smart_app_launch_test_kit 0.6.0 → 0.6.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fbce79e8d195045070c2257dc897fa511b981071d366875bf3aa36ccb338dbdd
-  data.tar.gz: 5ea51bb46c93c23186fa620908287f69bab62d42c8f5ecbf0ff70d39ec8523e0
+  metadata.gz: 2608337f4d0d2651ba2395ecda2f89263ebe14d039f3d730ae2f82df3fe49855
+  data.tar.gz: b7a480f55c94dec25865151faefd76045096d21b5333a9c5bf56cf73eb7310bd
 SHA512:
-  metadata.gz: 7f6d08a9ea9be426cd26e67fcbfa96bc4051b83aa9d38837f77fda2f9715a84e766182993a8e1f725fa945ea9c0bbf68f32155827482d7100036e20f02fd9e97
-  data.tar.gz: cba999b57e6317c865fc1b98dd56a042b98d2439af5ec8e28ffefd58d52e871513cd7152f640a9d449f1145a870b66ae1fd6d2343376cf0347eb52f8c2373c6d
+  metadata.gz: 853bd240f1fccdfd72ab79ff89b420b9b1edebd1d1fbd01e9dd3f1e206a29fae3f84f79371e0c7406dc9f3f5bde6ddf7ef51167cf2537f97b56bc36d245d7ef8
+  data.tar.gz: 5cf5840b0061bb6605e68e5d2ce4bf8e07c3039b4e53d8678b2d5cad19e27c352c751eadc8325dfd6ba3df02ddc28f9a7a8e5664eda85aa6cb77c93d1485b52a

data/config/presets/SMART_RunClientAgainstServer.json.erb

@@ -0,0 +1,31 @@
+{
+  "title": "Demo: Run Against the SMART Server Suite",
+  "id": "smart_run_client_against_server_v2_2",
+  "test_suite_id": "smart_client_stu2_2",
+  "inputs": [
+    {
+      "name": "smart_jwk_set",
+      "description": "The SMART client's JSON Web Key Set. May be provided as either a publicly accessible url containing the JWKS, or the raw JWKS.",
+      "optional": true,
+      "title": "SMART JSON Web Key Set (JWKS)",
+      "type": "textarea",
+      "value": "<%= Inferno::Application['base_url'] %>/custom/smart_stu2_2/.well-known/jwks.json"
+    },
+    {
+      "name": "client_id",
+      "description": "If a particular client id is desired, put it here. Otherwise a default of the Inferno session id will be used.",
+      "optional": true,
+      "title": "Client Id",
+      "type": "text",
+      "value": "smart_client_test_demo"
+    },
+    {
+      "name": "echoed_fhir_response",
+      "description": "JSON representation of a FHIR resource for Inferno to echo when a request is made to the simulated FHIR server. The provided content will be echoed back exactly and no check will be made that it is appropriate for the request made. If nothing is provided, an OperationOutcome will be returned.",
+      "optional": true,
+      "title": "FHIR Response to Echo",
+      "type": "textarea",
+      "value": "{\n  \"resourceType\": \"Patient\",\n  \"id\": \"example\",\n  \"name\": [\n    {\n      \"family\": \"Chalmers\",\n      \"given\": [\n        \"Peter\",\n        \"James\"\n      ]\n    }\n  ],\n  \"gender\": \"male\",\n  \"birthDate\": \"1974-12-25\",\n  \"address\": [\n    {\n      \"line\": [\n        \"534 Erewhon St\"\n      ],\n      \"city\": \"Ann Arbor\",\n      \"state\": \"MI\",\n      \"postalCode\": \"48108\"\n    }\n  ]\n}"
+    }
+  ]
+}

data/config/presets/SMART_RunServerAgainstClient.json.erb

@@ -0,0 +1,42 @@
+{
+  "title": "Demo: Run Against the SMART Client Suite",
+  "id": "smart_run_server_against_client_v2_2",
+  "test_suite_id": "smart_stu2_2",
+  "inputs": [
+    {
+      "name": "url",
+      "description": "URL of the FHIR endpoint used by SMART applications",
+      "title": "FHIR Endpoint",
+      "type": "text",
+      "value": "<%= Inferno::Application['base_url'] %>/custom/smart_client_stu2_2/fhir"
+    },
+    {
+      "name": "backend_services_smart_auth_info",
+      "options": {
+        "mode": "auth",
+        "components": [
+          {
+            "name": "auth_type",
+            "default": "backend_services",
+            "locked": "true"
+          },
+          {
+            "name": "use_discovery",
+            "locked": true
+          }
+        ]
+      },
+      "title": "Backend Services Credentials",
+      "type": "auth_info",
+      "value": {
+        "encryption_algorithm": "ES384",
+        "auth_type": "backend_services",
+        "use_discovery": "true",
+        "token_url": "<%= Inferno::Application['base_url'] %>/custom/smart_client_stu2_2/auth/token",
+        "requested_scopes": "system/*.rs",
+        "client_id": "smart_client_test_demo"
+      },
+      "default": {}
+    }
+  ]
+}

data/lib/smart_app_launch/backend_services_authorization_group.rb

@@ -31,8 +31,6 @@ module SMARTAppLaunch
             ]
           }
 
-    output :bearer_token
-
     test from: :smart_tls,
          id: :smart_backend_services_token_tls_version,
          title: 'Authorization service token endpoint secured by transport layer security',

data/lib/smart_app_launch/backend_services_authorization_request_success_test.rb

@@ -23,7 +23,7 @@ module SMARTAppLaunch
             ]
           }
 
-    output :authentication_response
+    output :authentication_response, :smart_auth_info
 
     run do
       post_request_content = BackendServicesAuthorizationRequestBuilder.build(
@@ -40,7 +40,10 @@ module SMARTAppLaunch
 
       assert_response_status([200, 201])
 
-      output authentication_response: authentication_response.response_body
+      smart_auth_info.issue_time = Time.now
+
+      output authentication_response: authentication_response.response_body,
+             smart_auth_info: smart_auth_info
     end
   end
 end

data/lib/smart_app_launch/backend_services_authorization_response_body_test.rb

@@ -29,7 +29,7 @@ module SMARTAppLaunch
               }
             ]
           }
-    output :bearer_token, :smart_auth_info
+    output :bearer_token, :smart_auth_info, :received_scopes
 
     run do
       skip_if authentication_response.blank?, 'No authentication response received.'
@@ -38,11 +38,15 @@ module SMARTAppLaunch
       response_body = JSON.parse(authentication_response)
 
       access_token = response_body['access_token']
+      received_scopes = response_body['scope']
+      expires_in = response_body['expires_in']
+
       assert access_token.present?, 'Token response did not contain access_token as required'
 
       smart_auth_info.access_token = access_token
+      smart_auth_info.expires_in = expires_in
 
-      output bearer_token: access_token, smart_auth_info: smart_auth_info
+      output bearer_token: access_token, smart_auth_info: smart_auth_info, received_scopes: received_scopes
 
       required_keys = ['token_type', 'expires_in', 'scope']
 

data/lib/smart_app_launch/client_stu2_2_suite.rb

@@ -0,0 +1,79 @@
+require_relative 'endpoints/mock_smart_server/token'
+require_relative 'endpoints/echoing_fhir_responder'
+require_relative 'urls'
+require_relative 'client_suite/client_registration_group'
+require_relative 'client_suite/client_access_group'
+
+module SMARTAppLaunch
+  class SMARTClientSTU22Suite < Inferno::TestSuite
+    id :smart_client_stu2_2 # rubocop:disable Naming/VariableNumber
+    title 'SMART App Launch STU2.2 Client'
+    description File.read(File.join(__dir__, 'docs', 'smart_stu2_2_client_suite_description.md'))
+
+    links [
+      {
+        type: 'source_code',
+        label: 'Open Source',
+        url: 'https://github.com/inferno-framework/smart-app-launch-test-kit/'
+      },
+      {
+        type: 'report_issue',
+        label: 'Report Issue',
+        url: 'https://github.com/inferno-framework/smart-app-launch-test-kit/issues/'
+      },
+      {
+        type: 'download',
+        label: 'Download',
+        url: 'https://github.com/inferno-framework/smart-app-launch-test-kit/releases/'
+      },
+      {
+        type: 'ig',
+        label: 'Implementation Guide',
+        url: 'https://hl7.org/fhir/smart-app-launch/STU2.2/'
+      }
+    ]
+
+    route(:get, SMART_DISCOVERY_PATH, ->(_env) {MockSMARTServer.smart_server_metadata(id) }) 
+    suite_endpoint :post, TOKEN_PATH, MockSMARTServer::TokenEndpoint
+    suite_endpoint :get, FHIR_PATH, EchoingFHIRResponderEndpoint
+    suite_endpoint :post, FHIR_PATH, EchoingFHIRResponderEndpoint
+    suite_endpoint :put, FHIR_PATH, EchoingFHIRResponderEndpoint
+    suite_endpoint :delete, FHIR_PATH, EchoingFHIRResponderEndpoint
+    suite_endpoint :get, "#{FHIR_PATH}/:one", EchoingFHIRResponderEndpoint
+    suite_endpoint :post, "#{FHIR_PATH}/:one", EchoingFHIRResponderEndpoint
+    suite_endpoint :put, "#{FHIR_PATH}/:one", EchoingFHIRResponderEndpoint
+    suite_endpoint :delete, "#{FHIR_PATH}/:one", EchoingFHIRResponderEndpoint
+    suite_endpoint :get, "#{FHIR_PATH}/:one/:two", EchoingFHIRResponderEndpoint
+    suite_endpoint :post, "#{FHIR_PATH}/:one/:two", EchoingFHIRResponderEndpoint
+    suite_endpoint :put, "#{FHIR_PATH}/:one/:two", EchoingFHIRResponderEndpoint
+    suite_endpoint :delete, "#{FHIR_PATH}/:one/:two", EchoingFHIRResponderEndpoint
+    suite_endpoint :get, "#{FHIR_PATH}/:one/:two/:three", EchoingFHIRResponderEndpoint
+    suite_endpoint :post, "#{FHIR_PATH}/:one/:two/:three", EchoingFHIRResponderEndpoint
+    suite_endpoint :put, "#{FHIR_PATH}/:one/:two/:three", EchoingFHIRResponderEndpoint
+    suite_endpoint :delete, "#{FHIR_PATH}/:one/:two/:three", EchoingFHIRResponderEndpoint
+
+    resume_test_route :get, RESUME_PASS_PATH do |request|
+      request.query_parameters['token']
+    end
+
+    resume_test_route :get, RESUME_FAIL_PATH, result: 'fail' do |request|
+      request.query_parameters['token']
+    end
+
+    group do
+      title 'SMART Backend Services'
+      description %(
+        During these tests, the client will use SMART Backend Services
+        to access a FHIR API. Clients will provide registeration details,
+        obtain an access token, and use the access token when making a
+        request to a FHIR API.
+      )
+
+      input :smart_jwk_set,
+            optional: false
+
+      group from: :smart_client_registration
+      group from: :smart_client_access
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/client_access_group.rb

@@ -0,0 +1,26 @@
+require_relative 'client_access_interaction_test'
+require_relative 'client_token_request_verification_test'
+require_relative 'client_token_use_verification_test'
+
+module SMARTAppLaunch
+  class SMARTClientAccess < Inferno::TestGroup
+    id :smart_client_access
+    title 'Client Access'
+    description %(
+      During these tests, the client system will access Inferno's simulated
+      FHIR server by requesting an access token and making a FHIR request.
+      Inferno will then verify that any token requests made were conformant
+      and that a token returned from a token request was used on an access request.
+    )
+
+    run_as_group
+
+    input :smart_jwk_set,
+          optional: true,
+          locked: true
+
+    test from: :smart_client_access_interaction
+    test from: :smart_client_token_request_verification
+    test from: :smart_client_token_use_verification
+  end
+end

data/lib/smart_app_launch/client_suite/client_access_interaction_test.rb

@@ -0,0 +1,64 @@
+require_relative '../urls'
+require_relative '../endpoints/mock_smart_server'
+
+module SMARTAppLaunch
+  class SMARTClientAccessInteraction < Inferno::Test
+    include URLs
+
+    id :smart_client_access_interaction
+    title 'Perform SMART-secured Access'
+    description %(
+      During this test, Inferno will wait for the client to access data
+      using a SMART token obtained during earlier tests.
+    )
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          locked: true,
+          description: %(
+            The registered Client Id for use in obtaining access tokens.
+            Create a new session if you need to change this value.
+          )
+    input :smart_jwk_set,
+          title: 'JSON Web Key Set (JWKS)',
+          type: 'textarea',
+          optional: true,
+          locked: true,
+          description: %(
+            The SMART client's JSON Web Key Set in the form of either a publicly accessible url
+            containing the JWKS, or the raw JWKS JSON. Must include the key(s) Inferno will need to
+            verify signatures on token requests made by the client.
+            Create a new session if you need to change this value.
+          )
+    input :echoed_fhir_response,
+          title: 'FHIR Response to Echo',
+          type: 'textarea',
+          description: %(
+            JSON representation of a FHIR resource for Inferno to echo when a request
+            is made to the simulated FHIR server. The provided content will be echoed
+            back exactly and no check will be made that it is appropriate for the request
+            made. If nothing is provided, an OperationOutcome will be returned.
+          ),
+          optional: true
+
+    run do
+      wait(
+        identifier: client_id,
+        message: %(
+            **Access**
+
+            Use the registered client id (#{client_id}) to obtain an access
+            token using SMART Backend Services
+            and use that token to access a FHIR endpoint under the simulated server's base URL
+
+            `#{client_fhir_base_url}`
+
+            Inferno will echo the response provided in the **FHIR Response to Echo** input.
+
+            [Click here](#{client_resume_pass_url}?token=#{client_id}) once you performed
+            the access.
+          )
+      )
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/client_registration_group.rb

@@ -0,0 +1,15 @@
+require_relative 'client_registration_verification_test'
+
+module SMARTAppLaunch
+  class SMARTClientRegistration < Inferno::TestGroup
+    id :smart_client_registration
+    title 'Client Registration'
+    description %(
+      During these tests, Inferno will verify the registration details provided as inputs,
+      including the client's JSON Web Key Set.
+    )
+    run_as_group
+
+    test from: :smart_client_registration_verification
+  end
+end

data/lib/smart_app_launch/client_suite/client_registration_verification_test.rb

@@ -0,0 +1,52 @@
+require_relative '../tags'
+require_relative '../endpoints/mock_smart_server'
+
+module SMARTAppLaunch
+  class SMARTClientRegistrationVerification < Inferno::Test
+
+    id :smart_client_registration_verification
+    title 'Verify SMART Registration'
+    description %(
+      During this test, Inferno will verify that the SMART registration details
+      provided are conformant.
+    )
+    input :smart_jwk_set,
+          title: 'SMART JSON Web Key Set (JWKS)',
+          type: 'textarea',
+          description: %(
+            The SMART client's JSON Web Key Set including the key(s) Inferno will need to
+            verify signatures on token requests made by the client. May be provided as either
+            a publicly accessible url containing the JWKS, or the raw JWKS JSON.
+          )
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          optional: true,
+          description: %(
+            If a particular client id is desired, put it here. Otherwise a
+            default of the Inferno session id will be used.
+          )
+
+    output :client_id
+
+    run do
+      omit_if smart_jwk_set.blank?, # for re-use: mark the smart_jwk_set input as optional when importing to enable
+        'Not configured for SMART authentication.'
+
+      if client_id.blank?
+        client_id = test_session_id
+        output(client_id:)
+      end
+
+      jwks_warnings = []
+      parsed_smart_jwk_set = MockSMARTServer.jwk_set(smart_jwk_set, jwks_warnings)
+      jwks_warnings.each { |warning| add_message('warning', warning) }
+
+      assert parsed_smart_jwk_set.length.positive?, 'JWKS content does not include any valid keys.'
+
+      # TODO: add key-specific verification per end of https://build.fhir.org/ig/HL7/smart-app-launch/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys
+
+      assert messages.none? { |msg| msg[:type] == 'error' }, 'Invalid key set provided. See messages for details'
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/client_token_request_verification_test.rb

@@ -0,0 +1,146 @@
+require_relative '../tags'
+require_relative '../urls'
+require_relative '../endpoints/mock_smart_server'
+
+module SMARTAppLaunch
+  class SMARTClientTokenRequestVerification < Inferno::Test
+    include URLs
+
+    id :smart_client_token_request_verification
+    title 'Verify SMART Token Requests'
+    description %(
+        Check that SMART token requests are conformant.
+      )
+
+    input :client_id,
+          title: 'Client Id',
+          type: 'text',
+          optional: false,
+          locked: true,
+          description: %(
+            The registered Client Id for use in obtaining access tokens.
+            Create a new session if you need to change this value.
+          )
+    input :smart_jwk_set,
+          title: 'JSON Web Key Set (JWKS)',
+          type: 'textarea',
+          optional: false,
+          locked: true,
+          description: %(
+            The SMART client's JSON Web Key Set in the form of either a publicly accessible url
+            containing the JWKS, or the raw JWKS JSON. Must include the key(s) Inferno will need to
+            verify signatures on token requests made by the client.
+            Create a new session if you need to change this value.
+          )
+    output :smart_tokens
+
+    run do
+      omit_if smart_jwk_set.blank?, # for re-use: mark the smart_jwk_set input as optional when importing to enable
+              'SMART Backend Services authentication not demonstrated as a part of this test session.'
+
+      load_tagged_requests(TOKEN_TAG, SMART_TAG)
+      skip_if requests.blank?, 'No SMART token requests made.'
+
+      jti_list = []
+      token_list = []
+      requests.each_with_index do |token_request, index|
+        request_params = URI.decode_www_form(token_request.request_body).to_h
+        check_request_params(request_params, index + 1)
+        check_client_assertion(request_params['client_assertion'], index + 1, jti_list)
+        token_list << extract_token_from_response(token_request)
+      end
+
+      output smart_tokens: token_list.compact.join("\n")
+
+      assert messages.none? { |msg|
+        msg[:type] == 'error'
+      }, 'Invalid token requests detected. See messages for details.'
+    end
+
+    def check_request_params(params, request_num)
+      if params['grant_type'] != 'client_credentials'
+        add_message('error',
+                    "Token request #{request_num} had an incorrect `grant_type`: expected 'client_credentials', " \
+                    "but got '#{params['grant_type']}'")
+      end
+      if params['client_assertion_type'] != 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
+        add_message('error',
+                    "Token request #{request_num} had an incorrect `client_assertion_type`: " \
+                    "expected 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer', " \
+                    "but got '#{params['client_assertion_type']}'")
+      end
+      return unless params['scope'].blank?
+
+      add_message('error', "Token request #{request_num} did not include the requested `scope`")
+    end
+
+    def check_client_assertion(assertion, request_num, jti_list)
+      decoded_token =
+        begin
+          JWT::EncodedToken.new(assertion)
+        rescue StandardError => e
+          add_message('error', "Token request #{request_num} contained an invalid client assertion jwt: #{e}")
+          nil
+        end
+
+      return unless decoded_token.present?
+
+      check_jwt_header(decoded_token.header, request_num)
+      check_jwt_payload(decoded_token.payload, request_num, jti_list)
+      check_jwt_signature(decoded_token, request_num)
+    end
+
+    def check_jwt_header(header, request_num)
+      return unless header['typ'] != 'JWT'
+
+      add_message('error', "client assertion jwt on token request #{request_num} has an incorrect `typ` header: " \
+                           "expected 'JWT', got '#{header['typ']}'")
+    end
+
+    def check_jwt_payload(claims, request_num, jti_list)
+      if claims['iss'] != client_id
+        add_message('error', "client assertion jwt on token request #{request_num} has an incorrect `iss` claim: " \
+                             "expected '#{client_id}', got '#{claims['iss']}'")
+      end
+
+      if claims['sub'] != client_id
+        add_message('error', "client assertion jwt on token request #{request_num} has an incorrect `sub` claim: " \
+                             "expected '#{client_id}', got '#{claims['sub']}'")
+      end
+
+      if claims['aud'] != client_token_url
+        add_message('error', "client assertion jwt on token request #{request_num} has an incorrect `aud` claim: " \
+                             "expected '#{client_token_url}', got '#{claims['aud']}'")
+      end
+
+      if claims['exp'].blank?
+        add_message('error', "client assertion jwt on token request #{request_num} is missing the `exp` claim.")
+      end
+
+      if claims['jti'].blank?
+        add_message('error', "client assertion jwt on token request #{request_num} is missing the `jti` claim.")
+      elsif jti_list.include?(claims['jti'])
+        add_message('error', "client assertion jwt on token request #{request_num} has a `jti` claim that was " \
+                             "previouly used: '#{claims['jti']}'.")
+      else
+        jti_list << claims['jti']
+      end
+    end
+
+    def check_jwt_signature(encoded_token, request_num)
+      error = MockSMARTServer.smart_assertion_signature_verification(encoded_token, smart_jwk_set)
+
+      return unless error.present?
+
+      add_message('error', "Signature validation failed on token request #{request_num}: #{error}")
+    end
+
+    def extract_token_from_response(request)
+      return unless request.status == 200
+
+      JSON.parse(request.response_body)&.dig('access_token')
+    rescue
+      nil
+    end
+  end
+end

data/lib/smart_app_launch/client_suite/client_token_use_verification_test.rb

@@ -0,0 +1,47 @@
+require_relative '../tags'
+require_relative '../endpoints/mock_smart_server'
+
+module SMARTAppLaunch
+  class SMARTClientTokenUseVerification < Inferno::Test
+
+    id :smart_client_token_use_verification
+    title 'Verify SMART Token Use'
+    description %(
+        Check that a SMART token returned to the client was used for request
+        authentication.
+      )
+
+    input :smart_tokens,
+          optional: true # verified in the test to return a more specific error message
+    input :smart_jwk_set,
+          optional: false,
+          locked: true
+
+    def access_request_tags
+      return config.options[:access_request_tags] if config.options[:access_request_tags].present?
+
+      [ACCESS_TAG]
+    end
+
+    run do
+      omit_if smart_jwk_set.blank?, # for re-use: mark the smart_jwk_set input as optional when importing to enable
+        'SMART Authentication not demonstrated as a part of this test session.'
+
+      access_requests = access_request_tags.map do |access_request_tag|
+        load_tagged_requests(access_request_tag).reject { |access| access.status == 401 }
+      end.flatten
+      obtained_tokens = smart_tokens&.split("\n")
+
+      skip_if obtained_tokens.blank?, 'No token requests made.'
+      skip_if access_requests.blank?, 'No successful access requests made.'
+
+      used_tokens = access_requests.map do |access_request|
+        access_request.request_headers.find do |header|
+          header.name.downcase == 'authorization'
+        end&.value&.delete_prefix('Bearer ')
+      end.compact
+
+      assert (used_tokens & obtained_tokens).present?, 'Returned tokens never used in any requests.'
+    end
+  end
+end

data/lib/smart_app_launch/docs/demo/FHIR Request.postman_collection.json

@@ -0,0 +1,81 @@
+{
+	"info": {
+		"_postman_id": "22f52416-c6ae-4ffc-a388-54616465d149",
+		"name": "FHIR Request",
+		"description": "Make a simple FHIR request with a specific bearer token. Useful for security client tests like SMART and UDAP.\n\n- base_url: points to a running instance of inferno. Typical values will be\n    \n    - Inferno production: [https://inferno.healthit.gov/suites](https://inferno.healthit.gov/suites)\n        \n    - Inferno QA: [https://inferno-qa.healthit.gov/suites](https://inferno-qa.healthit.gov/suites)\n        \n    - Local docker: [http://localhost](http://localhost)\n        \n    - Local development: [http://localhost:4567](http://localhost:4567)",
+		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
+		"_exporter_id": "32597978"
+	},
+	"item": [
+		{
+			"name": "Patient Read",
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{bearer_token}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{base_url}}/custom/{{target_suite}}/fhir/Patient/example",
+					"host": [
+						"{{base_url}}"
+					],
+					"path": [
+						"custom",
+						"{{target_suite}}",
+						"fhir",
+						"Patient",
+						"example"
+					]
+				}
+			},
+			"response": []
+		}
+	],
+	"event": [
+		{
+			"listen": "prerequest",
+			"script": {
+				"type": "text/javascript",
+				"packages": {},
+				"exec": [
+					""
+				]
+			}
+		},
+		{
+			"listen": "test",
+			"script": {
+				"type": "text/javascript",
+				"packages": {},
+				"exec": [
+					""
+				]
+			}
+		}
+	],
+	"variable": [
+		{
+			"key": "base_url",
+			"value": "https://inferno.healthit.gov/suites",
+			"type": "string"
+		},
+		{
+			"key": "target_suite",
+			"value": "smart_client_stu2_2",
+			"type": "string"
+		},
+		{
+			"key": "bearer_token",
+			"value": "",
+			"type": "string"
+		}
+	]
+}

data/lib/smart_app_launch/docs/smart_stu2_2_client_suite_description.md

@@ -0,0 +1,121 @@
+## Overview
+
+The SMART App Launch STU 2.2 Client Test Suite verifies the conformance of
+client systems to the STU 2.2.0 version of the HL7® FHIR®
+[SMART App Launch IG](https://hl7.org/fhir/smart-app-launch/STU2.2/).
+
+## Scope
+
+The SMART App Launch Client Test Suite verifies that systems correctly implement
+the [SMART App Launch IG](http://hl7.org/fhir/smart-app-launch/STU2.2/)
+for authorizating and/or authenticating with a server in order to gain 
+access to HL7® FHIR® APIs. At this time, the suite only contains tests for
+the [Backend Services](https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html)
+flow.
+
+These tests are a **DRAFT** intended to allow implementers to perform
+preliminary checks of their systems against SMART requirements and 
+[provide feedback](https://github.com/inferno-framework/smart-app-launch-test-kit/issues)
+on the tests. Future versions of these tests may verify other
+requirements and may change the test verification logic.
+
+## Test Methodology
+
+For these tests Inferno simulates a SMART server that supports the backend services
+flow. Testers will
+1. Provide registration details as inputs, including a JSON Web Key Set (JWKS)
+   an optionally a client id if a specific one should be used.
+2. Request an access token using the registered JWKS and client id.
+3. Use that access token on a FHIR API request.
+
+The simulated server is relatively permissive in the sense that it will often
+provide successful responses even when the request is not conformant. When
+requesting tokens, Inferno will return an access token as long as it can find
+the client id and the signature is valid. This allows incomplete systems to
+run the tests. However, these non-conformant requests will be flagged by
+the tests as failures so that systems will not pass the tests without being
+fully conformant.
+
+## Running the Tests
+
+### Quick Start
+
+The following inputs must be provided by the tester at a minimum to execute
+any tests in this suite:
+1. **SMART JSON Web Key Set (JWKS)**: The SMART client's public JSON Web Key Set including
+   key(s) that Inferno will use to verify the signature on incoming token requests. May
+   be provided as either a publicly accessible url containing the JWKS, or the raw JWKS.
+
+The *Additional Inputs* section below describes options available to customize
+the behavior of Inferno's server simulation.
+
+### Demonstration
+
+To try out these tests without a SMART client implementation, these tests can be exercised
+using the SMART App Launch server test suite and a simple HTTP request generator. The following
+steps use [Postman](https://www.postman.com/) to generate the access request using 
+[this collection](https://github.com/inferno-framework/smart-app-launch-test-kit/blob/main/lib/smart_app_launch/docs/demo/FHIR%20Request.postman_collection.json). Install the app and import the collection before following these
+steps.
+
+1. Start an instance of the SMART App Launch STU2.2 Client test suite.
+2. From the drop down in the upper left, select preset "Demo: Run Against the SMART Server Suite".
+3. Click the "RUN ALL TESTS" button in the upper right and click "SUBMIT"
+4. In a new tab, start an instance of the SMART App Launch STU2.2 Test Suite
+5. From the drop down in the upper left, select preset "Demo: Run Against the SMART Client Suite"
+6. Select test group **3** Backend Services from the left panel, click the "RUN TESTS" button
+   in the upper right, and click "SUBMIT"
+7. Find the access token to use for the data access request by opening test **3.2.05** Authorization
+   request succeeds when supplied correct information, click on the "REQUESTS" tab, clicking on the "DETAILS"
+   button, and expanding the "Response Body". Copy the "access_token" value, which will be a ~100 character
+   string of letters and numbers (e.g., eyJjbGllbnRfaWQiOiJzbWFydF9jbGllbnRfdGVzdF9kZW1vIiwiZXhwaXJhdGlvbiI6MTc0MzUxNDk4Mywibm9uY2UiOiJlZDI5MWIwNmZhMTE4OTc4In0)
+8. Open Postman and open the "FHIR Request" Collection. Click the "Variables" tab and add the copied access token
+   as the current value of the `bearer_token` variable. Also update the
+   `base_url` value for where the test is running (see details on the "Overview" tab).
+   Save the collection.
+9. Select the "Patient Read" request and click "Send". A FHIR Patient resource should be returned.
+10. Return to the client tests and click the link to continue and complete the tests.
+
+The client tests should pass with the exception of test **1.2.02** Verify SMART Token Requests. This is
+expected as the Server tests make several intentionally invalid token requests. Inferno's simulated SMART
+server responds successfully to those requests when the client id can be identified, but flags them as
+not conformant causing these expected failures. Because responding with an access token to non-conformant
+token requests is itself not conformant there are corresponding failures on the server test in tests **3.2.02**,
+**3.2.04**, and **3.2.04**. There may be other SMART server test failures due to an assumption that
+servers support the app launch capabilities in addition to backend services.
+
+### Additional Inputs
+
+Two additional inputs are available to support testers 
+- **Client Id**: Testers may specify a client id for Inferno to use for the test session if they
+  have one already configured.
+- **FHIR Response to Echo**: The focus of this test kit is on the auth protocol, so the
+  simulated FHIR server implemented in this test suite is very simple and will by default
+  return a FHIR OperationOutcome to any request made. Testers may provide a static
+  FHIR JSON body for Inferno to return instead. In this case, the simulation is a simple
+  echo and Inferno does not check that the response if appropriate for the request made.
+
+## Current Limitations
+
+This test kit is still in draft form and does not test all of the requirements and features
+described in the SMART App Launch IG for clients. Notably, only the backend services flow
+is tested at this time.
+
+The following sections list other known gaps and limitations.
+
+### SMART Server Simulation Limitations
+
+This test suite contains a simulation of a SMART Backend Services server which is not fully
+general and not all conformant clients may be able to interact with it. However, the intention
+is not to prevent systems from passing for making conformant choices that Inferno's simulation
+does not support. One specific example is that the SMART configuration metadata available at
+`.well-known/smart-configuration` for the simulated server is fixed and cannot be changed by
+testers at this time. Please report any issues that prevent conformant systems from passing in
+the [github repository's issues page](https://github.com/inferno-framework/smart-app-launch-test-kit/issues/).
+
+### FHIR Server Simulation Limitations
+
+The FHIR server simulation used to support clients in demonstrating their ability to access
+FHIR APIs using access tokens obtained using the SMART flows is very limited. Testers are currently
+able to provide a single static response that will be echoed for any FHIR request made. While
+Inferno will never implement a fully general FHIR server simulation, additional options may be added
+in the future based on community feedback.

data/lib/smart_app_launch/endpoints/echoing_fhir_responder.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require_relative '../urls'
+require_relative '../tags'
+require_relative 'mock_smart_server'
+
+module SMARTAppLaunch
+  class EchoingFHIRResponderEndpoint < Inferno::DSL::SuiteEndpoint
+    def test_run_identifier
+      MockSMARTServer.token_to_client_id(request.headers['authorization']&.delete_prefix('Bearer '))
+    end
+
+    def make_response
+      return if response.status == 401 # set in update_result (expired token handling there)
+
+      response.content_type = 'application/fhir+json'
+
+      # If the tester provided a response, echo it
+      # otherwise, operation outcome
+      echo_response = JSON.parse(result.input_json)
+        .find { |input| input['name'].include?('echoed_fhir_response') }
+        &.dig('value')
+
+      unless echo_response.present?
+        response.status = 400
+        response.body = FHIR::OperationOutcome.new(
+          issue: FHIR::OperationOutcome::Issue.new(
+            severity: 'fatal', code: 'required',
+            details: FHIR::CodeableConcept.new(text: 'No response provided to echo.')
+          )
+        ).to_json
+        return
+      end
+
+      response.status = 200
+      response.body = echo_response
+    end
+
+    def update_result
+      if MockSMARTServer.request_has_expired_token?(request)
+        MockSMARTServer.update_response_for_expired_token(response)
+        return
+      end
+
+      nil # never update for now
+    end
+
+    def tags
+      [ACCESS_TAG]
+    end
+  end
+end

data/lib/smart_app_launch/endpoints/mock_smart_server/token.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require_relative '../../urls'
+require_relative '../../tags'
+require_relative '../mock_smart_server'
+
+module SMARTAppLaunch
+  module MockSMARTServer
+    class TokenEndpoint < Inferno::DSL::SuiteEndpoint
+      def test_run_identifier
+        MockSMARTServer.client_id_from_client_assertion(request.params[:client_assertion])
+      end
+
+      def make_response
+        MockSMARTServer.make_smart_token_response(request, response, result)
+      end
+
+      def update_result
+        nil # never update for now
+      end
+
+      def tags
+        [TOKEN_TAG, SMART_TAG]
+      end
+    end
+  end
+end

data/lib/smart_app_launch/endpoints/mock_smart_server.rb

@@ -0,0 +1,217 @@
+require 'jwt'
+require 'faraday'
+require 'time'
+require_relative '../urls'
+require_relative '../tags'
+
+module SMARTAppLaunch
+  module MockSMARTServer
+    SUPPORTED_SCOPES = ['openid', 'system/*.read', 'user/*.read', 'patient/*.read'].freeze
+
+    module_function
+
+    def smart_server_metadata(suite_id)
+      base_url = "#{Inferno::Application['base_url']}/custom/#{suite_id}"
+      response_body = {
+        token_endpoint_auth_signing_alg_values_supported: ['RS384', 'ES384'],
+        capabilities: ['client-confidential-asymmetric'],
+        code_challenge_methods_supported: ['S256'],
+        token_endpoint_auth_methods_supported: ['private_key_jwt'],
+        issuer: base_url + FHIR_PATH,
+        grant_types_supported: ['client_credentials'],
+        scopes_supported: SUPPORTED_SCOPES,
+        token_endpoint: base_url + TOKEN_PATH
+      }.to_json
+
+      [200, { 'Content-Type' => 'application/json', 'Access-Control-Allow-Origin' => '*' }, [response_body]]
+    end
+
+    def make_smart_token_response(request, response, result)
+      assertion = request.params[:client_assertion]
+      client_id = client_id_from_client_assertion(assertion)
+
+      key_set_input = JSON.parse(result.input_json)&.find do |input|
+        input['name'] == 'smart_jwk_set'
+      end&.dig('value')
+      signature_error = smart_assertion_signature_verification(assertion, key_set_input)
+
+      if signature_error.present?
+        update_response_for_invalid_assertion(response, signature_error)
+        return
+      end
+
+      exp_min = 60
+      response_body = {
+        access_token: client_id_to_token(client_id, exp_min),
+        token_type: 'Bearer',
+        expires_in: 60 * exp_min,
+        scope: request.params[:scope]
+      }
+
+      response.body = response_body.to_json
+      response.headers['Cache-Control'] = 'no-store'
+      response.headers['Pragma'] = 'no-cache'
+      response.headers['Access-Control-Allow-Origin'] = '*'
+      response.content_type = 'application/json'
+      response.status = 200
+    end
+
+    def client_id_from_client_assertion(client_assertion_jwt)
+      return unless client_assertion_jwt.present?
+
+      jwt_claims(client_assertion_jwt)&.dig('iss')
+    end
+
+    def parsed_request_body(request)
+      JSON.parse(request.request_body)
+    rescue JSON::ParserError
+      nil
+    end
+
+    def parsed_io_body(request)
+      parsed_body = begin
+        JSON.parse(request.body.read)
+      rescue JSON::ParserError
+        nil
+      end
+      request.body.rewind
+
+      parsed_body
+    end
+
+    def jwt_claims(encoded_jwt)
+      JWT.decode(encoded_jwt, nil, false)[0]
+    end
+
+    def client_uri_to_client_id(client_uri)
+      Base64.urlsafe_encode64(client_uri, padding: false)
+    end
+
+    def client_id_to_client_uri(client_id)
+      Base64.urlsafe_decode64(client_id)
+    end
+
+    def client_id_to_token(client_id, exp_min)
+      token_structure = {
+        client_id:,
+        expiration: exp_min.minutes.from_now.to_i,
+        nonce: SecureRandom.hex(8)
+      }.to_json
+
+      Base64.urlsafe_encode64(token_structure, padding: false)
+    end
+
+    def decode_token(token)
+      JSON.parse(Base64.urlsafe_decode64(token))
+    rescue JSON::ParserError
+      nil
+    end
+
+    def token_to_client_id(token)
+      decode_token(token)&.dig('client_id')
+    end
+
+    def jwk_set(jku, warning_messages = []) # rubocop:disable Metrics/CyclomaticComplexity
+      jwk_set = JWT::JWK::Set.new
+
+      if jku.blank?
+        warning_messages << 'No key set input.'
+        return jwk_set
+      end
+
+      jwk_body = # try as raw jwk set
+        begin
+          JSON.parse(jku)
+        rescue JSON::ParserError
+          nil
+        end
+
+      if jwk_body.blank?
+        retrieved = Faraday.get(jku) # try as url pointing to a jwk set
+        jwk_body =
+          begin
+            JSON.parse(retrieved.body)
+          rescue JSON::ParserError
+            warning_messages << "Failed to fetch valid json from jwks uri #{jwk_set}."
+            nil
+          end
+      else
+        warning_messages << 'Providing the JWK Set directly is strongly discouraged.'
+      end
+
+      return jwk_set if jwk_body.blank?
+
+      jwk_body['keys']&.each_with_index do |key_hash, index|
+        parsed_key =
+          begin
+            JWT::JWK.new(key_hash)
+          rescue JWT::JWKError => e
+            id = key_hash['kid'] | index
+            warning_messages << "Key #{id} invalid: #{e}"
+            nil
+          end
+        jwk_set << parsed_key unless parsed_key.blank?
+      end
+
+      jwk_set
+    end
+
+    def request_has_expired_token?(request)
+      return false if request.params[:session_path].present?
+
+      token = request.headers['authorization']&.delete_prefix('Bearer ')
+      decoded_token = decode_token(token)
+      return false unless decoded_token&.dig('expiration').present?
+
+      decoded_token['expiration'] < Time.now.to_i
+    end
+
+    def update_response_for_expired_token(response)
+      response.status = 401
+      response.format = :json
+      response.body = FHIR::OperationOutcome.new(
+        issue: FHIR::OperationOutcome::Issue.new(severity: 'fatal', code: 'expired',
+                                                 details: FHIR::CodeableConcept.new(text: 'Bearer token has expired'))
+      ).to_json
+    end
+
+    def smart_assertion_signature_verification(token, key_set_input) # rubocop:disable Metrics/CyclomaticComplexity
+      encoded_token = nil
+      if token.is_a?(JWT::EncodedToken)
+        encoded_token = token
+      else
+        begin
+          encoded_token = JWT::EncodedToken.new(token)
+        rescue StandardError => e
+          return "invalid token structure: #{e}"
+        end
+      end
+      return 'invalid token' unless encoded_token.present?
+      return 'missing `alg` header' if encoded_token.header['alg'].blank?
+      return 'missing `kid` header' if encoded_token.header['kid'].blank?
+
+      jwk = identify_smart_signing_key(encoded_token.header['kid'], encoded_token.header['jku'], key_set_input)
+      return "no key found with `kid` '#{encoded_token.header['kid']}'" if jwk.blank?
+
+      begin
+        encoded_token.verify_signature!(algorithm: encoded_token.header['alg'], key: jwk.verify_key)
+      rescue StandardError => e
+        return e
+      end
+
+      nil
+    end
+
+    def identify_smart_signing_key(kid, jku, key_set_input)
+      key_set = jku.present? ? jku : key_set_input
+      parsed_key_set = jwk_set(key_set)
+      parsed_key_set&.find { |key| key.kid == kid }
+    end
+
+    def update_response_for_invalid_assertion(response, error_message)
+      response.status = 401
+      response.format = :json
+      response.body = { error: 'invalid_client', error_description: error_message }.to_json
+    end
+  end
+end

data/lib/smart_app_launch/metadata.rb

@@ -64,12 +64,12 @@ module SMARTAppLaunch
       section](https://github.com/inferno-framework/smart-app-launch-test-kit/issues)
       of the repository.
     DESCRIPTION
-    suite_ids [:smart, :smart_stu2, :smart_stu2_2, :smart_access_brands]
+    suite_ids [:smart, :smart_stu2, :smart_stu2_2, :smart_access_brands, :smart_client_stu2_2]
     tags ['SMART App Launch', 'Endpoint Publication']
     last_updated LAST_UPDATED
     version VERSION
     maturity 'Medium'
-    authors ['Stephen MacVicar']
+    authors ['Stephen MacVicar', 'Karl Naden']
     repo 'https://github.com/inferno-framework/smart-app-launch-test-kit'
   end
 end

data/lib/smart_app_launch/smart_stu2_2_suite.rb

@@ -262,7 +262,8 @@ module SMARTAppLaunch
                 smart_auth_info: { name: :backend_services_smart_auth_info }
               },
               outputs: {
-                smart_auth_info: { name: :backend_services_smart_auth_info }
+                smart_auth_info: { name: :backend_services_smart_auth_info },
+                received_scopes: { name: :backend_services_received_scopes }
               }
             }
     end

data/lib/smart_app_launch/smart_stu2_suite.rb

@@ -260,7 +260,8 @@ module SMARTAppLaunch
                 smart_auth_info: { name: :backend_services_smart_auth_info }
               },
               outputs: {
-                smart_auth_info: { name: :backend_services_smart_auth_info }
+                smart_auth_info: { name: :backend_services_smart_auth_info },
+                received_scopes: { name: :backend_services_received_scopes }
               }
             }
     end

data/lib/smart_app_launch/tags.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module SMARTAppLaunch
+  TOKEN_TAG = 'token'
+  SMART_TAG = 'smart'
+  ACCESS_TAG = 'access'
+end

data/lib/smart_app_launch/token_introspection_response_group.rb

@@ -53,7 +53,7 @@ module SMARTAppLaunch
         introspection response and should match the claim in the ID token
       )
 
-      input :standalone_smart_auth_info, type: :auth_info, options: { mode: 'auth' }
+      input :standalone_smart_auth_info, type: :auth_info, options: { mode: 'access' }
 
       input :standalone_received_scopes,
             title: 'Expected Introspection Response Value: scope',

data/lib/smart_app_launch/urls.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module SMARTAppLaunch
+  FHIR_PATH = '/fhir'
+  RESUME_PASS_PATH = '/resume_pass'
+  RESUME_FAIL_PATH = '/resume_fail'
+  AUTH_SERVER_PATH = '/auth'
+  SMART_DISCOVERY_PATH = "#{FHIR_PATH}/.well-known/smart-configuration".freeze
+  TOKEN_PATH = "#{AUTH_SERVER_PATH}/token".freeze
+
+  module URLs
+    def client_base_url
+      @client_base_url ||= "#{Inferno::Application['base_url']}/custom/#{client_suite_id}"
+    end
+
+    def client_fhir_base_url
+      @client_fhir_base_url ||= client_base_url + FHIR_PATH
+    end
+
+    def client_resume_pass_url
+      @client_resume_pass_url ||= client_base_url + RESUME_PASS_PATH
+    end
+
+    def client_resume_fail_url
+      @client_resume_fail_url ||= client_base_url + RESUME_FAIL_PATH
+    end
+
+    def client_smart_discovery_url
+      @client_smart_discovery_url ||= client_base_url + SMART_DISCOVERY_PATH
+    end
+
+    def client_token_url
+      @client_token_url ||= client_base_url + TOKEN_PATH
+    end
+
+    def client_suite_id
+      SMARTAppLaunch::SMARTClientSTU22Suite.id
+    end
+  end
+end

data/lib/smart_app_launch/version.rb

@@ -1,4 +1,4 @@
 module SMARTAppLaunch
-  VERSION = '0.6.0'.freeze
-  LAST_UPDATED = '2025-03-14'.freeze
+  VERSION = '0.6.1'.freeze
+  LAST_UPDATED = '2025-04-07'.freeze
 end

data/lib/smart_app_launch_test_kit.rb

@@ -5,3 +5,4 @@ require_relative 'smart_app_launch/smart_stu1_suite'
 require_relative 'smart_app_launch/smart_stu2_suite'
 require_relative 'smart_app_launch/smart_stu2_2_suite'
 require_relative 'smart_app_launch/smart_access_brands_suite'
+require_relative 'smart_app_launch/client_stu2_2_suite'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: smart_app_launch_test_kit
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.6.1
 platform: ruby
 authors:
 - Stephen MacVicar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-03-14 00:00:00.000000000 Z
+date: 2025-04-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inferno_core
@@ -145,6 +145,8 @@ extensions: []
 extra_rdoc_files: []
 files:
 - LICENSE
+- config/presets/SMART_RunClientAgainstServer.json.erb
+- config/presets/SMART_RunServerAgainstClient.json.erb
 - config/presets/inferno_reference_server_preset.json
 - config/presets/inferno_reference_server_stu2_2_preset.json
 - config/presets/inferno_reference_server_stu2_preset.json
@@ -164,6 +166,13 @@ files:
 - lib/smart_app_launch/backend_services_invalid_grant_type_test.rb
 - lib/smart_app_launch/backend_services_invalid_jwt_test.rb
 - lib/smart_app_launch/client_assertion_builder.rb
+- lib/smart_app_launch/client_stu2_2_suite.rb
+- lib/smart_app_launch/client_suite/client_access_group.rb
+- lib/smart_app_launch/client_suite/client_access_interaction_test.rb
+- lib/smart_app_launch/client_suite/client_registration_group.rb
+- lib/smart_app_launch/client_suite/client_registration_verification_test.rb
+- lib/smart_app_launch/client_suite/client_token_request_verification_test.rb
+- lib/smart_app_launch/client_suite/client_token_use_verification_test.rb
 - lib/smart_app_launch/code_received_test.rb
 - lib/smart_app_launch/cors_metadata_request_test.rb
 - lib/smart_app_launch/cors_openid_fhir_user_claim_test.rb
@@ -172,9 +181,14 @@ files:
 - lib/smart_app_launch/discovery_stu1_group.rb
 - lib/smart_app_launch/discovery_stu2_2_group.rb
 - lib/smart_app_launch/discovery_stu2_group.rb
+- lib/smart_app_launch/docs/demo/FHIR Request.postman_collection.json
+- lib/smart_app_launch/docs/smart_stu2_2_client_suite_description.md
 - lib/smart_app_launch/ehr_launch_group.rb
 - lib/smart_app_launch/ehr_launch_group_stu2.rb
 - lib/smart_app_launch/ehr_launch_group_stu2_2.rb
+- lib/smart_app_launch/endpoints/echoing_fhir_responder.rb
+- lib/smart_app_launch/endpoints/mock_smart_server.rb
+- lib/smart_app_launch/endpoints/mock_smart_server/token.rb
 - lib/smart_app_launch/jwks.rb
 - lib/smart_app_launch/launch_received_test.rb
 - lib/smart_app_launch/metadata.rb
@@ -207,6 +221,7 @@ files:
 - lib/smart_app_launch/standalone_launch_group.rb
 - lib/smart_app_launch/standalone_launch_group_stu2.rb
 - lib/smart_app_launch/standalone_launch_group_stu2_2.rb
+- lib/smart_app_launch/tags.rb
 - lib/smart_app_launch/token_exchange_stu2_2_test.rb
 - lib/smart_app_launch/token_exchange_stu2_test.rb
 - lib/smart_app_launch/token_exchange_test.rb
@@ -226,6 +241,7 @@ files:
 - lib/smart_app_launch/token_response_body_test_stu2_2.rb
 - lib/smart_app_launch/token_response_headers_test.rb
 - lib/smart_app_launch/url_helpers.rb
+- lib/smart_app_launch/urls.rb
 - lib/smart_app_launch/version.rb
 - lib/smart_app_launch/well_known_capabilities_stu1_test.rb
 - lib/smart_app_launch/well_known_capabilities_stu2_test.rb