smart_app_launch_test_kit 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 97f3e4dca10ecb9dfe4aa30802d90f4272dd32ffd10715fa7b3a0855a04b5c8d
-  data.tar.gz: 016a700551ef524e7bdc7f8871beb03f7297dc3cba39e5b4b53349b22f22ed53
+  metadata.gz: 60325a0cc4d2866edb260627b289e76676d0847bd2e28523556f39170d424dac
+  data.tar.gz: dd887ba5a645f71f16e9f2269886628ca5911d57c79e3d03699582d6ae810b7f
 SHA512:
-  metadata.gz: 519d2bb8c5bde6a7c5c28f04ec17bfdcff37c7270b6216707a05db4b04c94269d244c6a1888dd97a0c25c5a50764d4969a08c2774dcb636db7fd274301184427
-  data.tar.gz: eda1f5484f72de3a82c34eb1d0424a2b10a327baeb93d6e6df8f94be7a7e3ef378e5e6510378f62e7d9387e56424b42b52f4524fc557302d3a5ddab0654c782e
+  metadata.gz: 16ee6a9963940d5ea882e894b5e1db23646c86a51e1f6dbe58868878c047708a581c0f353ba24d264a4c49cdc8f549f522afc40ee7bbd5127d89b0b9ac7f2e36
+  data.tar.gz: 022f7b43c590f419638e23614a84dc0c5d106b87bbef38dd6d4b2e71650b58bf86db59bd6bb231c04280a0274e105b6486601fb41fa3749485ddfd534a15beb4

data/lib/smart_app_launch/app_redirect_test.rb

@@ -75,7 +75,7 @@ module SMARTAppLaunch
     def authorization_url_builder(url, params)
       uri = URI(url)
 
-      # because the URL might have paramters on it
+      # because the URL might have parameters on it
       original_parameters = Hash[URI.decode_www_form(uri.query || '')]
       new_params = original_parameters.merge(params)
 

data/lib/smart_app_launch/app_redirect_test_stu2.rb

@@ -16,7 +16,7 @@ module SMARTAppLaunch
     )
 
     input :authorization_method,
-          title: 'Authorization Method',
+          title: 'Authorization Request Method',
           type: 'radio',
           default: 'get',
           options: {

data/lib/smart_app_launch/smart_stu2_suite.rb

@@ -6,6 +6,7 @@ require_relative 'discovery_stu2_group'
 require_relative 'standalone_launch_group_stu2'
 require_relative 'ehr_launch_group_stu2'
 require_relative 'openid_connect_group'
+require_relative 'token_introspection_group'
 require_relative 'token_refresh_group'
 
 module SMARTAppLaunch
@@ -55,6 +56,20 @@ module SMARTAppLaunch
       * `#{Inferno::Application[:base_url]}/custom/smart_stu2/.well-known/jwks.json`
     DESCRIPTION
 
+    input_instructions %(
+      When running tests at this level, the token introspection endpoint is not available as a manual input.
+      Instead, group 3 Token Introspection will assume the token introspection endpoint 
+      will be output from group 1 Standalone Launch tests, specifically the SMART On FHIR Discovery tests that query
+      the .well-known/smart-configuration endpoint. However, including the token introspection
+      endpoint as part of the well-known ouput is NOT required and is not formally checked in the SMART On FHIR Discovery
+      tests.  RFC-7662 on Token Introspection says that "The means by which the protected resource discovers the location of the introspection
+      endpoint are outside the scope of this specification" and the Token Introspection IG does not add any further
+      requirements to this.  
+
+      If the token introspection endpoint of the system under test is NOT available at .well-known/smart-configuration, 
+      please run the test groups individually and group 3 Token Introspection will include the introspection endpoint as a manual input.  
+    )
+
     group do
       title 'Standalone Launch'
       id :smart_full_standalone_launch
@@ -204,5 +219,8 @@ module SMARTAppLaunch
               }
             }
     end
+
+    group from: :smart_token_introspection
+
   end
 end

data/lib/smart_app_launch/token_exchange_stu2_test.rb

@@ -33,6 +33,7 @@ module SMARTAppLaunch
     input :client_auth_type,
           title: 'Client Authentication Method',
           type: 'radio',
+          default: 'public',
           options: {
             list_options: [
               {

data/lib/smart_app_launch/token_exchange_test.rb

@@ -71,6 +71,8 @@ module SMARTAppLaunch
       output token_retrieval_time: Time.now.iso8601
 
       token_response_body = JSON.parse(request.response_body)
+
+
       output smart_credentials: {
                refresh_token: token_response_body['refresh_token'],
                access_token: token_response_body['access_token'],
@@ -80,6 +82,7 @@ module SMARTAppLaunch
                token_retrieval_time: token_retrieval_time,
                token_url: smart_token_url
              }.to_json
+      
     end
   end
 end

data/lib/smart_app_launch/token_introspection_access_token_group.rb

@@ -0,0 +1,26 @@
+require_relative 'standalone_launch_group_stu2'
+
+module SMARTAppLaunch
+  class SMARTTokenIntrospectionAccessTokenGroup < Inferno::TestGroup
+    title 'Request New Access Token to Introspect'
+    run_as_group
+
+    id :smart_token_introspection_access_token_group
+
+    description %(
+      These tests are repeated from the Standalone Launch tests in order to receive a new, active access token that
+      will be provided for token introspection. This test group may be skipped if the tester can obtain an access token
+      __and__ the contents of the access token response body by some other means.
+
+      These tests are currently designed such that the token introspection URL must be present in the SMART well-known endpoint.
+
+    )
+    
+    input_instructions %(
+      Register Inferno as a Standalone SMART App and provide the registration details below.
+    )
+    
+    group from: :smart_discovery_stu2
+    group from: :smart_standalone_launch_stu2
+  end
+end

data/lib/smart_app_launch/token_introspection_group.rb

@@ -0,0 +1,69 @@
+require_relative 'token_introspection_access_token_group'
+require_relative 'token_introspection_response_group'
+require_relative 'token_introspection_request_group'
+
+module SMARTAppLaunch
+  class SMARTTokenIntrospectionGroup < Inferno::TestGroup
+    title 'Token Introspection'
+    id :smart_token_introspection
+    description %(
+      # Background
+
+      OAuth 2.0 Token introspection, as described in [RFC-7662](https://datatracker.ietf.org/doc/html/rfc7662), allows
+      an authorized resource server to query an OAuth 2.0 authorization server for metadata on a token.  The
+      [SMART App Launch STU2 Implementation Guide Section on Token Introspection](https://hl7.org/fhir/smart-app-launch/STU2/token-introspection.html)
+      states that "SMART on FHIR EHRs SHOULD support token introspection, which allows a broader ecosystem of resource servers
+      to leverage authorization decisions managed by a single authorization server."
+
+      # Test Methodology
+
+      In these tests, Inferno acts as an authorized resource server that queries the authorization server about an access
+      token, rather than a client to a FHIR resource server as in the previous SMART App Launch tests.
+      Ideally, Inferno should be registered with the authorization server as an authorized resource server
+      capable of accessing the token introspection endpoint through client credentials, per the SMART IG recommendations.
+      However, the SMART IG only formally REQUIRES "some form of authorization" to access
+      the token introspection endpoint and does not specifiy any one specific approach.  As such, the token introspection tests are
+      broken up into three groups that each complete a discrete step in the token introspection process:
+
+      1. **Request Access Token Group** - optional but recommended, repeats a subset of Standalone Launch tests
+        in order to receive a new access token with an authorization code grant.  If skipped, testers will need to
+          obtain an access token out-of-band and manually provide values from the access token response as inputs to
+          the Validate Token Response group.
+      2. **Issue Token Introspection Request Group** - optional but recommended, completes the introspection requests.
+      If skipped, testers will need to complete an introspection request out-of-band and manually provide the introspection
+      responses as inputs to the Validate Token Response group.
+      3. **Validate Token Introspection Response Group** - required, validates the contents of the introspection responses.
+
+      Running all three test groups in order is the simplest and is highly recommended if the environment under test
+      can support it, as outputs from one group will feed the inputs of the next group. However, test groups can be run
+      independently if needed.
+
+      See the individual test groups for more details and guidance.
+    )
+    group from: :smart_token_introspection_access_token_group
+    group from: :smart_token_introspection_request_group
+    group from: :smart_token_introspection_response_group
+
+    input_order :url, :standalone_client_id, :standalone_client_secret,
+                :authorization_method, :use_pkce, :pkce_code_challenge_method,
+                :standalone_requested_scopes, :client_auth_encryption_method,
+                :client_auth_type, :custom_authorization_header,
+                :optional_introspection_request_params
+    input_instructions %(
+      Executing tests at this level will run all three Token Introspection groups back-to-back.  If test groups need
+      to be run independently, exit this window and select a specific test group instead.
+
+      These tests are currently designed such that the token introspection URL must be present in the SMART well-known endpoint.
+
+      If the introspection endpoint is protected, testers must enter their own HTTP Authorization header for the introspection request.  See
+      [RFC 7616 The 'Basic' HTTP Authentication Scheme](https://datatracker.ietf.org/doc/html/rfc7617) for the most common
+      approach that uses client credentials.  Testers may also provide any additional parameters needed for their authorization 
+      server to complete the introspection request.
+
+      **Note:** For both the Authorization header and request parameters, user-input
+      values will be sent exactly as entered and therefore the tester must
+      URI-encode any appropriate values.
+    )
+
+  end
+end

data/lib/smart_app_launch/token_introspection_request_group.rb

@@ -0,0 +1,122 @@
+require_relative 'token_exchange_test'
+require_relative 'token_refresh_body_test'
+require_relative 'well_known_endpoint_test'
+require_relative 'standalone_launch_group'
+
+module SMARTAppLaunch
+  class SMARTTokenIntrospectionRequestGroup < Inferno::TestGroup
+    title 'Issue Token Introspection Request'
+    run_as_group
+
+    id :smart_token_introspection_request_group
+    description %(
+      This group of tests executes the token introspection requests and ensures the correct HTTP response is returned
+      but does not validate the contents of the token introspection response. 
+
+      If Inferno cannot reasonably be configured to be authorized to access the token introspection endpoint, these tests 
+      can be skipped.  Instead, an out-of-band token introspection request must be completed and the response body
+      manually provided as input for the Validate Introspection Response test group.
+      )
+
+    input_instructions %(
+      If the Request New Access Token group was executed, the access token input will auto-populate with that token. 
+      Otherwise an active access token needs to be obtained out-of-band and input.  
+        
+      Per [RFC-7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2), "the definition of an active token is 
+      currently dependent upon the authorization server, but this is commonly a token that has been issued by this 
+      authorization server, is not expired, has not been revoked, and is valid for use at the protected resource making 
+      the introspection call."
+
+      If the introspection endpoint is protected, testers must enter their own HTTP Authorization header for the introspection request.  See
+      [RFC 7616 The 'Basic' HTTP Authentication Scheme](https://datatracker.ietf.org/doc/html/rfc7617) for the most common
+      approach that uses client credentials.  Testers may also provide any additional parameters needed for their authorization 
+      server to complete the introspection request.
+
+      **Note:** For both the Authorization header and request parameters, user-input
+      values will be sent exactly as entered and therefore the tester must URI-encode any appropriate values.
+    )
+
+    input :well_known_introspection_url, 
+          title: 'Token Introspection Endpoint URL', 
+          description: 'The complete URL of the token introspection endpoint.'
+
+    input :custom_authorization_header,
+          title: 'HTTP Authorization Header for Introspection Request',
+          type: 'textarea',
+          optional: true,
+          description: %(
+            Include header name, auth scheme, and auth parameters.
+            Ex: 'Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW' 
+            )
+
+    input :optional_introspection_request_params,
+          title: 'Additional Introspection Request Parameters',
+          type: 'textarea',
+          optional: true,
+          description: %(
+            Any additional parameters to append to the request body, separated by &. Example: 'param1=abc&param2=def'  
+          )
+
+    test do
+      title 'Token introspection endpoint returns a response when provided an active token'
+      description %(
+      This test will execute a token introspection request for an active token and ensure a 200 status and valid JSON
+      body are returned in the response. 
+      )
+
+      input :standalone_access_token, 
+            title: 'Access Token',
+            description: 'The access token to be introspected. MUST be active.'
+
+
+      output :active_token_introspection_response_body
+
+      run do
+
+        # If this is being chained from an earlier test, it might be blank if not present in the well-known endpoint
+        skip_if well_known_introspection_url.nil?, 'No introspection URL present in SMART well-known endpoint.'
+
+        headers = {'Accept' => 'application/json', 'Content-Type' => 'application/x-www-form-urlencoded'}
+        body = "token=#{standalone_access_token}"
+
+        if custom_authorization_header.present?
+          parsed_header = custom_authorization_header.split(':', 2)
+          assert parsed_header.length == 2, "Incorrect custom HTTP header format input, expected: '<header name>: <header value>'"
+          headers[parsed_header[0]] = parsed_header[1].strip
+        end
+
+        if optional_introspection_request_params.present?
+          body += "&#{optional_introspection_request_params}"
+        end
+
+        post(well_known_introspection_url, body: body, headers: headers)
+
+        assert_response_status(200)
+        output active_token_introspection_response_body: request.response_body
+      end
+    
+    end
+
+    test do 
+      title 'Token introspection endpoint returns a response when provided an invalid token'
+      description %(
+        This test will execute a token introspection request for an invalid token and ensure a 200 status and valid JSON
+        body are returned in response. 
+      )
+
+      output :invalid_token_introspection_response_body
+      run do
+
+        # If this is being chained from an earlier test, it might be blank if not present in the well-known endpoint
+        skip_if well_known_introspection_url.nil?, 'No introspection URL present in SMART well-known endpoint.'
+
+        headers = {'Accept' => 'application/json', 'Content-Type' => 'application/x-www-form-urlencoded'}
+        body = "token=invalid_token_value"
+        post(well_known_introspection_url, body: body, headers: headers)
+        
+        assert_response_status(200)
+        output invalid_token_introspection_response_body: request.response_body
+      end
+    end
+  end
+end

data/lib/smart_app_launch/token_introspection_response_group.rb

@@ -0,0 +1,191 @@
+require_relative 'token_introspection_request_group'
+require_relative 'token_exchange_test'
+
+module SMARTAppLaunch
+  class SMARTTokenIntrospectionResponseGroup < Inferno::TestGroup
+    title 'Validate Token Introspection Response'
+    run_as_group
+
+    id :smart_token_introspection_response_group
+    description %(
+      This group of tests validates the contents of the token introspection response by comparing the fields and/or
+      values in the token introspection response to the fields and/or values of the original access token response
+      in which the access token was given to the client.
+      )
+
+      input_instructions %(
+        There are two categories of input for this test group: 
+
+        1. The access token response values, which will dictate what the tests will expect to find in the token
+        introspection response.  If the Request New Access Token group was run, these inputs will auto-populate.
+        
+        2. The token introspection response bodies. If the Issue Introspection Request test group was run, these will
+        auto-populate; otherwise, the tester will need to an run out-of-band INTROSPECTION requests for a. An ACTIVE
+        access token, AND b. An INACTIVE OR INVALID token
+
+        See [RFC-7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2) for details on active vs inactive tokens.
+      )
+      
+    test do 
+      title 'Token introspection response for an active token contains required fields'
+
+      description %(
+        This test will check whether the metadata in the token introspection response is correct for an active token and
+        that the response data matches the data in the original access token and/or access token response from the
+        authorization server, including the following:
+
+        Required:
+        * `active` claim is set to true
+        * `scope`, `client_id`, and `exp` claim(s) match between introspection response and access token
+
+        It is not possible to know what the expected value for `exp` is in advance, so Inferno tests that the claim is
+        present and represents a time greater than or equal to 10 minutes in the past. 
+
+        Conditionally Required:
+        * IF launch context parameter(s) included in access token, introspection response includes claim(s) for 
+        launch context parameter(s) 
+          * Parameters checked for are `patient` and `encounter`
+        * IF identity token was included as part of access token response, `iss` and `sub` claims are present in the
+        introspection response and match those of the orignal ID token
+
+        Optional but Recommended:
+        * IF identity token was included as part of access token response, `fhirUser` claim SHOULD be present in 
+        introspection response and should match the claim in the ID token
+      )
+
+      input :standalone_client_id,
+            title: 'Access Token client_id',
+            description: 'ID of the client that requested the access token being introspected'
+
+
+      input :standalone_received_scopes,
+            title: 'Expected Introspection Response Value: scope',
+            description: 'A space-separated list of scopes from the original access token response body'
+      
+      input :standalone_id_token,
+            title: 'Access Token Response: id_token',
+            type: 'textarea',
+            optional: true,
+            description: 'The ID token from the original access token response body, IF it was present'
+
+      input :standalone_patient_id,
+            title: 'Expected Introspection Response for Patient Launch Context Parameter',
+            optional: true,
+            description: 'The value for patient launch context from the original access token response body, IF it was present'
+
+      input :standalone_encounter_id,
+            title: 'Expected Introspection Response for Encounter Launch Context Parameter',
+            optional: true,
+            description: 'The value for encounter launch context from the original access token response body, IF it was present'
+
+      input :active_token_introspection_response_body,
+            title: 'Active Token Introspection Response Body',
+            type: 'textarea',
+            description: 'The JSON body of the token introspection response when provided an ACTIVE token'
+
+      def get_json_claim_value(json_response, claim_key)
+        claim_value = json_response[claim_key]
+        assert claim_value != nil, "Failure: introspection response has no claim for '#{claim_key}'"
+        return claim_value
+      end
+      
+      def assert_introspection_response_match(json_response, claim_key, expected_value)
+        expected_value = expected_value.strip
+        claim_value = get_json_claim_value(json_response, claim_key)
+        claim_value = claim_value.strip
+        assert claim_value.eql?(expected_value), 
+            "Failure: expected introspection response value for '#{claim_key}' to match expected value '#{expected_value}'"
+      end
+
+      run do
+        skip_if active_token_introspection_response_body.nil?, 'No introspection response available to validate.'
+        assert_valid_json(active_token_introspection_response_body)
+        active_introspection_response_body_parsed = JSON.parse(active_token_introspection_response_body)
+
+        # Required Fields
+        assert active_introspection_response_body_parsed['active'] == true, "Failure: expected introspection response for 'active' to be Boolean value true for valid token"
+        assert_introspection_response_match(active_introspection_response_body_parsed, 'client_id', standalone_client_id)
+
+        response_scope_value = get_json_claim_value(active_introspection_response_body_parsed, 'scope')
+
+        # splitting contents and comparing values allows a scope lists with the same contents but different orders to still pass
+        response_scopes_split = response_scope_value.split()
+        expected_scopes_split = standalone_received_scopes.split()
+
+        assert response_scopes_split.length() == expected_scopes_split.length(), 
+          "Failure: number of scopes in introspection response, #{response_scopes_split.length()}, does not match number of scopes in access token response, #{expected_scopes_split.length()}"
+
+        expected_scopes_split.each do |scope|
+          assert response_scopes_split.include?(scope), "Failure: expected scope '#{scope}' not present in introspection response scopes"
+        end
+
+        # Cannot verify exact value for exp, so instead ensure its value represents a time >= 10 minutes in the past 
+        exp = active_introspection_response_body_parsed['exp']
+        assert exp != nil, "Failure: introspection response has no claim for 'exp'"
+        current_time = Time.now.to_i 
+        assert exp.to_i >= current_time - 600, "Failure: expired token, exp claim of #{exp} for active token is more than 10 minutes in the past"
+        
+        # Conditional fields
+        assert_introspection_response_match(active_introspection_response_body_parsed, 'patient', standalone_patient_id) if standalone_patient_id.present?
+        assert_introspection_response_match(active_introspection_response_body_parsed, 'encounter', standalone_encounter_id) if standalone_encounter_id.present?
+
+        # ID Token Fields
+        if standalone_id_token.present?
+          id_payload, id_header =
+          JWT.decode(
+            standalone_id_token,
+            nil,
+            false
+          )
+         
+          # Required fields if ID token present
+          id_token_iss = id_payload['iss']
+          id_token_sub = id_payload['sub']
+
+          assert id_token_iss != nil, "Failure: ID token from access token response does not have 'iss' claim"
+          assert id_token_sub != nil, "Failure: ID token from access token response does not have 'sub' claim"
+          assert_introspection_response_match(active_introspection_response_body_parsed, 'iss', id_token_iss)
+          assert_introspection_response_match(active_introspection_response_body_parsed, 'sub', id_token_sub)
+
+          # fhirUser not required but recommended
+          fhirUser_id_claim = id_payload['fhirUser']
+          fhirUser_intr_claim = active_introspection_response_body_parsed['fhirUser']
+
+          info do 
+            assert fhirUser_intr_claim != nil, "Introspection response SHOULD include claim for fhirUser because ID token present in access token response" if fhirUser_id_claim != nil
+            assert fhirUser_intr_claim.eql?(fhirUser_id_claim), "Introspection response claim for fhirUser SHOULD match value in ID token" if fhirUser_id_claim != nil
+          end
+        end
+      end
+    end
+
+    test do
+      title 'Token introspection response for an invalid token contains required fields'
+
+      description %(
+        From [RFC7662 OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2):
+        "If the introspection call is properly authorized but the token is not
+        active, does not exist on this server, or the protected resource is
+        not allowed to introspect this particular token, then the
+        authorization server MUST return an introspection response with the
+        "active" field set to "false".  Note that to avoid disclosing too
+        much of the authorization server's state to a third party, the
+        authorization server SHOULD NOT include any additional information
+        about an inactive token, including why the token is inactive."
+      )
+
+      input :invalid_token_introspection_response_body,
+            title: 'Invalid Token Introspection Response Body',
+            type: 'textarea',
+            description: 'The JSON body of the token introspection response when provided an INVALID token'
+
+      run do
+        skip_if invalid_token_introspection_response_body.nil?, 'No invalid introspection response available to validate.'
+        assert_valid_json(invalid_token_introspection_response_body)
+        invalid_token_introspection_response_body_parsed = JSON.parse(invalid_token_introspection_response_body)
+        assert invalid_token_introspection_response_body_parsed['active'] == false, "Failure: expected introspection response for 'active' to be Boolean value false for invalid token"
+        assert invalid_token_introspection_response_body_parsed.size == 1, "Failure: expected only 'active' field to be present in introspection response for invalid token"
+      end
+    end
+  end
+end

data/lib/smart_app_launch/token_payload_validation.rb

@@ -3,6 +3,69 @@ module SMARTAppLaunch
     STRING_FIELDS = ['access_token', 'token_type', 'scope', 'refresh_token'].freeze
     NUMERIC_FIELDS = ['expires_in'].freeze
 
+    # All resource types from DSTU3, STU3, R4, R4B, and R5
+    FHIR_RESOURCE_TYPES = [
+      "Account", "ActivityDefinition", "ActorDefinition",
+      "AdministrableProductDefinition", "AdverseEvent", "AllergyIntolerance",
+      "Appointment", "AppointmentResponse", "ArtifactAssessment", "AuditEvent",
+      "Basic", "Binary", "BiologicallyDerivedProduct",
+      "BiologicallyDerivedProductDispense", "BodySite", "BodyStructure",
+      "Bundle", "CapabilityStatement", "CarePlan", "CareTeam", "CatalogEntry",
+      "ChargeItem", "ChargeItemDefinition", "Citation", "Claim",
+      "ClaimResponse", "ClinicalImpression", "ClinicalUseDefinition",
+      "CodeSystem", "Communication", "CommunicationRequest",
+      "CompartmentDefinition", "Composition", "ConceptMap", "Condition",
+      "ConditionDefinition", "Conformance", "Consent", "Contract", "Coverage",
+      "CoverageEligibilityRequest", "CoverageEligibilityResponse",
+      "DataElement", "DetectedIssue", "Device", "DeviceAssociation",
+      "DeviceComponent", "DeviceDefinition", "DeviceDispense", "DeviceMetric",
+      "DeviceRequest", "DeviceUsage", "DeviceUseRequest", "DeviceUseStatement",
+      "DiagnosticOrder", "DiagnosticReport", "DocumentManifest",
+      "DocumentReference", "EffectEvidenceSynthesis", "EligibilityRequest",
+      "EligibilityResponse", "Encounter", "EncounterHistory", "Endpoint",
+      "EnrollmentRequest", "EnrollmentResponse", "EpisodeOfCare",
+      "EventDefinition", "Evidence", "EvidenceReport", "EvidenceVariable",
+      "ExampleScenario", "ExpansionProfile", "ExplanationOfBenefit",
+      "FamilyMemberHistory", "Flag", "FormularyItem", "GenomicStudy", "Goal",
+      "GraphDefinition", "Group", "GuidanceResponse", "HealthcareService",
+      "ImagingManifest", "ImagingObjectSelection", "ImagingSelection",
+      "ImagingStudy", "Immunization", "ImmunizationEvaluation",
+      "ImmunizationRecommendation", "ImplementationGuide", "Ingredient",
+      "InsurancePlan", "InventoryItem", "InventoryReport", "Invoice", "Library",
+      "Linkage", "List", "Location", "ManufacturedItemDefinition", "Measure",
+      "MeasureReport", "Media", "Medication", "MedicationAdministration",
+      "MedicationDispense", "MedicationKnowledge", "MedicationOrder",
+      "MedicationRequest", "MedicationStatement", "MedicinalProduct",
+      "MedicinalProductAuthorization", "MedicinalProductContraindication",
+      "MedicinalProductDefinition", "MedicinalProductIndication",
+      "MedicinalProductIngredient", "MedicinalProductInteraction",
+      "MedicinalProductManufactured", "MedicinalProductPackaged",
+      "MedicinalProductPharmaceutical", "MedicinalProductUndesirableEffect",
+      "MessageDefinition", "MessageHeader", "MolecularSequence", "NamingSystem",
+      "NutritionIntake", "NutritionOrder", "NutritionProduct", "Observation",
+      "ObservationDefinition", "OperationDefinition", "OperationOutcome",
+      "Order", "OrderResponse", "Organization", "OrganizationAffiliation",
+      "PackagedProductDefinition", "Patient", "PaymentNotice",
+      "PaymentReconciliation", "Permission", "Person", "PlanDefinition",
+      "Practitioner", "PractitionerRole", "Procedure", "ProcedureRequest",
+      "ProcessRequest", "ProcessResponse", "Provenance", "Questionnaire",
+      "QuestionnaireResponse", "ReferralRequest", "RegulatedAuthorization",
+      "RelatedPerson", "RequestGroup", "RequestOrchestration", "Requirements",
+      "ResearchDefinition", "ResearchElementDefinition", "ResearchStudy",
+      "ResearchSubject", "RiskAssessment", "RiskEvidenceSynthesis", "Schedule",
+      "SearchParameter", "Sequence", "ServiceDefinition", "ServiceRequest",
+      "Slot", "Specimen", "SpecimenDefinition", "StructureDefinition",
+      "StructureMap", "Subscription", "SubscriptionStatus", "SubscriptionTopic",
+      "Substance", "SubstanceDefinition", "SubstanceNucleicAcid",
+      "SubstancePolymer", "SubstanceProtein", "SubstanceReferenceInformation",
+      "SubstanceSourceMaterial", "SubstanceSpecification", "SupplyDelivery",
+      "SupplyRequest", "Task", "TerminologyCapabilities", "TestPlan",
+      "TestReport", "TestScript", "Transport", "ValueSet", "VerificationResult",
+      "VisionPrescription"
+    ].to_set.freeze
+
+    FHIR_ID_REGEX = /[A-Za-z0-9\-\.]{1,64}(\/_history\/[A-Za-z0-9\-\.]{1,64})?(#[A-Za-z0-9\-\.]{1,64})?/.freeze
+
     def validate_required_fields_present(body, required_fields)
       missing_fields = required_fields.select { |field| body[field].blank? }
       missing_fields_string = missing_fields.map { |field| "`#{field}`" }.join(', ')
@@ -49,5 +112,25 @@ module SMARTAppLaunch
                  "Expected `#{field}` to be a Numeric, but found #{body[field].class.name}"
         end
     end
+
+    def validate_fhir_context(fhir_context)
+      return if fhir_context.nil?
+
+      assert fhir_context.is_a?(Array), "`fhirContext` field is a #{fhir_context.class.name}, but should be an Array"
+
+      fhir_context.each do |reference|
+        assert reference.is_a?(String), "`#{reference.inspect}` is not a string"
+      end
+
+      fhir_context.each do |reference|
+        assert !reference.start_with?('http'), "`#{reference}` is not a relative reference"
+
+        resource_type, id = reference.split('/')
+        assert FHIR_RESOURCE_TYPES.include?(resource_type),
+               "`#{resource_type}` is not a valid FHIR resource type"
+
+        assert id.match?(FHIR_ID_REGEX), "`#{id}` is not a valid FHIR id"
+      end
+    end
   end
 end

data/lib/smart_app_launch/token_response_body_test.rb

@@ -11,6 +11,8 @@ module SMARTAppLaunch
       has been denied. `access_token`, `token_type`, and `scope` are required.
       `token_type` must be Bearer. `expires_in` is required for token
       refreshes.
+
+      The format of the optional `fhirContext` field is validated if present.
     )
     id :smart_token_response_body
 
@@ -48,6 +50,8 @@ module SMARTAppLaunch
       assert access_token.present?, 'Token response did not contain an access token'
       assert token_response_body['token_type']&.casecmp('Bearer')&.zero?,
              '`token_type` field must have a value of `Bearer`'
+
+      validate_fhir_context(token_response_body['fhirContext'])
     end
   end
 end

data/lib/smart_app_launch/version.rb

@@ -1,3 +1,3 @@
 module SMARTAppLaunch
-  VERSION = '0.3.0'.freeze
+  VERSION = '0.4.0'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: smart_app_launch_test_kit
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Stephen MacVicar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-08-08 00:00:00.000000000 Z
+date: 2023-12-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inferno_core
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
+        version: '2.6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
+        version: '2.6'
 - !ruby/object:Gem::Dependency
   name: tls_test_kit
   requirement: !ruby/object:Gem::Requirement
@@ -158,6 +158,10 @@ files:
 - lib/smart_app_launch/standalone_launch_group_stu2.rb
 - lib/smart_app_launch/token_exchange_stu2_test.rb
 - lib/smart_app_launch/token_exchange_test.rb
+- lib/smart_app_launch/token_introspection_access_token_group.rb
+- lib/smart_app_launch/token_introspection_group.rb
+- lib/smart_app_launch/token_introspection_request_group.rb
+- lib/smart_app_launch/token_introspection_response_group.rb
 - lib/smart_app_launch/token_payload_validation.rb
 - lib/smart_app_launch/token_refresh_body_test.rb
 - lib/smart_app_launch/token_refresh_group.rb