart_full_ehr_launch-smart_ehr_launch_stu2_2-smart_app_redirect_stu2, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_standalone_launch_stu2_2-smart_app_redirect_stu2"
12
+ hl7.fhir.uv.smart-app-launch_2.2.0,49,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,Authorization Servers SHALL support the use of the HTTP .. POST ... at the Authorization Endpoint,SHALL,Server,,,,"1.2.02, 2.2.04, 4.1.2.02","smart_stu2_2-smart_full_standalone_launch-smart_standalone_launch_stu2_2-smart_app_redirect_stu2, smart_stu2_2-smart_full_ehr_launch-smart_ehr_launch_stu2_2-smart_app_redirect_stu2, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_standalone_launch_stu2_2-smart_app_redirect_stu2"
13
+ hl7.fhir.uv.smart-app-launch_2.2.0,53,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-4,The EHR decides whether to grant ... access [in response to an Authorization Request]. This decision is communicated to the app when the EHR authorization server returns an authorization code,SHALL,Server,,,,"1.2.03, 2.2.05, 4.1.2.03","smart_stu2_2-smart_full_standalone_launch-smart_standalone_launch_stu2_2-smart_code_received, smart_stu2_2-smart_full_ehr_launch-smart_ehr_launch_stu2_2-smart_code_received, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_standalone_launch_stu2_2-smart_code_received"
14
+ hl7.fhir.uv.smart-app-launch_2.2.0,54,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-4,The EHR decides whether to ... deny access [in response to an Authorization Request]. This decision is communicated to the app when the EHR authorization server returns … an eror response,SHALL,Server,,,,"",""
15
+ hl7.fhir.uv.smart-app-launch_2.2.0,56,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-4,[When responding to an authorization request] the code is sent when the EHR authorization server causes the browser to navigate to the app’s redirect_uri,SHALL,Server,,,,"1.2.03, 2.2.05, 4.1.2.03","smart_stu2_2-smart_full_standalone_launch-smart_standalone_launch_stu2_2-smart_code_received, smart_stu2_2-smart_full_ehr_launch-smart_ehr_launch_stu2_2-smart_code_received, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_standalone_launch_stu2_2-smart_code_received"
16
+ hl7.fhir.uv.smart-app-launch_2.2.0,57,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-4,[When] the EHR authorization server causes the browser to navigate to the app’s redirect_uri … [the] `code` [parameter is] required [and SHALL contain the] The authorization code generated by the authorization server.,SHALL,Server,,,,"1.2.02, 1.2.03, 2.2.04, 2.2.05, 4.1.2.02, 4.1.2.03","smart_stu2_2-smart_full_standalone_launch-smart_standalone_launch_stu2_2-smart_app_redirect_stu2, smart_stu2_2-smart_full_standalone_launch-smart_standalone_launch_stu2_2-smart_code_received, smart_stu2_2-smart_full_ehr_launch-smart_ehr_launch_stu2_2-smart_app_redirect_stu2, smart_stu2_2-smart_full_ehr_launch-smart_ehr_launch_stu2_2-smart_code_received, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_standalone_launch_stu2_2-smart_app_redirect_stu2, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_standalone_launch_stu2_2-smart_code_received"
17
+ hl7.fhir.uv.smart-app-launch_2.2.0,58,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-4,[When] the EHR authorization server causes the browser to navigate to the app’s redirect_uri … [the authorization code in the] `code` [parameter] ... needs to expire shortly after it is issued to mitigate the risk of leaks.,SHOULD,Server,,,,"",""
18
+ hl7.fhir.uv.smart-app-launch_2.2.0,59,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-4,[When] the EHR authorization server causes the browser to navigate to the app’s redirect_uri … [the] `state` [parameter is] required [and SHALL contain t]he exact value received from the client [in parameter of the same name on the authorization request].,SHALL,Server,,,,"",""
19
+ hl7.fhir.uv.smart-app-launch_2.2.0,73,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,The EHR authorization server SHALL return a JSON object that includes an access token or a message indicating that the authorization request has been denied.,SHALL,Server,,,,"1.2.06, 2.2.08, 4.1.2.06","smart_stu2_2-smart_full_standalone_launch-smart_standalone_launch_stu2_2-smart_token_response_body_stu2_2, smart_stu2_2-smart_full_ehr_launch-smart_ehr_launch_stu2_2-smart_token_response_body_stu2_2, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_standalone_launch_stu2_2-smart_token_response_body_stu2_2"
20
+ hl7.fhir.uv.smart-app-launch_2.2.0,74,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,[When the EHR Authorization server responds to an autorization token request the] 'access_token`[parameter is] `required` [and SHALL contain t]he access token issued by the authorization server,SHALL,Server,,,,"1.2.06, 2.2.08, 4.1.2.06","smart_stu2_2-smart_full_standalone_launch-smart_standalone_launch_stu2_2-smart_token_response_body_stu2_2, smart_stu2_2-smart_full_ehr_launch-smart_ehr_launch_stu2_2-smart_token_response_body_stu2_2, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_standalone_launch_stu2_2-smart_token_response_body_stu2_2"
21
+ hl7.fhir.uv.smart-app-launch_2.2.0,75,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,[When the EHR Authorization server responds to an autorization token request the] `token_type`[parameer is] `required` [and SHALL contain the f]ixed value: `Bearer`,SHALL,Server,,,,"1.2.06, 2.2.08, 4.1.2.06","smart_stu2_2-smart_full_standalone_launch-smart_standalone_launch_stu2_2-smart_token_response_body_stu2_2, smart_stu2_2-smart_full_ehr_launch-smart_ehr_launch_stu2_2-smart_token_response_body_stu2_2, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_standalone_launch_stu2_2-smart_token_response_body_stu2_2"
22
+ hl7.fhir.uv.smart-app-launch_2.2.0,76,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,[When the EHR Authorization server responds to an autorization token request the] `expires_in`[parameter is] `recommended`[and SHOULD contain the l]ifetime in seconds of the access token.,SHOULD,Server,,,,"",""
23
+ hl7.fhir.uv.smart-app-launch_2.2.0,77,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,[When the EHR Authorization servers autorization token expires] the token SHALL NOT be accepted by the resource server,SHALL,Server,,,,"",""
24
+ hl7.fhir.uv.smart-app-launch_2.2.0,78,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,[When the EHR Authorization server responds to an autorization token request the] `scope`[parameter is] `required` [and SHALL contain the s]cope of access authorized. Note that this can be different from the scopes requested by the app.,SHALL,Server,,,,"1.2.06, 2.2.08, 4.1.2.06","smart_stu2_2-smart_full_standalone_launch-smart_standalone_launch_stu2_2-smart_token_response_body_stu2_2, smart_stu2_2-smart_full_ehr_launch-smart_ehr_launch_stu2_2-smart_token_response_body_stu2_2, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_standalone_launch_stu2_2-smart_token_response_body_stu2_2"
25
+ hl7.fhir.uv.smart-app-launch_2.2.0,79,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,[When the EHR Authorization server responds to an autorization token request the] `scope`[parameter is] can be different from the scopes requested by the app.,MAY,Server,,,,"",""
26
+ hl7.fhir.uv.smart-app-launch_2.2.0,80,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,"[When the EHR Authorization server responds to an autorization token request the] `id_token`[parameter is] `optional` [and MAY contain a]uthenticated user identity and user details, if requested.",MAY,Server,,,,"",""
27
+ hl7.fhir.uv.smart-app-launch_2.2.0,81,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,"[When the EHR Authorization server responds to an autorization token request the] `refresh_token`[parameter is] `optional` [and MAY contain the t]oken that can be used to obtain a new access token, using the same or a subset of the original authorization grants",MAY,Server,,,,"",""
28
+ hl7.fhir.uv.smart-app-launch_2.2.0,82,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,"[When the EHR Authorization server responds to an autorization token request the] `authorization_details`[parameter is] `optional` [and MAY contain a]dditional details describing where this token can be used, and any per-location context",MAY,Server,,,,"",""
29
+ hl7.fhir.uv.smart-app-launch_2.2.0,83,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,"[When the EHR Authorization server responds to an autorization token request] if the app was launched from within a patient context, parameters to communicate the context values MAY BE included.",MAY,Server,,,,"",""
30
+ hl7.fhir.uv.smart-app-launch_2.2.0,84,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,"[When the EHR Authorization server responds to an autorization token request t]he parameters are included in the entity-body of the HTTP response, as described in section 5.1 of [RFC6749](https://tools.ietf.org/html/rfc6749).",SHALL,Server,,,,"1.2.06, 2.2.08, 4.1.2.06","smart_stu2_2-smart_full_standalone_launch-smart_standalone_launch_stu2_2-smart_token_response_body_stu2_2, smart_stu2_2-smart_full_ehr_launch-smart_ehr_launch_stu2_2-smart_token_response_body_stu2_2, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_standalone_launch_stu2_2-smart_token_response_body_stu2_2"
31
+ hl7.fhir.uv.smart-app-launch_2.2.0,85,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,The access token is a string of characters as defined in [RFC6749](https://tools.ietf.org/html/rfc6749) and [RFC6750](http://tools.ietf.org/html/rfc6750).,SHALL,Server,,,,"",""
32
+ hl7.fhir.uv.smart-app-launch_2.2.0,86,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,The authorization server’s response SHALL include the HTTP “Cache-Control” response header field with a value of “no-store”,SHALL,Server,,,,"1.2.07, 1.4.03, 1.5.03, 2.2.09, 2.4.03, 2.5.03, 4.1.2.07","smart_stu2_2-smart_full_standalone_launch-smart_standalone_launch_stu2_2-smart_token_response_headers, smart_stu2_2-smart_full_standalone_launch-smart_standalone_refresh_without_scopes-smart_token_response_headers, smart_stu2_2-smart_full_standalone_launch-smart_standalone_refresh_with_scopes-smart_token_response_headers, smart_stu2_2-smart_full_ehr_launch-smart_ehr_launch_stu2_2-smart_token_response_headers, smart_stu2_2-smart_full_ehr_launch-smart_ehr_refresh_without_scopes-smart_token_response_headers, smart_stu2_2-smart_full_ehr_launch-smart_ehr_refresh_with_scopes-smart_token_response_headers, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_standalone_launch_stu2_2-smart_token_response_headers"
33
+ hl7.fhir.uv.smart-app-launch_2.2.0,87,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,The authorization server’s response SHALL include the HTTP ... “Pragma” response header field with a value of “no-cache”,SHALL,Server,,,,"1.2.07, 1.4.03, 1.5.03, 2.2.09, 2.4.03, 2.5.03, 4.1.2.07","smart_stu2_2-smart_full_standalone_launch-smart_standalone_launch_stu2_2-smart_token_response_headers, smart_stu2_2-smart_full_standalone_launch-smart_standalone_refresh_without_scopes-smart_token_response_headers, smart_stu2_2-smart_full_standalone_launch-smart_standalone_refresh_with_scopes-smart_token_response_headers, smart_stu2_2-smart_full_ehr_launch-smart_ehr_launch_stu2_2-smart_token_response_headers, smart_stu2_2-smart_full_ehr_launch-smart_ehr_refresh_without_scopes-smart_token_response_headers, smart_stu2_2-smart_full_ehr_launch-smart_ehr_refresh_with_scopes-smart_token_response_headers, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_standalone_launch_stu2_2-smart_token_response_headers"
34
+ hl7.fhir.uv.smart-app-launch_2.2.0,88,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,"The EHR authorization server decides what `expires_in` value to assign to an access token ... as defined in section 1.5 of [RFC6749](https://tools.ietf.org/html/rfc6749#page-10), along with the access token.",SHALL,Server,,,,"",""
35
+ hl7.fhir.uv.smart-app-launch_2.2.0,89,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,"The EHR authorization server decides ... whether to issue a refresh token, as defined in section 1.5 of [RFC6749](https://tools.ietf.org/html/rfc6749#page-10), along with the access token.",SHALL,Server,,,,"",""
36
+ hl7.fhir.uv.smart-app-launch_2.2.0,91,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,Access tokens SHOULD have a valid lifetime no greater than one hour.,SHOULD,Server,,,,"",""
37
+ hl7.fhir.uv.smart-app-launch_2.2.0,92,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,Confidential clients may be issued longer-lived tokens than public clients.,MAY,Server,,,,"",""
38
+ hl7.fhir.uv.smart-app-launch_2.2.0,94,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-6,The resource server SHALL validate the access token and ensure that it has not expired,SHALL,Server,,,,"1.3.06, 2.3.06","smart_stu2_2-smart_full_standalone_launch-smart_openid_connect_stu2_2-smart_openid_token_payload, smart_stu2_2-smart_full_ehr_launch-smart_openid_connect_stu2_2-smart_openid_token_payload"
39
+ hl7.fhir.uv.smart-app-launch_2.2.0,95,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-6,The resource server SHALL validate the access token and ensure that … its scope covers the requested resource.,SHALL,Server,,,,4.3.01,smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_response_group-Test01
40
+ hl7.fhir.uv.smart-app-launch_2.2.0,96,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-6,The resource server also validates that the `aud` parameter associated with the authorization [request] ... matches the resource server’s own FHIR endpoint.,SHALL,Server,,,,"1.3.06, 2.3.06","smart_stu2_2-smart_full_standalone_launch-smart_openid_connect_stu2_2-smart_openid_token_payload, smart_stu2_2-smart_full_ehr_launch-smart_openid_connect_stu2_2-smart_openid_token_payload"
41
+ hl7.fhir.uv.smart-app-launch_2.2.0,99,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#refresh-access-token,EHR implementers are also encouraged to consider using the [OAuth 2.0 Token Introspection Protocol](https://tools.ietf.org/html/rfc7662) to provide an introspection endpoint that clients can use to examine the validity and meaning of tokens.,SHOULD,Server,,,,"",""
42
+ hl7.fhir.uv.smart-app-launch_2.2.0,100,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#refresh-access-token,[The Auth Server SHALL provide a]n app with “online access”... new access tokens as long as the end-user remains online.,SHALL,Server,,,,"",""
43
+ hl7.fhir.uv.smart-app-launch_2.2.0,101,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#refresh-access-token,[The Auth Server SHALL provide a]pps with “offline access”... new access tokens without the user being interactively engaged.,SHALL,Server,,,,"",""
44
+ hl7.fhir.uv.smart-app-launch_2.2.0,102,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#refresh-access-token,A server can decide which client types (public or confidential) are eligible for offline access and able to receive a refresh token.,MAY,Server,,,,"",""
45
+ hl7.fhir.uv.smart-app-launch_2.2.0,103,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#refresh-access-token,A refresh token SHALL be bound to the same `client_id` and SHALL contain the same or a subset of the claims authorized for the access token with which it is associated.,SHALL,Server,,,,"",""
46
+ hl7.fhir.uv.smart-app-launch_2.2.0,104,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#refresh-access-token,A refresh token ... SHALL contain the same or a subset of the claims authorized for the access token with which it is associated.,SHALL,Server,,,,"",""
47
+ hl7.fhir.uv.smart-app-launch_2.2.0,109,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-7,[When requesting a new access token using a refresh token the] a missing [`scope` parameter] value indicates a request for the same scopes granted in the original launch.,SHALL,Server,,,,"1.4.01, 1.5.01, 2.4.01, 2.5.01","smart_stu2_2-smart_full_standalone_launch-smart_standalone_refresh_without_scopes-smart_token_refresh_stu2, smart_stu2_2-smart_full_standalone_launch-smart_standalone_refresh_with_scopes-smart_token_refresh_stu2, smart_stu2_2-smart_full_ehr_launch-smart_ehr_refresh_without_scopes-smart_token_refresh_stu2, smart_stu2_2-smart_full_ehr_launch-smart_ehr_refresh_with_scopes-smart_token_refresh_stu2"
48
+ hl7.fhir.uv.smart-app-launch_2.2.0,110,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the] `access_token` [parameter is] `required`[and SHALL contain the n]ew access token issued by the authorization server,SHALL,Server,,,,"1.4.02, 1.5.02, 2.4.02, 2.5.02","smart_stu2_2-smart_full_standalone_launch-smart_standalone_refresh_without_scopes-smart_token_refresh_body, smart_stu2_2-smart_full_standalone_launch-smart_standalone_refresh_with_scopes-smart_token_refresh_body, smart_stu2_2-smart_full_ehr_launch-smart_ehr_refresh_without_scopes-smart_token_refresh_body, smart_stu2_2-smart_full_ehr_launch-smart_ehr_refresh_with_scopes-smart_token_refresh_body"
49
+ hl7.fhir.uv.smart-app-launch_2.2.0,111,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the]`token_type` [parameter is] `required`[and SHALL contain the] Fixed value: bearer,SHALL,Server,,,,"1.4.02, 1.5.02, 2.4.02, 2.5.02","smart_stu2_2-smart_full_standalone_launch-smart_standalone_refresh_without_scopes-smart_token_refresh_body, smart_stu2_2-smart_full_standalone_launch-smart_standalone_refresh_with_scopes-smart_token_refresh_body, smart_stu2_2-smart_full_ehr_launch-smart_ehr_refresh_without_scopes-smart_token_refresh_body, smart_stu2_2-smart_full_ehr_launch-smart_ehr_refresh_with_scopes-smart_token_refresh_body"
50
+ hl7.fhir.uv.smart-app-launch_2.2.0,112,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the] `expires_in`[parameter is] `required`[and SHALL contain the] The lifetime in seconds of the access token.,SHALL,Server,,,,"1.4.02, 1.5.02, 2.4.02, 2.5.02","smart_stu2_2-smart_full_standalone_launch-smart_standalone_refresh_without_scopes-smart_token_refresh_body, smart_stu2_2-smart_full_standalone_launch-smart_standalone_refresh_with_scopes-smart_token_refresh_body, smart_stu2_2-smart_full_ehr_launch-smart_ehr_refresh_without_scopes-smart_token_refresh_body, smart_stu2_2-smart_full_ehr_launch-smart_ehr_refresh_with_scopes-smart_token_refresh_body"
51
+ hl7.fhir.uv.smart-app-launch_2.2.0,113,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the] `scope`[parameter is] `required` [and SHALL contain the] Scope of access authorized,SHALL,Server,,,,"1.4.02, 1.5.02, 2.4.02, 2.5.02","smart_stu2_2-smart_full_standalone_launch-smart_standalone_refresh_without_scopes-smart_token_refresh_body, smart_stu2_2-smart_full_standalone_launch-smart_standalone_refresh_with_scopes-smart_token_refresh_body, smart_stu2_2-smart_full_ehr_launch-smart_ehr_refresh_without_scopes-smart_token_refresh_body, smart_stu2_2-smart_full_ehr_launch-smart_ehr_refresh_with_scopes-smart_token_refresh_body"
52
+ hl7.fhir.uv.smart-app-launch_2.2.0,114,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the] `scope`[parameter value] will be the same as the scope of the original access token,SHALL,Server,,,,"1.4.02, 1.5.02, 2.4.02, 2.5.02","smart_stu2_2-smart_full_standalone_launch-smart_standalone_refresh_without_scopes-smart_token_refresh_body, smart_stu2_2-smart_full_standalone_launch-smart_standalone_refresh_with_scopes-smart_token_refresh_body, smart_stu2_2-smart_full_ehr_launch-smart_ehr_refresh_without_scopes-smart_token_refresh_body, smart_stu2_2-smart_full_ehr_launch-smart_ehr_refresh_with_scopes-smart_token_refresh_body"
53
+ hl7.fhir.uv.smart-app-launch_2.2.0,115,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the] `scope`[parameter value] can be different from the scopes requested by the app.,SHALL,Server,,,,"",""
54
+ hl7.fhir.uv.smart-app-launch_2.2.0,116,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the] `refresh_token` [parameter is] `optional` [and MAY contain the] refresh token issued by the authorization server.,MAY,Server,,,,"",""
55
+ hl7.fhir.uv.smart-app-launch_2.2.0,118,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-7,"[When responding to a request for a new access token using a refresh token the] if the app was launched from within a patient context, parameters to communicate the context values MAY BE included.",MAY,Server,,,,"",""
56
+ hl7.fhir.uv.smart-app-launch_2.2.0,119,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#smarts-scopes-are-used-to-delegate-access,[When responding to] a client request… of a specific set of access rights; [servers SHALL respect] … underlyinmg system policies and permissions [even if they conflict with granted scopes],SHALL,Server,,,,"",""
57
+ hl7.fhir.uv.smart-app-launch_2.2.0,123,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"Note that some servers allow for an [update operation to create a new instance](http://hl7.org/fhir/http.html#upsert), and this is allowed by the update scope",SHALL,Server,,,,"",""
58
+ hl7.fhir.uv.smart-app-launch_2.2.0,126,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"For backwards compatibility with scopes defined in the SMART App Launch 1.0 specification, servers SHOULD advertise the `permission-v1` capability in their `.well-known/smart-configuration` discovery document",SHOULD,Server,,,,"",""
59
+ hl7.fhir.uv.smart-app-launch_2.2.0,127,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"For backwards compatibility with scopes defined in the SMART App Launch 1.0 specification, servers SHOULD … return v1 scopes when v1 scopes are requested and granted",SHOULD,Server,,,,"",""
60
+ hl7.fhir.uv.smart-app-launch_2.2.0,128,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"For backwards compatibility with scopes defined in the SMART App Launch 1.0 specification, servers SHOULD … process v1 scopes with the following semantics in v2:
61
+ v1 `.read` ⇒ v2 `.rs`
62
+ v1 `.write` ⇒ v2 `.cud`
63
+ v1 `.*` ⇒ v2 `.cruds`",SHOULD,Server,,,,"",""
64
+ hl7.fhir.uv.smart-app-launch_2.2.0,129,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"Scope requests with undefined or out of order interactions MAY be ignored, replaced with server default scopes, or rejected",MAY,Server,,,,"",""
65
+ hl7.fhir.uv.smart-app-launch_2.2.0,130,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#batches-and-transactions,[B]atch and transaction requests should [SHALL] be validated based on the actual requests within them.,SHALL,Server,,,,"",""
66
+ hl7.fhir.uv.smart-app-launch_2.2.0,134,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scope-size-over-the-wire,"[S]ince access tokens are included in HTTP headers, servers should take care to ensure they do not get too large.",SHOULD,Server,,,,"",""
67
+ hl7.fhir.uv.smart-app-launch_2.2.0,136,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#patient-specific-scopes,[When granting p]atient-specific scopes [servers promise to] allow [the client to] access to specific data about a single patient. Which patient is not specified here: FHIR Resource scopes are all about *what* and not *who*,SHALL,Server,,,,"",""
68
+ hl7.fhir.uv.smart-app-launch_2.2.0,138,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#patient-specific-scopes,"Note that some EHRs may not enable access to all related resources [when responding to data requests with a patient-specific scope] (for example, Practitioners linked to/from Patient-specific resources).",MAY,Server,,,,"",""
69
+ hl7.fhir.uv.smart-app-launch_2.2.0,139,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#patient-specific-scopes,"if a FHIR server supports linking one Patient record with another via `Patient.link`, the server documentation SHALL describe its authorization behavior.",SHALL,Server,,,,"",""
70
+ hl7.fhir.uv.smart-app-launch_2.2.0,140,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#user-level-scopes,[When granting u]ser-level scopes [servers promise to] allow [the client] access to specific data that a user can access. Note that this isn’t just data about the user; it’s data available to that user.,SHALL,Server,,,,"",""
71
+ hl7.fhir.uv.smart-app-launch_2.2.0,142,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#system-level-scopes,"[When granting s]ystem-level scopes [servers promise to allow access to] data that a client system is directly authorized to access; these scopes are useful in cases where there is no user in the loop, such as a data monitoring or reporting service.",SHALL,Server,,,,"",""
72
+ hl7.fhir.uv.smart-app-launch_2.2.0,144,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#wildcard-scopes,"[When granting w]ildcard scopes…[servers promise to allow access to] all data for all available FHIR resources, both now and in the future.",SHALL,Server,,,,"",""
73
+ hl7.fhir.uv.smart-app-launch_2.2.0,145,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#wildcard-scopes,[T]he scopes ultimately granted by the authorization server may differ from the scopes requested by the client!,MAY,Server,,,,"",""
74
+ hl7.fhir.uv.smart-app-launch_2.2.0,149,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,[Context data scopes tell ther server] what context parameters will [SHALL] be provided in the access token response,SHALL,Server,,,,"",""
75
+ hl7.fhir.uv.smart-app-launch_2.2.0,154,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,Any SMART EHR MAY extend this list [of context scopes] to support additional context [beyond patient and encounter[..,MAY,Server,,,,"",""
76
+ hl7.fhir.uv.smart-app-launch_2.2.0,159,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,"When using `?role=` in launch context requests: … If an EHR receives a request for an unsupported role, it SHOULD return any launch context supported for the supplied resource type.",SHOULD,Server,,,,"",""
77
+ hl7.fhir.uv.smart-app-launch_2.2.0,160,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,"When using `?role=` in launch context requests: … If an EHR receives a request for an unsupported role, … It MAY return alternative roles.",SHOULD,Server,,,,"",""
78
+ hl7.fhir.uv.smart-app-launch_2.2.0,163,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#apps-that-launch-from-the-ehr,"The EHR MAY ignore these hints [regarding which contexts the app would like the EHR to gather] (for example, if the user is in a workflow where these contexts do not exist).",MAY,Server,,,,"",""
79
+ hl7.fhir.uv.smart-app-launch_2.2.0,164,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#apps-that-launch-from-the-ehr,"If an application requests a FHIR Resource scope which is restricted to a single patient (e.g., patient/*.rs), and the authorization results in the EHR granting that scope, the EHR SHALL establish a patient in context.",SHALL,Server,,,,"",""
80
+ hl7.fhir.uv.smart-app-launch_2.2.0,165,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#apps-that-launch-from-the-ehr,"The EHR MAY refuse authorization requests including `patient/` that do not also include a valid `launch`, or it MAY infer the `launch/patient` scope.",MAY,Server,,,,"",""
81
+ hl7.fhir.uv.smart-app-launch_2.2.0,167,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#standalone-apps,"[when a standalone app requests EHR context] The EHR SHOULD provide the requested context if requested by the following scopes, unless otherwise noted.",SHOULD,Server,,,,"",""
82
+ hl7.fhir.uv.smart-app-launch_2.2.0,168,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,"Once an app is authorized, the token response will include any context data the app requested and any (potentially) unsolicited context data the EHR may decide to communicate",SHALL,Server,,,,"",""
83
+ hl7.fhir.uv.smart-app-launch_2.2.0,169,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,"Once an app is authorized, the token response will include any … [l]aunch context parameters [and] come alongside the access token… [which SHALL] appear as JSON parameters.",SHALL,Server,,,,"",""
84
+ hl7.fhir.uv.smart-app-launch_2.2.0,170,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,"[The] launch context parameter... `patient`... [SHALL contain a s]tring value with a patient id, indicating that the app was launched in the context of FHIR Patient... If the app has any patient-level scopes, they will be scoped to Patient [provided in this parameter].",SHALL,Server,,,,"",""
85
+ hl7.fhir.uv.smart-app-launch_2.2.0,171,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,"[The] launch context parameter... `encounter`... [SHALL contain a s]tring value with an encounter id, indicating that the app was launched in the context of FHIR Encounter",SHALL,Server,,,,"",""
86
+ hl7.fhir.uv.smart-app-launch_2.2.0,172,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,[The] launch context parameter... `fhirContext`... [SHALL contain an a]rray of objects referring to any resource type other than “Patient” or “Encounter”.,SHALL,Server,,,,"1.2.06, 2.2.08, 4.1.2.06","smart_stu2_2-smart_full_standalone_launch-smart_standalone_launch_stu2_2-smart_token_response_body_stu2_2, smart_stu2_2-smart_full_ehr_launch-smart_ehr_launch_stu2_2-smart_token_response_body_stu2_2, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_standalone_launch_stu2_2-smart_token_response_body_stu2_2"
87
+ hl7.fhir.uv.smart-app-launch_2.2.0,173,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,[The] launch context parameter... `need_patient_banner`... [SHALL contain a] boolean value indicating whether the app was launched in a UX context where a patient banner is required (when true) or may not be required (when false). An app receiving a value of false might not need to take up screen real estate displaying a patient banner.,SHALL,Server,,,,"",""
88
+ hl7.fhir.uv.smart-app-launch_2.2.0,174,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,[The] launch context parameter... `intent`... [SHALL contain a s]tring value describing the intent of the application launch,SHALL,Server,,,,"",""
89
+ hl7.fhir.uv.smart-app-launch_2.2.0,175,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,[The] launch context parameter... `smart_style_url`... [SHALL contain a s]tring URL where the EHR’s style parameters can be retrieved (for apps that support [styling](https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#styling)),SHALL,Server,,,,"",""
90
+ hl7.fhir.uv.smart-app-launch_2.2.0,176,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,[The] launch context parameter... `tenant`... [SHALL contain a s]tring conveying an opaque identifier for the healthcare organization that is launching the app. This parameter is intended primarily to support EHR Launch scenarios.,SHALL,Server,,,,"",""
91
+ hl7.fhir.uv.smart-app-launch_2.2.0,177,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"{A]ny contextual resource types that were requested by a launch scope will appear in the `fhirContext` array... except ... Patient and Encounter resource types, which will not be deprecated from top-level parameters, and they will not be permitted within the `fhirContex`t array unless they include a `role` other than ""launch"".",SHALL,Server,,,,"",""
92
+ hl7.fhir.uv.smart-app-launch_2.2.0,178,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"Each object in the `fhirContext` array SHALL include at least one of `""reference""`, `""canonical""`, or `""identifier""`",SHALL,Server,,,,"1.2.06, 2.2.08, 4.1.2.06","smart_stu2_2-smart_full_standalone_launch-smart_standalone_launch_stu2_2-smart_token_response_body_stu2_2, smart_stu2_2-smart_full_ehr_launch-smart_ehr_launch_stu2_2-smart_token_response_body_stu2_2, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_standalone_launch_stu2_2-smart_token_response_body_stu2_2"
93
+ hl7.fhir.uv.smart-app-launch_2.2.0,179,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"Each object in the `fhirContext` array… MAY contain [the property] `""reference""` (string) … [which is the] relative reference to a FHIR resource. Note that there MAY be more than one fhirContext item referencing the same type of resource.",MAY,Server,,,,"",""
94
+ hl7.fhir.uv.smart-app-launch_2.2.0,180,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,Note that there MAY be more than one fhirContext item referencing the same type of resource [using the property `reference`].,MAY,Server,,,,"",""
95
+ hl7.fhir.uv.smart-app-launch_2.2.0,181,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"Each object in the `fhirContext` array… MAY contain [the property] `""canonical""` (string) … [which is the] canonical URL for the `fhirContext` item (MAY include a version suffix)",MAY,Server,,,,"",""
96
+ hl7.fhir.uv.smart-app-launch_2.2.0,182,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,[The `canonical` property in a `fhirContext` array object] MAY include a version suffix),MAY,Server,,,,"",""
97
+ hl7.fhir.uv.smart-app-launch_2.2.0,183,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"Each object in the `fhirContext` array… MAY contain [the property] `""identifier""` (object) … [which is the] FHIR Identifier for the `fhirContext` item",MAY,Server,,,,"",""
98
+ hl7.fhir.uv.smart-app-launch_2.2.0,184,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"Each object in the `fhirContext` array… MAY contain [the property] `""type""` (string) … [which is the] FHIR resource type of the `fhirContext` item (RECOMMENDED when `""identifier""` or `""canonical""` is present)",MAY,Server,,,,"",""
99
+ hl7.fhir.uv.smart-app-launch_2.2.0,185,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"[The `type` property in a `fhirContext` array object is] RECOMMENDED when `""identifier""` or `""canonical""` is present)",SHOULD,Server,,,,"",""
100
+ hl7.fhir.uv.smart-app-launch_2.2.0,186,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"Each object in the `fhirContext` array… MAY contain [the property] `""role""` (string) … [which is the] URI identifying the role of this `fhirContext` item.",MAY,Server,,,,"",""
101
+ hl7.fhir.uv.smart-app-launch_2.2.0,187,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,[The `role` property in a `fhirContext` array object may contain r]elative role URIs ... if [they are] defined in this specification; other roles require the use of absolute URIs,MAY,Server,,,,"",""
102
+ hl7.fhir.uv.smart-app-launch_2.2.0,188,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,[O]ther roles [defined outside of this specification] require the use of absolute URIs [when used in the `role` property in a `fhirContext` array object],SHALL,Server,,,,"",""
103
+ hl7.fhir.uv.smart-app-launch_2.2.0,189,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,This [`role`] property MAY be omitted,MAY,Server,,,,"",""
104
+ hl7.fhir.uv.smart-app-launch_2.2.0,190,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,This [`role`] property... SHALL NOT be the empty string.,SHOULD NOT,Server,,,,"",""
105
+ hl7.fhir.uv.smart-app-launch_2.2.0,192,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,Multiple `fhirContext` items MAY have the same role.,MAY,Server,,,,"",""
106
+ hl7.fhir.uv.smart-app-launch_2.2.0,194,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-intent,The meaning of intent values must be negotiated between the app and the EHR.,SHALL,Server,,,,"",""
107
+ hl7.fhir.uv.smart-app-launch_2.2.0,197,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"If the EHR cannot represent the user with a FHIR resource, it cannot support the `fhirUser` scope.",SHALL,Server,,,,"",""
108
+ hl7.fhir.uv.smart-app-launch_2.2.0,198,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"This [instance returned from the `fhirUser` URL] will be a resource of type Patient, Practitioner, PractitionerRole, RelatedPerson, or Person",SHALL,Server,,,,"1.3.07, 2.3.07","smart_stu2_2-smart_full_standalone_launch-smart_openid_connect_stu2_2-smart_openid_fhir_user_claim, smart_stu2_2-smart_full_ehr_launch-smart_openid_connect_stu2_2-smart_openid_fhir_user_claim"
109
+ hl7.fhir.uv.smart-app-launch_2.2.0,199,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"Note that [the] `Person` [resource type] is only used if the other resource types do not apply to the current user, for example, the “authorized representative” for >1 patients [would be a Person since RelatedPerson can be associated only with a single Patient].",SHOULD,Server,,,,"",""
110
+ hl7.fhir.uv.smart-app-launch_2.2.0,200,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"When these [identity data] scopes are requested (and the request is granted), the [server SHALL send and the] app will receive an [`id_token`](http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken) that comes alongside the access token.",SHALL,Server,,,,"1.3.01, 2.3.01","smart_stu2_2-smart_full_standalone_launch-smart_openid_connect_stu2_2-smart_openid_decode_id_token, smart_stu2_2-smart_full_ehr_launch-smart_openid_connect_stu2_2-smart_openid_decode_id_token"
111
+ hl7.fhir.uv.smart-app-launch_2.2.0,203,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"This [`fhirUser`] URL MAY be absolute (e.g., https://ehr.example.org/Practitioner/123)",MAY,Server,,,,"",""
112
+ hl7.fhir.uv.smart-app-launch_2.2.0,204,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"This [`fhirUser`] URL ... MAY be relative to the FHIR server base URL associated with the current authorization request (e.g., Practitioner/123)…. Note that the FHIR server base URL is the same as the URL represented in the aud parameter passed in to the authorization request.",MAY,Server,,,,"",""
113
+ hl7.fhir.uv.smart-app-launch_2.2.0,205,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To be considered compatible with the SMART’s sso-openid-connect capability, … The EHR SHALL support the Authorization Code Flow, with the request parameters as defined in [SMART App Launch](https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html).",SHALL,Server,,,,"",""
114
+ hl7.fhir.uv.smart-app-launch_2.2.0,206,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To be considered compatible with the SMART’s sso-openid-connect capability, … Support is not required for [Authorization Code Flow] parameters that OIDC lists as optional (e.g., `id_token_hint`, `acr_value`), but EHRs are encouraged to review these optional parameters.",MAY,Server,,,,"",""
115
+ hl7.fhir.uv.smart-app-launch_2.2.0,207,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To be considered compatible with the SMART’s sso-openid-connect capability, …The EHR SHALL publish public keys as bare JWK keys",SHALL,Server,,,,"1.3.04, 2.3.04","smart_stu2_2-smart_full_standalone_launch-smart_openid_connect_stu2_2-smart_openid_retrieve_jwks, smart_stu2_2-smart_full_ehr_launch-smart_openid_connect_stu2_2-smart_openid_retrieve_jwks"
116
+ hl7.fhir.uv.smart-app-launch_2.2.0,208,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,[If the EHR publishes public keys as bare JWK keys they] MAY also be accompanied by X.509 representations of those keys,MAY,Server,,,,"",""
117
+ hl7.fhir.uv.smart-app-launch_2.2.0,209,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To be considered compatible with the SMART’s sso-openid-connect capability, … The EHR SHALL support the inclusion of SMART’s `fhirUser` claim within the `id_token` issued for any requests that grant the `openid` and `fhirUser` scopes.",SHALL,Server,,,,"",""
118
+ hl7.fhir.uv.smart-app-launch_2.2.0,210,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To be considered compatible with the SMART’s sso-openid-connect capability, … The EHR SHALL support Signing ID Tokens with RSA SHA-256",SHALL,Server,,,,"1.3.03, 1.3.04, 1.3.05, 2.3.03, 2.3.04, 2.3.05","smart_stu2_2-smart_full_standalone_launch-smart_openid_connect_stu2_2-smart_openid_required_configuration_fields, smart_stu2_2-smart_full_standalone_launch-smart_openid_connect_stu2_2-smart_openid_retrieve_jwks, smart_stu2_2-smart_full_standalone_launch-smart_openid_connect_stu2_2-smart_openid_token_header, smart_stu2_2-smart_full_ehr_launch-smart_openid_connect_stu2_2-smart_openid_required_configuration_fields, smart_stu2_2-smart_full_ehr_launch-smart_openid_connect_stu2_2-smart_openid_retrieve_jwks, smart_stu2_2-smart_full_ehr_launch-smart_openid_connect_stu2_2-smart_openid_token_header"
119
+ hl7.fhir.uv.smart-app-launch_2.2.0,212,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"Servers MAY include support for [OpenID Connect features, including … `claims` parameters on the authorization request",MAY,Server,,,,"",""
120
+ hl7.fhir.uv.smart-app-launch_2.2.0,213,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"Servers MAY include support for [OpenID Connect features, including] … Request Objects on the authorization request",MAY,Server,,,,"",""
121
+ hl7.fhir.uv.smart-app-launch_2.2.0,214,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"Servers MAY include support for [OpenID Connect features, including] … UserInfo endpoint with claims exposed to clients",MAY,Server,,,,"",""
122
+ hl7.fhir.uv.smart-app-launch_2.2.0,217,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#extensibility,"additional context parameters and scopes … [defined by the server and] used as extensions … [SHOULD use] the following namespace conventions _use a full URI that you control (e.g., http://example.com/scope-name) [or] _use any string starting with `__` (two underscores)",SHOULD,Server,,,,"",""
123
+ hl7.fhir.uv.smart-app-launch_2.2.0,228,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#response,Servers [SHALL] respond [to requests to [base]/.well-known/smart-configuration] with a discovery response that meets [discovery requirements described in `client-confidential-asymmetric` authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#discovery-requirements). [from [base]/.well-known/smart-configuration],SHALL,Server,,,,"",""
124
+ hl7.fhir.uv.smart-app-launch_2.2.0,231,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-1,All exchanges described herein between the client and the FHIR server SHALL be secured using TLS V1.2 or a more recent version of TLS .,SHALL,Server,,,,"",""
125
+ hl7.fhir.uv.smart-app-launch_2.2.0,240,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#scopes,"The client is pre-authorized by the server. In other words, by the time a client initiates an access token request, the server has already associated the client with the authority to access certain data.",SHALL,Server,,,,"",""
126
+ hl7.fhir.uv.smart-app-launch_2.2.0,241,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#scopes,"The client then includes a set of scopes in the access token request [`scope` parameter], which the server … [SHALL] apply [as] additional access restrictions following the SMART Scopes syntax.",SHALL,Server,,,,"",""
127
+ hl7.fhir.uv.smart-app-launch_2.2.0,243,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#enforce-authorization,"[When a] Client explicitly asks for data that it is not authorized to see (e.g., a client asks for Observation resources but has scopes that only permit access to Patient resources) …a server SHOULD respond with a failure to the initial request.",SHOULD,Server,,,,"",""
128
+ hl7.fhir.uv.smart-app-launch_2.2.0,244,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#enforce-authorization,"[When a] Client explicitly asks for data that the server does not support (e.g., a client asks for Practitioner resources but the server does not support FHIR access to Practitioner data) ... a server SHOULD respond with a failure to the initial request.",SHOULD,Server,,,,"",""
129
+ hl7.fhir.uv.smart-app-launch_2.2.0,245,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#enforce-authorization,"[When a] Client explicitly asks for data that the server supports and that appears consistent with its access scopes – but some additional out-of-band rules/policies/restrictions prevents the client from being authorized to see these data... the server MAY withhold certain results from the response, and MAY indicate to the client that results were withheld by including OperationOutcome information in the “error” array for the response as a partial success.",MAY,Server,,,,"",""
130
+ hl7.fhir.uv.smart-app-launch_2.2.0,246,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#enforce-authorization,"[When a server does not return data that the clien's scopes indicate it has access to, it] MAY indicate to the client that results were withheld by including OperationOutcome information in the “error” array for the response as a partial success.",MAY,Server,,,,"",""
131
+ hl7.fhir.uv.smart-app-launch_2.2.0,247,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#enforce-authorization,"Rules regarding circumstances under which a client is required to obtain and present an access token along with a request are based on risk-management decisions that each FHIR resource service needs to [(SHALL)] make, considering the workflows involved, perceived risks, and the organization’s risk-management policies.",SHALL,Server,,,,"",""
132
+ hl7.fhir.uv.smart-app-launch_2.2.0,248,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#enforce-authorization,Refresh tokens SHOULD NOT be issued.,SHOULD NOT,Server,,,,"",""
133
+ hl7.fhir.uv.smart-app-launch_2.2.0,249,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#validate-authentication-jws,The FHIR authorization server [SHALL validate] a client’s authentication JWT according to the client-confidential-asymmetric authentication profile … [per the] [JWT validation rules](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#signature-verification).,SHALL,Server,,,,"",""
134
+ hl7.fhir.uv.smart-app-launch_2.2.0,250,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#evaluate-requested-access,"Once the client has been authenticated, the FHIR authorization server SHALL mediate the request to assure that the scope requested is within the scope pre-authorized to the client.",SHALL,Server,,,,"",""
135
+ hl7.fhir.uv.smart-app-launch_2.2.0,251,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,"If an error is encountered during the authorization process, the FHIR authorization server SHALL respond with the appropriate error message defined in [Section 5.2 of the OAuth 2.0 specification](https://tools.ietf.org/html/rfc6749#page-45)",SHALL,Server,,,,"3.2.02, 3.2.03","smart_stu2_2-smart_backend_services-backend_services_authorization-smart_backend_services_invalid_grant_type, smart_stu2_2-smart_backend_services-backend_services_authorization-smart_backend_services_invalid_client_assertion"
136
+ hl7.fhir.uv.smart-app-launch_2.2.0,252,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,"If an error is encountered during the authorization process, [t]he FHIR authorization server SHOULD include an `error_uri` or `error_description` as defined in OAuth 2.0.",SHOULD,Server,,,,"",""
137
+ hl7.fhir.uv.smart-app-launch_2.2.0,253,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,"If the access token request is valid and authorized, the FHIR authorization server SHALL issue an access token in response.",SHALL,Server,,,,3.2.05,smart_stu2_2-smart_backend_services-backend_services_authorization-smart_backend_services_auth_request_success
138
+ hl7.fhir.uv.smart-app-launch_2.2.0,254,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,[When responding with an access token t]he `access_token` [parameter is] `required` [and] SHALL [contain] The access token issued by the FHIR authorization server.,SHALL,Server,,,,3.2.06,smart_stu2_2-smart_backend_services-backend_services_authorization-smart_backend_services_auth_response_body
139
+ hl7.fhir.uv.smart-app-launch_2.2.0,255,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,[When responding with an access token t]he `token_type` [parameter is] `required` [and] SHALL [contain] Fixed value: bearer.,SHALL,Server,,,,3.2.06,smart_stu2_2-smart_backend_services-backend_services_authorization-smart_backend_services_auth_response_body
140
+ hl7.fhir.uv.smart-app-launch_2.2.0,256,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,[When responding with an access token t]he `expires_in` [parameter is] `required` [and] SHALL [contain] The lifetime in seconds of the access token.,SHALL,Server,,,,3.2.06,smart_stu2_2-smart_backend_services-backend_services_authorization-smart_backend_services_auth_response_body
141
+ hl7.fhir.uv.smart-app-launch_2.2.0,257,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,"[When responding with an access token t]he recommended value [for the `expires_in` parameter] is 300, for a five-minute token lifetime.",SHOULD,Server,,,,"",""
142
+ hl7.fhir.uv.smart-app-launch_2.2.0,258,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,[When responding with an access token t]he `scope` [parameter is] `required` [and] SHALL [contain s]cope of access authorized.,SHALL,Server,,,,3.2.06,smart_stu2_2-smart_backend_services-backend_services_authorization-smart_backend_services_auth_response_body
143
+ hl7.fhir.uv.smart-app-launch_2.2.0,259,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,[When responding with an access token t]he `scope` [parameter value] can be different from the scopes requested by the app.,SHALL,Server,,,,"",""
144
+ hl7.fhir.uv.smart-app-launch_2.2.0,260,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,"to minimize risks associated with token redirection, the scope of each access token SHOULD encompass, and be limited to, the resources requested",SHOULD,Server,,,,"",""
145
+ hl7.fhir.uv.smart-app-launch_2.2.0,261,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,[When responding with an access token a]ccess tokens issued under this [backed services] profile SHALL be short-lived,SHALL,Server,,,,"",""
146
+ hl7.fhir.uv.smart-app-launch_2.2.0,262,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,"[When responding with an access token t]he `expires_in` value SHOULD NOT exceed 300, which represents an expiration-time of five minutes.",SHOULD NOT,Server,,,,"",""
147
+ hl7.fhir.uv.smart-app-launch_2.2.0,265,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#response-2,The resource server SHALL validate the access token and ensure that it has not expired,SHALL,Server,,,,"",""
148
+ hl7.fhir.uv.smart-app-launch_2.2.0,266,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#response-2,The resource server SHALL validate the access token and ensure … that its scope covers the requested resource,SHALL,Server,,,,"",""
149
+ hl7.fhir.uv.smart-app-launch_2.2.0,269,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#token-introspection,"SMART on FHIR EHRs SHOULD support Token Introspection, which allows a broader ecosystem of resource servers to leverage authorization decisions managed by a single authorization server.",SHOULD,Server,,,,"",""
150
+ hl7.fhir.uv.smart-app-launch_2.2.0,271,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#token-introspection,Token Introspection is conducted [and servers SHALL respond] according to [RFC 7662: OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662),SHALL,Server,,,,"",""
151
+ hl7.fhir.uv.smart-app-launch_2.2.0,272,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#required-fields-in-the-introspection-response,"In the introspection response… the `active` field [is] required by RFC7662 (a boolean indicating whether the access token is active),",SHALL,Server,,,,"",""
152
+ hl7.fhir.uv.smart-app-launch_2.2.0,273,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#required-fields-in-the-introspection-response,[T]he following fields SHALL be included in the introspection response:… the `scope` [field a]s included in the original access token response,SHALL,Server,,,,4.3.01,smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_response_group-Test01
153
+ hl7.fhir.uv.smart-app-launch_2.2.0,274,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#required-fields-in-the-introspection-response,[T]he following fields SHALL be included in the introspection response:… the `client_id`[field a]s included in the original access token response,SHALL,Server,,,,4.3.01,smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_response_group-Test01
154
+ hl7.fhir.uv.smart-app-launch_2.2.0,275,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#required-fields-in-the-introspection-response,[T]he following fields SHALL be included in the introspection response:… the... `exp`[field] … [will be t]he integer timestamp indicates when the access token expires.,SHALL,Server,,,,4.3.01,smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_response_group-Test01
155
+ hl7.fhir.uv.smart-app-launch_2.2.0,276,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#required-fields-in-the-introspection-response,[T]he following fields SHALL be included in the introspection response:… the... `exp`[field] … will be consistent the with `expires_in` interval provided in the original access token response.,SHALL,Server,,,,4.3.01,smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_response_group-Test01
156
+ hl7.fhir.uv.smart-app-launch_2.2.0,277,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#conditional-fields-in-the-introspection-response,"If a launch context parameter defined in [Scopes and Launch Context](https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html) (e.g., `patient` or `intent`) was included in the original access token response, the parameter SHALL be included in the token introspection response.",SHALL,Server,,,,4.3.01,smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_response_group-Test01
157
+ hl7.fhir.uv.smart-app-launch_2.2.0,278,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#conditional-fields-in-the-introspection-response,"If an id_token was included in the original access token response, the … [`iss`] claims from the ID Token SHALL be included in the Token Introspection response",SHALL,Server,,,,4.3.01,smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_response_group-Test01
158
+ hl7.fhir.uv.smart-app-launch_2.2.0,279,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#conditional-fields-in-the-introspection-response,"If an id_token was included in the original access token response, the … [`sub`] claims from the ID Token SHALL be included in the Token Introspection response",SHALL,Server,,,,4.3.01,smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_response_group-Test01
159
+ hl7.fhir.uv.smart-app-launch_2.2.0,280,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#conditional-fields-in-the-introspection-response,"If an id_token was included in the original access token response, the [`fhirsuer`]... claims from the ID Token SHOULD be included in the Token Introspection response",SHOULD,Server,,,,"",""
160
+ hl7.fhir.uv.smart-app-launch_2.2.0,281,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#authorization-to-perform-token-introspection,SMART on FHIR EHRs MAY implement access control protecting the Token Introspection endpoint.,MAY,Server,,,,"",""
161
+ hl7.fhir.uv.smart-app-launch_2.2.0,282,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#authorization-to-perform-token-introspection,"If access control is implemented [on the token introspection endpoint], any client authorized to issue Token Introspection API calls SHALL be permitted to authenticate to the Token Introspection endpoint by providing an appropriately-scoped SMART App or SMART Backend Service bearer token in the Authorization header.",SHALL,Server,,,,"",""
162
+ hl7.fhir.uv.smart-app-launch_2.2.0,283,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#authorization-to-perform-token-introspection,Clients authorized in this way [to acess an access-controlled token introspection endpoint] are [(SHALL be)] able to introspect tokens issued to any client,SHALL,Server,,,,"",""
163
+ hl7.fhir.uv.smart-app-launch_2.2.0,285,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#advertising-server-support-for-this-profile,[A] server [SHALL advertise] its support for SMART Confidential Clients with Asymmetric Keys by including the `client-confidential-asymmetric` capability at is `.well-known/smart-configuration` endpoint;,SHALL,Server,,,,"",""
164
+ hl7.fhir.uv.smart-app-launch_2.2.0,286,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#advertising-server-support-for-this-profile,"[When supporting the `client-confidential-asymmetric`capability a server's .well-known/smart-configuration`] configuration properties [SHALL] include ... `token_endpoint`,",SHALL,Server,,,,"",""
165
+ hl7.fhir.uv.smart-app-launch_2.2.0,287,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#advertising-server-support-for-this-profile,"[When supporting the `client-confidential-asymmetric`capability a server's .well-known/smart-configuration`] configuration properties [SHALL] include ... `scopes_supported`,",SHALL,Server,,,,"",""
166
+ hl7.fhir.uv.smart-app-launch_2.2.0,288,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#advertising-server-support-for-this-profile,[When supporting the `client-confidential-asymmetric`capability a server's .well-known/smart-configuration`] configuration properties [SHALL] include ...`token_endpoint_auth_methods_supported` (with values that include `private_key_jwt`),SHALL,Server,,,,"",""
167
+ hl7.fhir.uv.smart-app-launch_2.2.0,289,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#advertising-server-support-for-this-profile,"[When supporting the `client-confidential-asymmetric`capability a server's .well-known/smart-configuration`] configuration properties [SHALL] include ... `token_endpoint_auth_signing_alg_values_supported` (with values that include at least one of `RS384`, `ES384`).",SHALL,Server,,,,"",""
168
+ hl7.fhir.uv.smart-app-launch_2.2.0,296,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,[When registering clients to use the `client-confidential-asymmetric`capability] FHIR authorization servers SHALL support registration of client JWKs using … URL to JWK set,SHALL,Server,,,,"",""
169
+ hl7.fhir.uv.smart-app-launch_2.2.0,297,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,[When registering clients to use the `client-confidential-asymmetric`capability] FHIR authorization servers SHALL support registration of client JWKs using ... JWK Set directly,SHALL,Server,,,,"",""
170
+ hl7.fhir.uv.smart-app-launch_2.2.0,305,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[if Client supplies JWK set directly to the FHIR authorization server during registration for the `client-confidential-asymmetric`capability,] the FHIR authorization server SHALL protect the JWK Set from corruption.",SHALL,Server,,,,"",""
171
+ hl7.fhir.uv.smart-app-launch_2.2.0,306,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[if Client supplies JWK set directly to the FHIR authorization server during registration fro the `client-confidential-asymmetric`capability,] the FHIR authorization server ... SHOULD remind the client to send an update whenever the key set changes.",SHOULD,Server,,,,"",""
172
+ hl7.fhir.uv.smart-app-launch_2.2.0,310,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,The FHIR authorization server SHALL be capable of validating signatures with at least one of `RS384` or `ES384`.,SHALL,Server,,,,"",""
173
+ hl7.fhir.uv.smart-app-launch_2.2.0,311,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,servers MAY support … additional algorithms for signature validation [when using the `client-confidential-asymmetric`capability].,MAY,Server,,,,"",""
174
+ hl7.fhir.uv.smart-app-launch_2.2.0,316,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"Upon registration, the client SHALL be assigned a `client_id`",SHALL,Server,,,,"",""
175
+ hl7.fhir.uv.smart-app-launch_2.2.0,326,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"When [the `jku` Authentication JWT header value is] absent, the FHIR authorization server SHOULD fall back on the JWK Set URL or the JWK Set supplied at registration time.",SHOULD,Server,,,,"",""
176
+ hl7.fhir.uv.smart-app-launch_2.2.0,335,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#signature-verification,The FHIR authorization server SHALL validate the JWT according to the processing requirements defined in [Section 3 of RFC7523](https://tools.ietf.org/html/rfc7523#section-3) including validation of the signature on the JWT,SHALL,Server,,,,"",""
177
+ hl7.fhir.uv.smart-app-launch_2.2.0,336,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#signature-verification,"The FHIR authorization server SHALL … check that the `jti` value has not been previously encountered for the given `iss` within the maximum allowed authentication JWT lifetime (e.g., 5 minutes). This check prevents replay attacks.",SHALL,Server,,,,"",""
178
+ hl7.fhir.uv.smart-app-launch_2.2.0,337,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#signature-verification,The FHIR authorization server SHALL … ensure that the `client_id` provided is known and matches the JWT’s `iss` claim.,SHALL,Server,,,,"",""
179
+ hl7.fhir.uv.smart-app-launch_2.2.0,338,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#signature-verification,"To resolve a key to verify signatures, a FHIR authorization server SHALL follow this algorithm:
180
+
181
+ 1. If the `jku` header is present, verify that the jku is whitelisted (i.e., that it matches the JWKS URL value supplied at registration time for the specified `client_id`).
182
+
183
+ a. If the jku header is not whitelisted, the signature verification fails.
184
+ b. If the jku header is whitelisted, create a set of potential keys by dereferencing the jku URL. Proceed to step 3.
185
+
186
+ 2. If the `jku` header is absent, create a set of potential key sources consisting of all keys found in the registration-time JWKS or found by dereferencing the registration-time JWK Set URL. Proceed to step 3.
187
+
188
+ 3. Identify a set of candidate keys by filtering the potential keys to identify the single key where the `kid` matches the value supplied in the client's JWT header, and the kty is consistent with the signature algorithm supplied in the client's JWT header (e.g., `RSA` for a JWT using an RSA-based signature, or `EC` for a JWT using an EC-based signature). If no keys match, or more than one key matches, the verification fails.
189
+
190
+ 4. Attempt to verify the JWK using the key identified in step 3.",SHALL,Server,,,,"",""
191
+ hl7.fhir.uv.smart-app-launch_2.2.0,339,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#signature-verification,To retrieve the keys from a JWKS URL ... a FHIR authorization server [SHALL issue] a HTTP GET request for that URL to obtain a JWKS response.,SHALL,Server,,,,"",""
192
+ hl7.fhir.uv.smart-app-launch_2.2.0,340,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#response,"If an error is encountered during the authentication process, the server SHALL respond with an `invalid_client error` as defined by the [OAuth 2.0 specification](https://tools.ietf.org/html/rfc6749#section-5.2).",SHALL,Server,,,,"",""
193
+ hl7.fhir.uv.smart-app-launch_2.2.0,341,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#response,The FHIR authorization server SHALL NOT cache a JWKS for longer than the client’s cache-control header indicates.,SHALL NOT,Server,,,,"",""
194
+ hl7.fhir.uv.smart-app-launch_2.2.0,342,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#response,The FHIR authorization server SHOULD cache a client’s JWK Set according to the client’s cache-control header; it doesn’t need to retrieve it anew every time.,SHALL NOT,Server,,,,"",""
195
+ hl7.fhir.uv.smart-app-launch_2.2.0,344,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html#profile-audience-and-scope,This [ `client-confidential-symmetric`] profile is not intended for [severs to use with] SMART Backend Services clients.,SHALL NOT,Server,,,,"",""
196
+ hl7.fhir.uv.smart-app-launch_2.2.0,346,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capability-sets,A SMART on FHIR server SHOULD support one or more Capability Sets.,SHOULD,Server,,,,"",""
197
+ hl7.fhir.uv.smart-app-launch_2.2.0,348,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#patient-access-for-standalone-apps,"[To support the ] Patient Access for Standalone Apps [Capability Set, a server SHALL support the following capabilities:]
198
+ 1. `launch-standalone`
199
+ 2. At least one of `client-public` or `client-confidential-symmetric`; and MAY support `client-confidential-asymmetric`
200
+ 3. `context-standalone-patient`
201
+ 4. `permission-patient `",SHALL,Server,,,,"",""
202
+ hl7.fhir.uv.smart-app-launch_2.2.0,349,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#patient-access-for-standalone-apps,"[To support the ] Patient Access for EHR Launch (i.e. from Portal) [Capability Set, a server SHALL support the following capabilities:]
203
+ 1.` launch-ehr`
204
+ 2. At least one of `client-public` or `client-confidential-symmetric`; and MAY support `client-confidential-asymmetric`
205
+ 3.`context-ehr-patient`
206
+ 4. `permission-patient`",SHALL,Server,,,,"",""
207
+ hl7.fhir.uv.smart-app-launch_2.2.0,350,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#patient-access-for-standalone-apps,"[To support the ] Clinician Access for Standalone [Capability Set, a server SHALL support the following capabilities:]
208
+ 1. `launch-standalone`
209
+ 2. At least one of `client-public` or `client-confidential-symmetric`; and MAY support `client-confidential-asymmetric`
210
+ 3. `permission-user`
211
+ 4. `permission-patient `",SHALL,Server,,,,"",""
212
+ hl7.fhir.uv.smart-app-launch_2.2.0,351,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#patient-access-for-standalone-apps,"[To support the ] Clinician Access for EHR Launch [Capability Set, a server SHALL support the following capabilities:]
213
+ 1. `launch-ehr`
214
+ 2. At least one of `client-public` or `client-confidential-symmetric`; and MAY support `client-confidential-asymmetric`
215
+ 3. `context-ehr-patient` support
216
+ 4. `context-ehr-encounter` support
217
+ 5. `permission-user
218
+ 6. `permission-patient `",SHALL,Server,,,,"",""
219
+ hl7.fhir.uv.smart-app-launch_2.2.0,352,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `launch-ehr` [capability SHALL provide] support for SMART’s EHR Launch mode.,SHALL,Server,,,,"",""
220
+ hl7.fhir.uv.smart-app-launch_2.2.0,353,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `launch-standalone` [capability SHALL provide] support for SMART’s Standalone Launch mode,SHALL,Server,,,,"",""
221
+ hl7.fhir.uv.smart-app-launch_2.2.0,354,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `authorize-post` [capability SHALL provide] support for POST-based authorization,SHALL,Server,,,,"",""
222
+ hl7.fhir.uv.smart-app-launch_2.2.0,355,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `client-public` [capability SHALL provide] support for SMART’s public client profile (no client authentication).,SHALL,Server,,,,"",""
223
+ hl7.fhir.uv.smart-app-launch_2.2.0,356,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `client-confidential-symmetric` [capability SHALL provide] support for SMART’s symmetric confidential client profile (“client secret” authentication). See [Client Authentication: Symmetric](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html),SHALL,Server,,,,"",""
224
+ hl7.fhir.uv.smart-app-launch_2.2.0,357,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `client-confidential-asymmetric` [capability SHALL provide] support for SMART’s asymmetric confidential client profile (“JWT authentication”). See [Client Authentication: Asymmetric](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html).,SHALL,Server,,,,"",""
225
+ hl7.fhir.uv.smart-app-launch_2.2.0,358,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `sso-openid-connect` [capability SHALL provide] support for SMART’s OpenID Connect profile,SHALL,Server,,,,"",""
226
+ hl7.fhir.uv.smart-app-launch_2.2.0,359,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `context-banner` [capability SHALL provide] support for “need patient banner” launch context (conveyed via need_patient_banner token parameter).,SHALL,Server,,,,"",""
227
+ hl7.fhir.uv.smart-app-launch_2.2.0,360,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `context-style` [capability SHALL provide] support for `SMART style URL` launch context (conveyed via smart_style_url token parameter). This capability is deemed experimental.,SHALL,Server,,,,"",""
228
+ hl7.fhir.uv.smart-app-launch_2.2.0,361,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `context-ehr-patient` [capability SHALL provide] support for patient-level launch context (requested by `launch/patient` scope, conveyed via patient token parameter)",SHALL,Server,,,,"",""
229
+ hl7.fhir.uv.smart-app-launch_2.2.0,362,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `context-ehr-encounter` [capability SHALL provide] support for encounter-level launch context (requested by `launch/encounter` scope, conveyed via `encounter` token parameter)",SHALL,Server,,,,"",""
230
+ hl7.fhir.uv.smart-app-launch_2.2.0,363,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `context-standalone-patient` [capability SHALL provide] support for patient-level launch context (requested by `launch/patient` scope, conveyed via` patient` token parameter)",SHALL,Server,,,,"",""
231
+ hl7.fhir.uv.smart-app-launch_2.2.0,364,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `context-standalone-encounter` [capability SHALL provide] support for encounter-level launch context (requested by `launch/encounter` scope, conveyed via `encounter` token parameter)",SHALL,Server,,,,"",""
232
+ hl7.fhir.uv.smart-app-launch_2.2.0,365,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `permission-offline` [capability SHALL provide] support for “offline” refresh tokens (requested by `offline_access` scope),SHALL,Server,,,,"",""
233
+ hl7.fhir.uv.smart-app-launch_2.2.0,366,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `permission-online` [capability SHALL provide] support for “online” refresh tokens requested during EHR Launch (requested by `online_access` scope). This capability is deemed experimental, providing the input to a scope negotiation that could result in granting an online or offline refresh token (see [Scopes and Launch Context](https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html)).",SHALL,Server,,,,"",""
234
+ hl7.fhir.uv.smart-app-launch_2.2.0,367,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `permission-patient` [capability SHALL provide] support for patient-level scopes (e.g., `patient/Observation.rs`)",SHALL,Server,,,,"",""
235
+ hl7.fhir.uv.smart-app-launch_2.2.0,368,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `permission-user` [capability SHALL provide] support for user-level scopes (e.g., `user/Appointment.rs`)",SHALL,Server,,,,"",""
236
+ hl7.fhir.uv.smart-app-launch_2.2.0,369,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `permission-v1` [capability SHALL provide] support for SMARTv1 scope syntax (e.g., patient/Observation.read)",SHALL,Server,,,,"",""
237
+ hl7.fhir.uv.smart-app-launch_2.2.0,370,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `permission-v2` [capability SHALL provide] support for SMARTv2 granular scope syntax (e.g., `patient/Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|vital-signs`)",SHALL,Server,,,,"",""
238
+ hl7.fhir.uv.smart-app-launch_2.2.0,371,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `smart-app-state` [capability SHALL provide] support for managing [SMART App State](https://hl7.org/fhir/smart-app-launch/STU2.2/app-state.html).,SHALL,Server,,,,"",""
239
+ hl7.fhir.uv.smart-app-launch_2.2.0,372,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,FHIR endpoints requiring authorization SHALL serve a JSON document at the location formed by appending `/.well-known/smart-configuration` to their base URL.,SHALL,Server,,,,"1.1.01, 2.1.01, 3.1.01, 4.1.1.01","smart_stu2_2-smart_full_standalone_launch-smart_discovery_stu2_2-well_known_endpoint, smart_stu2_2-smart_full_ehr_launch-smart_discovery_stu2_2-well_known_endpoint, smart_stu2_2-smart_backend_services-smart_discovery_stu2_2-well_known_endpoint, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_discovery_stu2_2-well_known_endpoint"
240
+ hl7.fhir.uv.smart-app-launch_2.2.0,373,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,"The server SHALL convey the FHIR OAuth authorization endpoints and any optional SMART Capabilities it supports using this “Well-Known Uniform Resource Identifiers (URIs)” JSON document (see [RFC5785](https://datatracker.ietf.org/doc/html/rfc5785)). Contrary to RFC5785 Appendix B.4, the `.well-known` path component may be appended even if the FHIR endpoint already contains a path component",SHALL,Server,,,,"1.1.02, 2.1.02, 3.1.02, 4.1.1.02","smart_stu2_2-smart_full_standalone_launch-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_full_ehr_launch-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_backend_services-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_discovery_stu2_2-well_known_capabilities_stu2"
241
+ hl7.fhir.uv.smart-app-launch_2.2.0,374,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,"Responses for `/.well-known/smart-configuration` requests SHALL be JSON, regardless of `Accept` headers provided in the request.",SHALL,Server,,,,"1.1.01, 2.1.01, 3.1.01, 4.1.1.01","smart_stu2_2-smart_full_standalone_launch-smart_discovery_stu2_2-well_known_endpoint, smart_stu2_2-smart_full_ehr_launch-smart_discovery_stu2_2-well_known_endpoint, smart_stu2_2-smart_backend_services-smart_discovery_stu2_2-well_known_endpoint, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_discovery_stu2_2-well_known_endpoint"
242
+ hl7.fhir.uv.smart-app-launch_2.2.0,376,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,[In responses for `/.well-known/smart-configuration` requests] servers MAY ignore any client-supplied Accept headers,MAY,Server,,,,"",""
243
+ hl7.fhir.uv.smart-app-launch_2.2.0,377,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,[In responses for `/.well-known/smart-configuration` requests] servers SHALL respond with application/json,SHALL,Server,,,,"1.1.01, 2.1.01, 3.1.01, 4.1.1.01","smart_stu2_2-smart_full_standalone_launch-smart_discovery_stu2_2-well_known_endpoint, smart_stu2_2-smart_full_ehr_launch-smart_discovery_stu2_2-well_known_endpoint, smart_stu2_2-smart_backend_services-smart_discovery_stu2_2-well_known_endpoint, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_discovery_stu2_2-well_known_endpoint"
244
+ hl7.fhir.uv.smart-app-launch_2.2.0,378,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,[In responses for `/.well-known/smart-configuration` requests] All endpoint URLs in the response document SHALL be absolute URLs.,SHALL,Server,,,,"",""
245
+ hl7.fhir.uv.smart-app-launch_2.2.0,380,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#response,A JSON document must be returned using the `application/json`mime type.,SHALL,Server,,,,"",""
246
+ hl7.fhir.uv.smart-app-launch_2.2.0,381,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request] if the server’s capabilities include `sso-openid-connect`[the] ..Metadata`issuer`[is] required ... [and SHALL contain the] String conveying this system’s OpenID Connect Issuer URL,SHALL,Server,,,,"1.1.02, 2.1.02, 3.1.02, 4.1.1.02","smart_stu2_2-smart_full_standalone_launch-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_full_ehr_launch-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_backend_services-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_discovery_stu2_2-well_known_capabilities_stu2"
247
+ hl7.fhir.uv.smart-app-launch_2.2.0,382,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request] if the server’s capabilities include `sso-openid-connect`[the] ...Metadata ...`jwks_uri`[is] required [and Shall contain the] string conveying this system’s JSON Web Key Set URL,SHALL,Server,,,,"1.1.02, 2.1.02, 3.1.02, 4.1.1.02","smart_stu2_2-smart_full_standalone_launch-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_full_ehr_launch-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_backend_services-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_discovery_stu2_2-well_known_capabilities_stu2"
248
+ hl7.fhir.uv.smart-app-launch_2.2.0,383,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request] if server supports the `launch-ehr` or `launch-standalone` capability [the] ...Metadata ...`authorization_endpoint`[is] required … [and Shall contain the] URL to the OAuth2 authorization endpoint,SHALL,Server,,,,"1.1.02, 2.1.02, 3.1.02, 4.1.1.02","smart_stu2_2-smart_full_standalone_launch-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_full_ehr_launch-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_backend_services-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_discovery_stu2_2-well_known_capabilities_stu2"
249
+ hl7.fhir.uv.smart-app-launch_2.2.0,384,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`grant_types_supported`[is] required … [and Shall contain the] Array of grant types supported at the token endpoint. The options are “authorization_code” (when SMART App Launch is supported) and “client_credentials” (when SMART Backend Services is supported).,SHALL,Server,,,,"",""
250
+ hl7.fhir.uv.smart-app-launch_2.2.0,385,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`token_endpoint`[is] required … [and Shall contain the] URL to the OAuth2 token endpoint.,SHALL,Server,,,,"1.1.02, 2.1.02, 3.1.02, 4.1.1.02","smart_stu2_2-smart_full_standalone_launch-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_full_ehr_launch-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_backend_services-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_discovery_stu2_2-well_known_capabilities_stu2"
251
+ hl7.fhir.uv.smart-app-launch_2.2.0,386,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,"[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`token_endpoint_auth_methods_supported`[is] OPTIONAL … [and Shall contain the] array of client authentication methods supported by the token endpoint. The options are “client_secret_post”, “client_secret_basic”, and “private_key_jwt”.",MAY,Server,,,,"",""
252
+ hl7.fhir.uv.smart-app-launch_2.2.0,387,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`user_access_brand_bundle`[is] RECOMMENDED … [and Shall contain the] URL for a Brand Bundle. See User [Access Brands](https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html).,SHOULD,Server,,,,"",""
253
+ hl7.fhir.uv.smart-app-launch_2.2.0,388,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`user_access_brand_identifier`[is] RECOMMENDED … [and Shall contain the] Identifier for the primary entry in a Brand Bundle. See User [Access Brands](https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html).,SHOULD,Server,,,,"",""
254
+ hl7.fhir.uv.smart-app-launch_2.2.0,389,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`scopes_supported`[is] RECOMMENDED … [and Shall contain the] Array of scopes a client may request. See [scopes and launch context]. The server SHALL support all scopes listed here; additional scopes MAY be supported (so clients should not consider this an exhaustive list).,SHOULD,Server,,,,"",""
255
+ hl7.fhir.uv.smart-app-launch_2.2.0,390,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`response_types_supported`[is] RECOMMENDED … [and Shall contain the] URL where an end-user can view which applications currently have access to data and can make adjustments to these access rights.,SHOULD,Server,,,,"",""
256
+ hl7.fhir.uv.smart-app-launch_2.2.0,391,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`introspection_endpoint`[is] RECOMMENDED … [and Shall contain the] URL to a server’s introspection endpoint that can be used to validate a token.,SHOULD,Server,,,,"",""
257
+ hl7.fhir.uv.smart-app-launch_2.2.0,392,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`revocation_endpoint`[is] RECOMMENDED … [and Shall contain the] URL to a server’s revoke endpoint that can be used to revoke a token.,SHOULD,Server,,,,"",""
258
+ hl7.fhir.uv.smart-app-launch_2.2.0,393,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,"[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`capabilities`[is] REQUIRED … [and Shall contain the] Array of strings representing SMART capabilities (e.g., `sso-openid-connect` or `launch-standalone`) that the server supports.",SHALL,Server,,,,"1.1.02, 2.1.02, 3.1.02, 4.1.1.02","smart_stu2_2-smart_full_standalone_launch-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_full_ehr_launch-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_backend_services-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_discovery_stu2_2-well_known_capabilities_stu2"
259
+ hl7.fhir.uv.smart-app-launch_2.2.0,394,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,"[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`code_challenge_methods_supported`[is] REQUIRED … [and Shall contain the] Array of PKCE code challenge methods supported. The `S256` method SHALL be included in this list, and the `plain` method SHALL NOT be included in this list.",SHALL,Server,,,,"1.1.02, 2.1.02, 3.1.02, 4.1.1.02","smart_stu2_2-smart_full_standalone_launch-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_full_ehr_launch-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_backend_services-smart_discovery_stu2_2-well_known_capabilities_stu2, smart_stu2_2-smart_token_introspection_stu2_2-smart_token_introspection_access_token_group_stu2_2-smart_discovery_stu2_2-well_known_capabilities_stu2"
260
+ hl7.fhir.uv.smart-app-launch_2.2.0,395,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization ...that wishes to appear as a branded entity in user-facing apps ... [is] RECOMMENDED to define an Organization identifier where `system` is `urn:ietf:rfc:3986` and `value` is the HTTPS URL for the brand’s primary web presence, omitting any “www.” prefix from the domain and omitting any path component",SHOULD,Server,,,,"",""
261
+ hl7.fhir.uv.smart-app-launch_2.2.0,396,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle...
262
+ SHALL publish at least a “primary brand” that references each FHIR endpoint in the Brand Bundle",SHALL,Server,,,,"",""
263
+ hl7.fhir.uv.smart-app-launch_2.2.0,397,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle...
264
+ SHOULD support the publication of a more detailed Brand hierarchy",SHOULD,Server,,,,"",""
265
+ hl7.fhir.uv.smart-app-launch_2.2.0,398,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle...
266
+ SHALL populate `Bundle.timestamp` to advertise the timestamp of the last change to the contents",SHALL,Server,,,,"",""
267
+ hl7.fhir.uv.smart-app-launch_2.2.0,399,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle...
268
+ SHOULD populate `Bundle.entry.resource.meta.lastUpdated` with a more detailed timestamp if the system tracks updates per Resource.",SHOULD,Server,,,,"",""
269
+ hl7.fhir.uv.smart-app-launch_2.2.0,400,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle…
270
+ SHALL support Cross-Origin Resource Sharing (CORS) for all GET requests to the artifacts described in this guide.",SHALL,Server,,,,"",""
271
+ hl7.fhir.uv.smart-app-launch_2.2.0,401,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle...
272
+ SHOULD include a weak `Etag` header in all Brand Bundle HTTP responses",SHOULD,Server,,,,"",""
273
+ hl7.fhir.uv.smart-app-launch_2.2.0,402,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle...
274
+ SHALL allow Health Data Providers to manage all data elements marked “Must-Support” in the [“User Access Brand”](https://hl7.org/fhir/smart-app-launch/STU2.2/StructureDefinition-user-access-brand.html) and [“User Access Endpoint”](https://hl7.org/fhir/smart-app-launch/STU2.2/StructureDefinition-user-access-endpoint.html) profiles",SHALL,Server,,,,"",""
275
+ hl7.fhir.uv.smart-app-launch_2.2.0,403,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any organization hosting or enabling management of a User Access Brand Bundle… SHALL support customer-supplied Organization identifiers (`system` and `value`),SHALL,Server,,,,"",""
276
+ hl7.fhir.uv.smart-app-launch_2.2.0,404,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any organization hosting or enabling management of a User Access Brand Bundle… MAY provide a Data Absent Reason of `asked-declined` or `asked-unknown` in a Brand Bundle,MAY,Server,,,,"",""
277
+ hl7.fhir.uv.smart-app-launch_2.2.0,405,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any organization hosting or enabling management of a User Access Brand Bundle… SHALL NOT use Data Absent Reasons other than `asked-declined` or `asked-unknown` in a Brand Bundle,SHALL NOT,Server,,,,"",""
278
+ hl7.fhir.uv.smart-app-launch_2.2.0,406,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR server that supports discovery of a User Access Brand Bundle. SHOULD include `user_access_brand_bundle` and `user_access_brand_identifier` properties in the SMART configuration JSON respons,SHOULD,Server,,,,"",""
279
+ hl7.fhir.uv.smart-app-launch_2.2.0,407,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any SMART on FHIR server that supports discovery of a User Access Brand Bundle... When populating `user_access_brand_bundle`
280
+ SHOULD link to a Bundle that includes only Brands and Endpoints affiliated with the Health Data Provider responsible for this SMART on FHIR server",SHOULD,Server,,,,"",""
281
+ hl7.fhir.uv.smart-app-launch_2.2.0,408,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR server that supports discovery of a User Access Brand Bundle… When populating `user_access_brand_bundle` MAY link to a Bundle with Brands or Endpoints for additional Health Data Providers,MAY,Server,,,,"",""
282
+ hl7.fhir.uv.smart-app-launch_2.2.0,409,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR server that supports discovery of a User Access Brand Bundle... When populating `user_access_brand_bundle` SHALL populate `user_access_brand_identifier` in SMART configuration JSON response if the `user_access_brand_bundle` refers to a Bundle with multiple Brands.,SHALL,Server,,,,"",""
283
+ hl7.fhir.uv.smart-app-launch_2.2.0,410,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any SMART on FHIR server that supports discovery of a User Access Brand Bundle...
284
+ When populating `user_access_brand_identifier`SHALL include a` value`",SHALL,Server,,,,"",""
285
+ hl7.fhir.uv.smart-app-launch_2.2.0,411,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR server that supports discovery of a User Access Brand Bundle… When populating `user_access_brand_identifier`SHOULD include a system,SHOULD,Server,,,,"",""
286
+ hl7.fhir.uv.smart-app-launch_2.2.0,412,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR server that supports discovery of a User Access Brand Bundle… When populating `user_access_brand_identifier`SHALL ensure this identifier matches exactly one `Organization.identifier` in the referenced Brand Bundle,SHALL,Server,,,,"",""
287
+ hl7.fhir.uv.smart-app-launch_2.2.0,417,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#brand-bundle-profile,Vendors SHALL publish at least a “primary brand” for each endpoint and SHOULD support the publication of a more detailed Brand hierarchy.,SHALL,Server,,,,"",""
288
+ hl7.fhir.uv.smart-app-launch_2.2.0,418,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#brand-bundle-profile,Brand Bundles SHALL populate `Bundle.timestamp` to advertise the timestamp of the last change to the contents,SHALL,Server,,,,"",""
289
+ hl7.fhir.uv.smart-app-launch_2.2.0,419,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#brand-bundle-profile,Brand Bundles SHOULD populate `Bundle.entry.resource.meta.lastUpdated` with a more detailed timestamp if the system tracks updates per Resource.,SHALL,Server,,,,"",""
290
+ hl7.fhir.uv.smart-app-launch_2.2.0,421,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#consistent-identifiers-for-organizations,EHRs SHALL support customer-supplied identifiers (`system` and `value`).,SHALL,Server,,,,"",""
291
+ hl7.fhir.uv.smart-app-launch_2.2.0,422,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#consistent-identifiers-for-organizations,"It is RECOMMENDED that each Brand include an identifier where `system` is `urn:ietf:rfc: 3986` (meaning the identifier is a URL) and `value` is the HTTPS URL for the Brand’s primary web presence, omitting any “www.” prefix from the domain and omitting any path component.",SHOULD,Server,,,,"",""
292
+ hl7.fhir.uv.smart-app-launch_2.2.0,423,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#managing-cross-origin-resource-sharing-cors-for-fhir-resources,Publishers SHALL support [Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) for all GET requests to the artifacts described in this guide.,SHALL,Server,,,,"",""
293
+ hl7.fhir.uv.smart-app-launch_2.2.0,424,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#caching-brand-bundles,Publishers SHOULD include a weak `Etag` header in all HTTP responses.,SHOULD,Server,,,,"",""
294
+ hl7.fhir.uv.smart-app-launch_2.2.0,427,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,FHIR servers supporting this [User-access Brands and Endpoints] IG SHOULD include the… `user_access_brand_bundle` property [containing the] URL of a Brand Bundle… in the SMART configuration JSON response,SHOULD,Server,,,,"",""
295
+ hl7.fhir.uv.smart-app-launch_2.2.0,428,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,FHIR servers supporting this [User-access Brands and Endpoints] IG SHOULD include the… `user_access_brand_identifier` property [containing the] FHIR Identifier for this server’s primary Brand within the Bundle… in the SMART configuration JSON response,SHOULD,Server,,,,"",""
296
+ hl7.fhir.uv.smart-app-launch_2.2.0,429,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,Publishers SHALL populate this [`user_access_brand_identifier`] property if the referenced Brand Bundle includes more than one Brand.,SHOULD,Server,,,,"",""
297
+ hl7.fhir.uv.smart-app-launch_2.2.0,430,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,"When present, this [`user_access_brand_identifier`] identifier SHALL consist of a value",SHALL,Server,,,,"",""
298
+ hl7.fhir.uv.smart-app-launch_2.2.0,431,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,"When present, this [`user_access_brand_identifier`] identifier … SHOULD have a system.",SHALL,Server,,,,"",""
299
+ hl7.fhir.uv.smart-app-launch_2.2.0,432,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,The Brand Bundle SHALL include exactly one Brand with an Organization.identifier that matches the primary Brand identifier from SMART configuration JSON.,SHALL,Server,,,,"",""
300
+ hl7.fhir.uv.smart-app-launch_2.2.0,433,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,The Brand Bundle SHOULD include only the Brands and Endpoints associated with the SMART on FHIR server that links to the Bundle.,SHOULD,Server,,,,"",""
301
+ hl7.fhir.uv.smart-app-launch_2.2.0,434,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,"the Brand Bundle MAY have additional Brands or Endpoints (e.g., supporting a publication pattern where endpoints from a given vendor might point to a comprehensive, centralized vendor-managed list).",MAY,Server,,,,"",""
302
+ hl7.fhir.uv.smart-app-launch_2.2.0,436,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#must-support-definition-ms-and-data-absent-reasons,User Access Brand profile elements labeled as “must support” mean publishers must provide a way for Brands to populate the value,SHALL,Server,,,,"",""
303
+ hl7.fhir.uv.smart-app-launch_2.2.0,437,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#must-support-definition-ms-and-data-absent-reasons,"If the EHR has asked, but a Brand administrator has not supplied a value, the EHR MAY provide a [Data Absent Reason](http://hl7.org/fhir/StructureDefinition/data-absent-reason) of `asked-declined` or `asked-unknown`. The EHR SHALL NOT use other Data Absent Reasons.",MAY,Server,,,,"",""
304
+ hl7.fhir.uv.smart-app-launch_2.2.0,438,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`registration_endpoint`[is] RECOMMENDED … [and Shall contain the] URL to the OAuth2 dynamic registration endpoint for this FHIR server.,SHOULD,Server,,,,"",""
305
+ hl7.fhir.uv.smart-app-launch_2.2.0,439,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,"[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`associated_endpoints`[is] RECOMMENDED … [and Shall contain an a]rray of objects for endpoints that share the same authorization mechanism as this FHIR endpoint, each with a “url” and “capabilities” array.",SHOULD,Server,,,,"",""
@@ -0,0 +1 @@
1
+ Req Set,ID,URL,Requirement,Conformance,Actors,Conditionality,Not Tested Reason,Not Tested Details,SMART App Launch STU2 Short ID(s),SMART App Launch STU2 Full ID(s)