smart_app_launch_test_kit 0.2.2 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 99071ac48c50bc9184c429d8ac6d6a82c257a62b543b0300ffce76bb5428cd3e
-  data.tar.gz: 96ab8b622c5bcdbb803f38bb3fac3b954e09ed509ca50eb498fcb33a6f8a50a5
+  metadata.gz: 97f3e4dca10ecb9dfe4aa30802d90f4272dd32ffd10715fa7b3a0855a04b5c8d
+  data.tar.gz: 016a700551ef524e7bdc7f8871beb03f7297dc3cba39e5b4b53349b22f22ed53
 SHA512:
-  metadata.gz: 5ecbf51ed63307f358311b3e14b63827a1653a0697f79b3d85333577b72109eda60721cdf1a26acda174a0099df2ac3f710bb4371429789dab51744a23375915
-  data.tar.gz: d79ef7288453f232d1b4365dc271cabcc84436e94c8c5c0a02b7554521b16f05c0291eda15093a118fc8aa909577043ce5bb0ef0919c97d6abde81dcb6195bd5
+  metadata.gz: 519d2bb8c5bde6a7c5c28f04ec17bfdcff37c7270b6216707a05db4b04c94269d244c6a1888dd97a0c25c5a50764d4969a08c2774dcb636db7fd274301184427
+  data.tar.gz: eda1f5484f72de3a82c34eb1d0424a2b10a327baeb93d6e6df8f94be7a7e3ef378e5e6510378f62e7d9387e56424b42b52f4524fc557302d3a5ddab0654c782e

data/lib/smart_app_launch/app_redirect_test.rb

@@ -126,6 +126,8 @@ module SMARTAppLaunch
         oauth2_params
       )
 
+      info("Inferno redirecting browser to #{authorization_url}.")
+
       wait(
         identifier: state,
         message: wait_message(authorization_url)

data/lib/smart_app_launch/client_assertion_builder.rb

@@ -0,0 +1,63 @@
+require 'jwt'
+
+require_relative 'jwks'
+
+module SMARTAppLaunch
+  class ClientAssertionBuilder
+    def self.build(...)
+      new(...).client_assertion
+    end
+
+    attr_reader :aud,
+                :client_assertion_type,
+                :content_type,
+                :client_auth_encryption_method,
+                :exp,
+                :grant_type,
+                :iss,
+                :jti,
+                :sub
+
+    def initialize(
+      client_auth_encryption_method:,
+      iss:,
+      sub:,
+      aud:,
+      exp: 5.minutes.from_now.to_i,
+      jti: SecureRandom.hex(32)
+    )
+      @client_auth_encryption_method = client_auth_encryption_method
+      @iss = iss
+      @sub = sub
+      @aud = aud
+      @content_type = content_type
+      @grant_type = grant_type
+      @client_assertion_type = client_assertion_type
+      @exp = exp
+      @jti = jti
+    end
+
+    def private_key
+      @private_key ||=
+        JWKS.jwks
+          .find { |key| key[:key_ops]&.include?('sign') && key[:alg] == client_auth_encryption_method }
+    end
+
+    def jwt_payload
+      { iss:, sub:, aud:, exp:, jti: }.compact
+    end
+
+    def kid
+      private_key.kid
+    end
+
+    def signing_key
+      private_key.signing_key
+    end
+
+    def client_assertion
+      @client_assertion ||=
+        JWT.encode jwt_payload, signing_key, client_auth_encryption_method, { alg: client_auth_encryption_method, kid:, typ: 'JWT' }
+    end
+  end
+end

data/lib/smart_app_launch/ehr_launch_group.rb

@@ -48,7 +48,8 @@ module SMARTAppLaunch
         client_secret: {
           name: :ehr_client_secret,
           title: 'EHR Launch Client Secret',
-          description: 'Client Secret provided during registration of Inferno as an EHR launch application'
+          description: 'Client Secret provided during registration of Inferno as an EHR launch application. ' \
+                       'Only for clients using confidential symmetric authentication.'
         },
         requested_scopes: {
           name: :ehr_requested_scopes,

data/lib/smart_app_launch/ehr_launch_group_stu2.rb

@@ -1,5 +1,6 @@
 require_relative 'app_redirect_test_stu2'
 require_relative 'ehr_launch_group'
+require_relative 'token_exchange_stu2_test'
 
 module SMARTAppLaunch
   class EHRLaunchGroupSTU2 < EHRLaunchGroup
@@ -52,5 +53,12 @@ module SMARTAppLaunch
 
     redirect_index = children.find_index { |child| child.id.to_s.end_with? 'app_redirect' }
     children[redirect_index] = children.pop
+
+    test from: :smart_token_exchange_stu2
+
+    token_exchange_index = children.find_index { |child| child.id.to_s.end_with? 'token_exchange' }
+    children[token_exchange_index] = children.pop
+
+    children[token_exchange_index].id(:smart_token_exchange)
   end
 end

data/lib/smart_app_launch/jwks.rb

@@ -0,0 +1,27 @@
+require 'jwt'
+
+module SMARTAppLaunch
+  class JWKS
+    class << self
+      def jwks_json
+        @jwks_json ||=
+          JSON.pretty_generate(
+            { keys: jwks.export[:keys].select { |key| key[:key_ops]&.include?('verify') } }
+          )
+      end
+
+      def default_jwks_path
+        @default_jwks_path ||= File.join(__dir__, 'smart_jwks.json')
+      end
+
+      def jwks_path
+        @jwks_path ||=
+          ENV.fetch('SMART_JWKS_PATH', default_jwks_path)
+      end
+
+      def jwks
+        @jwks ||= JWT::JWK::Set.new(JSON.parse(File.read(jwks_path)))
+      end
+    end
+  end
+end

data/lib/smart_app_launch/smart_jwks.json

@@ -0,0 +1,58 @@
+{
+	"keys": 
+	[{
+		"kty": "EC",
+		"crv": "P-384",
+		"x": "JQKTsV6PT5Szf4QtDA1qrs0EJ1pbimQmM2SKvzOlIAqlph3h1OHmZ2i7MXahIF2C",
+		"y": "bRWWQRJBgDa6CTgwofYrHjVGcO-A7WNEnu4oJA5OUJPPPpczgx1g2NsfinK-D2Rw",
+		"use": "sig",
+		"key_ops": [
+			"verify"
+		],
+		"ext": true,
+		"kid": "4b49a739d1eb115b3225f4cf9beb6d1b",
+		"alg": "ES384"
+	},
+	{
+		"kty": "EC",
+		"crv": "P-384",
+		"d": "kDkn55p7gryKk2tj6z2ij7ExUnhi0ngxXosvqa73y7epwgthFqaJwApmiXXU2yhK",
+		"x": "JQKTsV6PT5Szf4QtDA1qrs0EJ1pbimQmM2SKvzOlIAqlph3h1OHmZ2i7MXahIF2C",
+		"y": "bRWWQRJBgDa6CTgwofYrHjVGcO-A7WNEnu4oJA5OUJPPPpczgx1g2NsfinK-D2Rw",
+		"key_ops": [
+			"sign"
+		],
+		"ext": true,
+		"kid": "4b49a739d1eb115b3225f4cf9beb6d1b",
+		"alg": "ES384"
+	},
+	{
+		"kty": "RSA",
+		"alg": "RS384",
+		"n": "vjbIzTqiY8K8zApeNng5ekNNIxJfXAue9BjoMrZ9Qy9m7yIA-tf6muEupEXWhq70tC7vIGLqJJ4O8m7yiH8H2qklX2mCAMg3xG3nbykY2X7JXtW9P8VIdG0sAMt5aZQnUGCgSS3n0qaooGn2LUlTGIR88Qi-4Nrao9_3Ki3UCiICeCiAE224jGCg0OlQU6qj2gEB3o-DWJFlG_dz1y-Mxo5ivaeM0vWuodjDrp-aiabJcSF_dx26sdC9dZdBKXFDq0t19I9S9AyGpGDJwzGRtWHY6LsskNHLvo8Zb5AsJ9eRZKpnh30SYBZI9WHtzU85M9WQqdScR69Vyp-6Uhfbvw",
+		"e": "AQAB",
+		"use": "sig",
+		"key_ops": [
+			"verify"
+		],
+		"ext": true,
+		"kid": "b41528b6f37a9500edb8a905a595bdd7"
+	},
+	{
+		"kty": "RSA",
+		"alg": "RS384",
+		"n": "vjbIzTqiY8K8zApeNng5ekNNIxJfXAue9BjoMrZ9Qy9m7yIA-tf6muEupEXWhq70tC7vIGLqJJ4O8m7yiH8H2qklX2mCAMg3xG3nbykY2X7JXtW9P8VIdG0sAMt5aZQnUGCgSS3n0qaooGn2LUlTGIR88Qi-4Nrao9_3Ki3UCiICeCiAE224jGCg0OlQU6qj2gEB3o-DWJFlG_dz1y-Mxo5ivaeM0vWuodjDrp-aiabJcSF_dx26sdC9dZdBKXFDq0t19I9S9AyGpGDJwzGRtWHY6LsskNHLvo8Zb5AsJ9eRZKpnh30SYBZI9WHtzU85M9WQqdScR69Vyp-6Uhfbvw",
+		"e": "AQAB",
+		"d": "rriV9GYimi5by7TOW4xNh6_gYBHVRDBsft2OFF8qapdVHt2GNuRDDxc_B6ga6TY2Enh2MLKLTr1dD3W4FIdTCJiMerrorp07FJS7nJEMgWQDxrfgkX4_EqrhW42L5d4vypYnRXEEW6u4gzkx5uFOkdvJBIK7CsIdSaBFYhochnynNgvbKWasi4rl2hayEH8tdf3B7Z6OIH9alspBTaq3j_zJt_KkrpYEzIUb4UgALB5NTWn5YKr0Avk_asOg8YfjViQwO9ASGaWjQeJ2Rx8OEQwBMQHSDMCSWNiWmYOu9PcwSZFc1vLxqzyIM8QrQSJHCCMo_wGYgke_r0CLeONHEQ",
+		"p": "5hH_QApWGeobRi1n7XbMfJYohB8K3JDPa0MspfplHpJ-17JiGG2sNoBdBcpaPRf9OX48P8VqO0qrSSRAk-I-uO6OO9BHbIukXJILqnY2JmurYzbcYbt5FVbknlHRJojkF6-7sFBazpueUlOnXCw7X7Z_SkfNE4QX5Ejm2Zm5mek",
+		"q": "06bZz7c7K9s1-aEZsxYnLJ9eTpKlt1tIBDA_LwIh5W3w259pes2kUtimbnkyOf-V2ZIERsFCh5s-S9IOEMvAIa6M5j9GW1ILNT7AcHIUfcyFcH-FF8BU_KJdRP5PXnIXFdYcylvsdoIdchy1AaUIzyiKRCU3HBYI75hez0l_F2c",
+		"dp": "h_sVIXW6hCCRND48EedIX06k7conMkxIu_39ErDXOWWeoMAnKIcR5TijQnviL__QxD1vQMXezuKIMHfDz2RGbClbWdD1lhtG7wvG515tDPJQXxia0wzqOQmdoFF9S8hXAAT26vPjaAAkaEZXQaxG_4Au5elgNWu6b0wDXZN1Vpk",
+		"dq": "GqS0YpuUTU8JGmWXUJ4HTGy7eHSpe8134V8ZdRd1oOYYHe2RX64nc25mdR24nuh3uq3Q7_9AGsYGL5E_yAl-JD9O6WUpvDE1y_wcSYty3Os0GRdUb8r8Z9kgmKDS6Pa_xTXw5eBwgfKbNlQ6zPwzgbB-x1lP-K8lbNPni3ybDR0",
+		"qi": "cqQfoi0sM5Su8ZOhznmdWrDIQB28H6fBKiabgaIKkbWZV4e0nwFvLquHjPOvv4Ao8iEGU5dyhvg0n5BKYPi-4mp6M6OA1sy0NrTr7EsKSYGyu2pBq9rw4oAYTM2LXKg6K-awgUUlkc451IwxHBAe15PWCBM3kvLQeijNid0Vz5I",
+		"key_ops": [
+			"sign"
+		],
+		"ext": true,
+		"kid": "b41528b6f37a9500edb8a905a595bdd7"
+	}]
+}

data/lib/smart_app_launch/smart_stu1_suite.rb

@@ -1,5 +1,6 @@
 require 'tls_test_kit'
 
+require_relative 'jwks'
 require_relative 'version'
 require_relative 'discovery_stu1_group'
 require_relative 'standalone_launch_group'
@@ -21,15 +22,39 @@ module SMARTAppLaunch
       request.query_parameters['state']
     end
 
+    route(
+      :get,
+      '/.well-known/jwks.json',
+      ->(_env) { [200, { 'Content-Type' => 'application/json' }, [JWKS.jwks_json]] }
+    )
+
     config options: {
       redirect_uri: "#{Inferno::Application['base_url']}/custom/smart/redirect",
       launch_uri: "#{Inferno::Application['base_url']}/custom/smart/launch"
     }
 
+    description <<~DESCRIPTION
+      The SMART App Launch Test Suite verifies that systems correctly implement 
+      the [SMART App Launch IG](http://hl7.org/fhir/smart-app-launch/1.0.0/) 
+      for providing authorization and/or authentication services to client 
+      applications accessing HL7® FHIR® APIs. To get started, please first register 
+      the Inferno client as a SMART App with the following information:
+
+      * SMART Launch URI: `#{config.options[:launch_uri]}`
+      * OAuth Redirect URI: `#{config.options[:redirect_uri]}`
+    DESCRIPTION
+
     group do
       title 'Standalone Launch'
       id :smart_full_standalone_launch
 
+      input_instructions <<~INSTRUCTIONS
+        Please register the Inferno client as a SMART App with the following
+        information:
+
+        * OAuth Redirect URI: `#{config.options[:redirect_uri]}`
+      INSTRUCTIONS
+
       run_as_group
 
       group from: :smart_discovery
@@ -92,6 +117,14 @@ module SMARTAppLaunch
       title 'EHR Launch'
       id :smart_full_ehr_launch
 
+      input_instructions <<~INSTRUCTIONS
+        Please register the Inferno client as a SMART App with the following
+        information:
+
+        * SMART Launch URI: `#{config.options[:launch_uri]}`
+        * OAuth Redirect URI: `#{config.options[:redirect_uri]}`
+      INSTRUCTIONS
+
       run_as_group
 
       group from: :smart_discovery

data/lib/smart_app_launch/smart_stu2_suite.rb

@@ -1,5 +1,6 @@
 require 'tls_test_kit'
 
+require_relative 'jwks'
 require_relative 'version'
 require_relative 'discovery_stu2_group'
 require_relative 'standalone_launch_group_stu2'
@@ -21,6 +22,12 @@ module SMARTAppLaunch
       request.query_parameters['state']
     end
 
+    route(
+      :get,
+      '/.well-known/jwks.json',
+      ->(_env) { [200, { 'Content-Type' => 'application/json' }, [JWKS.jwks_json]] }
+    )
+
     @post_auth_page = File.read(File.join(__dir__, 'post_auth.html'))
     post_auth_handler = proc { [200, {}, [@post_auth_page]] }
 
@@ -32,10 +39,38 @@ module SMARTAppLaunch
       post_authorization_uri: "#{Inferno::Application['base_url']}/custom/smart_stu2/post_auth"
     }
 
+    description <<~DESCRIPTION
+      The SMART App Launch Test Suite verifies that systems correctly implement 
+      the [SMART App Launch IG](http://hl7.org/fhir/smart-app-launch/STU2/) 
+      for providing authorization and/or authentication services to client 
+      applications accessing HL7® FHIR® APIs. To get started, please first register 
+      the Inferno client as a SMART App with the following information:
+
+      * SMART Launch URI: `#{config.options[:launch_uri]}`
+      * OAuth Redirect URI: `#{config.options[:redirect_uri]}`
+
+      If using asymmetric client authentication, register Inferno with the
+      following JWK Set URL:
+
+      * `#{Inferno::Application[:base_url]}/custom/smart_stu2/.well-known/jwks.json`
+    DESCRIPTION
+
     group do
       title 'Standalone Launch'
       id :smart_full_standalone_launch
 
+      input_instructions <<~INSTRUCTIONS
+        Please register the Inferno client as a SMART App with the following
+        information:
+
+        * OAuth Redirect URI: `#{config.options[:redirect_uri]}`
+
+        If using asymmetric client authentication, register Inferno with the
+        following JWK Set URL:
+
+        * `#{Inferno::Application[:base_url]}/custom/smart_stu2/.well-known/jwks.json`
+      INSTRUCTIONS
+
       run_as_group
 
       group from: :smart_discovery_stu2
@@ -98,6 +133,19 @@ module SMARTAppLaunch
       title 'EHR Launch'
       id :smart_full_ehr_launch
 
+      input_instructions <<~INSTRUCTIONS
+        Please register the Inferno client as a SMART App with the following
+        information:
+
+        * SMART Launch URI: `#{config.options[:launch_uri]}`
+        * OAuth Redirect URI: `#{config.options[:redirect_uri]}`
+
+        If using asymmetric client authentication, register Inferno with the
+        following JWK Set URL:
+
+        * `#{Inferno::Application[:base_url]}/custom/smart_stu2/.well-known/jwks.json`
+      INSTRUCTIONS
+
       run_as_group
 
       group from: :smart_discovery_stu2

data/lib/smart_app_launch/standalone_launch_group.rb

@@ -44,7 +44,8 @@ module SMARTAppLaunch
         client_secret: {
           name: :standalone_client_secret,
           title: 'Standalone Client Secret',
-          description: 'Client Secret provided during registration of Inferno as a standalone application'
+          description: 'Client Secret provided during registration of Inferno as a standalone application. ' \
+                       'Only for clients using confidential symmetric authentication.'
         },
         requested_scopes: {
           name: :standalone_requested_scopes,

data/lib/smart_app_launch/standalone_launch_group_stu2.rb

@@ -1,4 +1,5 @@
 require_relative 'app_redirect_test_stu2'
+require_relative 'token_exchange_stu2_test'
 require_relative 'standalone_launch_group'
 
 module SMARTAppLaunch
@@ -48,5 +49,12 @@ module SMARTAppLaunch
 
     redirect_index = children.find_index { |child| child.id.to_s.end_with? 'app_redirect' }
     children[redirect_index] = children.pop
+
+    test from: :smart_token_exchange_stu2
+
+    token_exchange_index = children.find_index { |child| child.id.to_s.end_with? 'token_exchange' }
+    children[token_exchange_index] = children.pop
+
+    children[token_exchange_index].id('smart_token_exchange')
   end
 end

data/lib/smart_app_launch/token_exchange_stu2_test.rb

@@ -0,0 +1,91 @@
+require_relative 'client_assertion_builder'
+require_relative 'token_exchange_test'
+
+module SMARTAppLaunch
+  class TokenExchangeSTU2Test < TokenExchangeTest
+    title 'OAuth token exchange request succeeds when supplied correct information'
+    description %(
+      After obtaining an authorization code, the app trades the code for an
+      access token via HTTP POST to the EHR authorization server's token
+      endpoint URL, using content-type application/x-www-form-urlencoded, as
+      described in section [4.1.3 of
+      RFC6749](https://tools.ietf.org/html/rfc6749#section-4.1.3).
+    )
+    id :smart_token_exchange_stu2
+
+    input :client_auth_encryption_method,
+          title: 'Encryption Method (Confidential Asymmetric Client Auth Only)',
+          type: 'radio',
+          default: 'ES384',
+          options: {
+            list_options: [
+              {
+                label: 'ES384',
+                value: 'ES384'
+              },
+              {
+                label: 'RS384',
+                value: 'RS384'
+              }
+            ]
+          }
+
+    input :client_auth_type,
+          title: 'Client Authentication Method',
+          type: 'radio',
+          options: {
+            list_options: [
+              {
+                label: 'Public',
+                value: 'public'
+              },
+              {
+                label: 'Confidential Symmetric',
+                value: 'confidential_symmetric'
+              },
+              {
+                label: 'Confidential Asymmetric',
+                value: 'confidential_asymmetric'
+              }
+            ]
+          }
+
+    config(
+      inputs: {
+        use_pkce: {
+          default: 'true',
+          options: {
+            list_options: [
+              {
+                label: 'Enabled',
+                value: 'true'
+              }
+            ]
+          }
+        }
+      }
+    )
+
+    def add_credentials_to_request(oauth2_params, oauth2_headers)
+      if client_auth_type == 'confidential_symmetric'
+        assert client_secret.present?,
+               "A client secret must be provided when using confidential symmetric client authentication."
+
+        client_credentials = "#{client_id}:#{client_secret}"
+        oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
+      elsif client_auth_type == 'public'
+        oauth2_params[:client_id] = client_id
+      else
+        oauth2_params.merge!(
+          client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+          client_assertion: ClientAssertionBuilder.build(
+            iss: client_id,
+            sub: client_id,
+            aud: smart_token_url,
+            client_auth_encryption_method: client_auth_encryption_method
+          )
+        )
+      end
+    end
+  end
+end

data/lib/smart_app_launch/token_exchange_test.rb

@@ -38,22 +38,26 @@ module SMARTAppLaunch
 
     config options: { redirect_uri: "#{Inferno::Application['base_url']}/custom/smart/redirect" }
 
+    def add_credentials_to_request(oauth2_params, oauth2_headers)
+      if client_secret.present?
+        client_credentials = "#{client_id}:#{client_secret}"
+        oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
+      else
+        oauth2_params[:client_id] = client_id
+      end
+    end
+
     run do
       skip_if request.query_parameters['error'].present?, 'Error during authorization request'
 
       oauth2_params = {
-        grant_type: 'authorization_code',
         code: code,
-        redirect_uri: config.options[:redirect_uri]
+        redirect_uri: config.options[:redirect_uri],
+        grant_type: 'authorization_code'
       }
       oauth2_headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }
 
-      if client_secret.present?
-        client_credentials = "#{client_id}:#{client_secret}"
-        oauth2_headers['Authorization'] = "Basic #{Base64.strict_encode64(client_credentials)}"
-      else
-        oauth2_params[:client_id] = client_id
-      end
+      add_credentials_to_request(oauth2_params, oauth2_headers)
 
       if use_pkce == 'true'
         oauth2_params[:code_verifier] = pkce_code_verifier

data/lib/smart_app_launch/version.rb

@@ -1,3 +1,3 @@
 module SMARTAppLaunch
-  VERSION = '0.2.2'.freeze
+  VERSION = '0.3.0'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: smart_app_launch_test_kit
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.3.0
 platform: ruby
 authors:
 - Stephen MacVicar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-03 00:00:00.000000000 Z
+date: 2023-08-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inferno_core
@@ -134,11 +134,13 @@ files:
 - lib/smart_app_launch/app_launch_test.rb
 - lib/smart_app_launch/app_redirect_test.rb
 - lib/smart_app_launch/app_redirect_test_stu2.rb
+- lib/smart_app_launch/client_assertion_builder.rb
 - lib/smart_app_launch/code_received_test.rb
 - lib/smart_app_launch/discovery_stu1_group.rb
 - lib/smart_app_launch/discovery_stu2_group.rb
 - lib/smart_app_launch/ehr_launch_group.rb
 - lib/smart_app_launch/ehr_launch_group_stu2.rb
+- lib/smart_app_launch/jwks.rb
 - lib/smart_app_launch/launch_received_test.rb
 - lib/smart_app_launch/openid_connect_group.rb
 - lib/smart_app_launch/openid_decode_id_token_test.rb
@@ -149,10 +151,12 @@ files:
 - lib/smart_app_launch/openid_token_header_test.rb
 - lib/smart_app_launch/openid_token_payload_test.rb
 - lib/smart_app_launch/post_auth.html
+- lib/smart_app_launch/smart_jwks.json
 - lib/smart_app_launch/smart_stu1_suite.rb
 - lib/smart_app_launch/smart_stu2_suite.rb
 - lib/smart_app_launch/standalone_launch_group.rb
 - lib/smart_app_launch/standalone_launch_group_stu2.rb
+- lib/smart_app_launch/token_exchange_stu2_test.rb
 - lib/smart_app_launch/token_exchange_test.rb
 - lib/smart_app_launch/token_payload_validation.rb
 - lib/smart_app_launch/token_refresh_body_test.rb