udap_security_test_kit 0.11.1 → 0.11.3

data/lib/udap_security_test_kit/docs/udap_client_suite_description.md

@@ -0,0 +1,120 @@
+## Overview
+
+The UDAP Security Client Test Suite verifies the conformance of
+client systems to the STU 1.0.0 version of the HL7® FHIR®
+[Security for Scalable Registration, Authentication, and Authorization (UDAP Security) FHIR IG](https://hl7.org/fhir/us/udap-security/STU1/).
+
+## Scope
+
+The UDAP Security Client Test Suite verifies that systems correctly implement
+the [UDAP Security IG](https://hl7.org/fhir/us/udap-security/STU1/)
+for authorizating and/or authenticating with a server in order to gain 
+access to HL7® FHIR® APIs. At this time, the suite only contains tests for
+the [Business-to-Business Client Credentials flow](https://hl7.org/fhir/us/udap-security/STU1/b2b.html).
+
+These tests are a **DRAFT** intended to allow implementers to perform
+preliminary checks of their systems against UDAP Security IG
+and [provide feedback](https://github.com/inferno-framework/udap-security-test-kit/issues)
+on the tests. Future versions of these tests may verify other
+requirements and may change the test verification logic.
+
+## Test Methodology
+
+For these tests Inferno simulates a UDAP server that supports the business-to-business
+client credentials flow. Testers will
+1. Provide to Inferno the client URI with which they will register their system.
+2. Make a dynamic registration request to Inferno using the provided client URI
+   and including the X.509 certificate used to sign the registeration and subsequent
+   token requests which must also have the client URI as a Subject Alternative Name (SAN)
+   value in the certificate.
+3. Obtain an access token with a request using the client Id returned during registration
+   and signed using same X.509 certificate supplied during registration.
+4. Use that access token on a FHIR API request.
+
+The simulated UDAP server is relatively permissive in the sense that it will often
+provide successful responses even when the request is not conformant. When
+requesting tokens, Inferno will return an access token as long as it can find
+the client id and the signature is valid. This allows incomplete systems to
+run the tests. However, these non-conformant requests will be flagged by
+the tests as failures so that systems will not pass the tests without being
+fully conformant.
+
+## Running the Tests
+
+### Quick Start
+
+The following inputs must be provided by the tester at a minimum to execute
+any tests in this suite:
+1. **UDAP Client URI**: The UDAP Client URI that will be used to register with
+   Inferno's simulated UDAP server.
+
+The *Additional Inputs* section below describes options available to customize
+the behavior of Inferno's server simulation.
+
+### Demonstration
+
+To try out these tests without a UDAP client implementation, these tests can be exercised
+using the UDAP Security server test suite and a simple HTTP request generator. The following
+steps use [Postman](https://www.postman.com/) to generate the access request using 
+[this collection](https://github.com/inferno-framework/udap-security-test-kit/blob/main/lib/udap_security_test_kit/docs/demo/FHIR%20Request.postman_collection.json).
+Install the app and import the collection before following these steps.
+
+1. Start an instance of the UDAP Security Client test suite.
+2. From the drop down in the upper left, select preset "Demo: Run Against the UDAP Security Server Suite".
+3. Click the "RUN ALL TESTS" button in the upper right and click "SUBMIT"
+4. In a new tab, start an instance of the UDAP Security Server Test Suite
+5. From the drop down in the upper left, select preset "Demo: Run Against the UDAP Security Client Suite"
+6. Select test group **2** UDAP Client Credentials Flow from the left panel, click the "RUN ALL TESTS" button
+   in the upper right, and click "SUBMIT"
+7. In the Client suite tab, click the link in the wait dialog to continue the tests.
+8. In the Server suite tab, find the access token to use for the data access request by opening
+   test **2.3.01** OAuth token exchange request succeeds when supplied correct information, click
+   on the "REQUESTS" tab, clicking on the "DETAILS" button, and expanding the "Response Body".
+   Copy the "access_token" value, which will be a ~100 character string of letters and numbers (e.g., eyJjbGllbnRfaWQiOiJzbWFydF9jbGllbnRfdGVzdF9kZW1vIiwiZXhwaXJhdGlvbiI6MTc0MzUxNDk4Mywibm9uY2UiOiJlZDI5MWIwNmZhMTE4OTc4In0)
+9. Open Postman and open the "FHIR Request" Collection. Click the "Variables" tab and add the
+   copied access token as the current value of the `bearer_token` variable. Also update the
+   `base_url` value for where the test is running (see details on the "Overview" tab).
+   Save the collection.
+10. Select the "Patient Read" request and click "Send". A FHIR Patient resource should be returned.
+11. Return to the client tests and click the link to continue and complete the tests.
+
+The client tests should pass. On the server side some of the registration tests will fail. This is
+expected as the Server tests make several intentionally invalid token requests. Inferno's simulated UDAP
+server responds successfully to those requests when the client id can be identified, but flags them as
+not conformant causing these expected failures. Because responding successfully to non-conformant
+registration requests is itself not conformant there are corresponding failures on the server test.
+
+### Additional Inputs
+
+One additional input is available to support testers 
+- **FHIR Response to Echo**: The focus of this test kit is on the auth protocol, so the
+  simulated FHIR server implemented in this test suite is very simple and will by default
+  return a FHIR OperationOutcome to any request made. Testers may provide a static
+  FHIR JSON body for Inferno to return instead. In this case, the simulation is a simple
+  echo and Inferno does not check that the response if appropriate for the request made.
+
+## Current Limitations
+
+This test kit is still in draft form and does not test all of the requirements and features
+described in the UDAP Security IG for clients. Notably, only the B2B client credentials flow
+is tested at this time.
+
+The following sections list other known gaps and limitations.
+
+### UDAP Server Simulation Limitations
+
+This test suite contains a simulation of a UDAP server which is not fully
+general and not all conformant clients may be able to interact with it. One
+specific example is that the UDAP configuration metadata available at
+`.well-known/udap` for the simulated server is fixed and cannot be changed by
+testers at this time. Despite the current limitations, the intention is for Inferno to
+support a variety of conformant choices, so please report issues that prevent conformant
+systems from passing in the [github repository's issues page](https://github.com/inferno-framework/udap-security-test-kit/issues/).
+
+### FHIR Server Simulation Limitations
+
+The FHIR server simulation used to support clients in demonstrating their ability to access
+FHIR APIs using access tokens obtained using the UDAP flows is very limited. Testers are currently
+able to provide a single static response that will be echoed for any FHIR request made. While
+Inferno will never implement a fully general FHIR server simulation, additional options may be added
+in the future based on community feedback.

data/lib/udap_security_test_kit/endpoints/echoing_fhir_responder.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require_relative '../urls'
+require_relative '../tags'
+require_relative 'mock_udap_server'
+
+module UDAPSecurityTestKit
+  class EchoingFHIRResponderEndpoint < Inferno::DSL::SuiteEndpoint
+    def test_run_identifier
+      MockUDAPServer.token_to_client_id(request.headers['authorization']&.delete_prefix('Bearer '))
+    end
+
+    def make_response
+      return if response.status == 401 # set in update_result (expired token handling there)
+
+      response.content_type = 'application/fhir+json'
+
+      # If the tester provided a response, echo it
+      # otherwise, operation outcome
+      echo_response = JSON.parse(result.input_json)
+        .find { |input| input['name'].include?('echoed_fhir_response') }
+        &.dig('value')
+
+      unless echo_response.present?
+        response.status = 400
+        response.body = FHIR::OperationOutcome.new(
+          issue: FHIR::OperationOutcome::Issue.new(
+            severity: 'fatal', code: 'required',
+            details: FHIR::CodeableConcept.new(text: 'No response provided to echo.')
+          )
+        ).to_json
+        return
+      end
+
+      response.status = 200
+      response.body = echo_response
+    end
+
+    def update_result
+      if MockUDAPServer.request_has_expired_token?(request)
+        MockUDAPServer.update_response_for_expired_token(response)
+        return
+      end
+
+      nil # never update for now
+    end
+
+    def tags
+      [ACCESS_TAG]
+    end
+  end
+end

data/lib/udap_security_test_kit/endpoints/mock_udap_server/registration.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require_relative '../../urls'
+require_relative '../../tags'
+require_relative '../mock_udap_server'
+
+module UDAPSecurityTestKit
+  module MockUDAPServer
+    class RegistrationEndpoint < Inferno::DSL::SuiteEndpoint
+      def test_run_identifier
+        MockUDAPServer.client_uri_to_client_id(
+          client_uri_from_registration_payload(MockUDAPServer.parsed_io_body(request))
+        )
+      end
+
+      def make_response
+        parsed_body = MockUDAPServer.parsed_io_body(request)
+        client_id = MockUDAPServer.client_uri_to_client_id(client_uri_from_registration_payload(parsed_body))
+        ss_jwt = request_software_statement_jwt(parsed_body)
+
+        response_body = {
+          client_id:,
+          software_statement: ss_jwt
+        }
+        response_body.merge!(MockUDAPServer.jwt_claims(ss_jwt).except(['iss', 'sub', 'exp', 'iat', 'jti']))
+
+        response.body = response_body.to_json
+        response.headers['Cache-Control'] = 'no-store'
+        response.headers['Pragma'] = 'no-cache'
+        response.headers['Access-Control-Allow-Origin'] = '*'
+        response.content_type = 'application/json'
+        response.status = 201
+      end
+
+      def update_result
+        nil # never update for now
+      end
+
+      def tags
+        [REGISTRATION_TAG, UDAP_TAG]
+      end
+
+      private
+
+      def client_uri_from_registration_payload(reg_body)
+        software_statement_jwt = request_software_statement_jwt(reg_body)
+        return unless software_statement_jwt.present?
+
+        MockUDAPServer.jwt_claims(software_statement_jwt)&.dig('iss')
+      end
+
+      def request_software_statement_jwt(reg_body)
+        reg_body&.dig('software_statement')
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/endpoints/mock_udap_server/token.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require_relative '../../urls'
+require_relative '../../tags'
+require_relative '../mock_udap_server'
+
+module UDAPSecurityTestKit
+  module MockUDAPServer
+    class TokenEndpoint < Inferno::DSL::SuiteEndpoint
+      def test_run_identifier
+        MockUDAPServer.client_id_from_client_assertion(request.params[:client_assertion])
+      end
+
+      def make_response
+        MockUDAPServer.make_udap_token_response(request, response, test_run.test_session_id)
+      end
+
+      def update_result
+        nil # never update for now
+      end
+
+      def tags
+        [TOKEN_TAG, UDAP_TAG]
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/endpoints/mock_udap_server.rb

@@ -0,0 +1,301 @@
+require 'jwt'
+require 'faraday'
+require 'time'
+require_relative '../urls'
+require_relative '../tags'
+require_relative '../udap_jwt_builder'
+
+module UDAPSecurityTestKit
+  module MockUDAPServer
+    SUPPORTED_SCOPES = ['openid', 'system/*.read', 'user/*.read', 'patient/*.read'].freeze
+
+    module_function
+
+    def udap_server_metadata(suite_id)
+      base_url = "#{Inferno::Application['base_url']}/custom/#{suite_id}"
+      response_body = {
+        udap_versions_supported: ['1'],
+        udap_profiles_supported: ['udap_dcr', 'udap_authn', 'udap_authz'],
+        udap_authorization_extensions_supported: ['hl7-b2b'],
+        udap_authorization_extensions_required: [],
+        udap_certifications_supported: [],
+        udap_certifications_required: [],
+        grant_types_supported: ['client_credentials'],
+        scopes_supported: SUPPORTED_SCOPES,
+        token_endpoint: base_url + TOKEN_PATH,
+        token_endpoint_auth_methods_supported: ['private_key_jwt'],
+        token_endpoint_auth_signing_alg_values_supported: ['RS256', 'RS384', 'ES384'],
+        registration_endpoint: base_url + REGISTRATION_PATH,
+        registration_endpoint_jwt_signing_alg_values_supported: ['RS256', 'RS384', 'ES384'],
+        signed_metadata: udap_signed_metadata_jwt(base_url)
+      }.to_json
+
+      [200, { 'Content-Type' => 'application/json', 'Access-Control-Allow-Origin' => '*' }, [response_body]]
+    end
+
+    def make_udap_token_response(request, response, test_session_id)
+      assertion = request.params[:client_assertion]
+      client_id = client_id_from_client_assertion(assertion)
+
+      software_statement = udap_registration_software_statement(test_session_id)
+      signature_error = udap_token_signature_verification(assertion, software_statement)
+
+      if signature_error.present?
+        update_response_for_invalid_assertion(response, signature_error)
+        return
+      end
+
+      exp_min = 60
+      response_body = {
+        access_token: client_id_to_token(client_id, exp_min),
+        token_type: 'Bearer',
+        expires_in: 60 * exp_min
+      }
+
+      response.body = response_body.to_json
+      response.headers['Cache-Control'] = 'no-store'
+      response.headers['Pragma'] = 'no-cache'
+      response.headers['Access-Control-Allow-Origin'] = '*'
+      response.content_type = 'application/json'
+      response.status = 200
+    end
+
+    def udap_signed_metadata_jwt(base_url)
+      jwt_claim_hash = {
+        iss: base_url + FHIR_PATH,
+        sub: base_url + FHIR_PATH,
+        exp: 5.minutes.from_now.to_i,
+        iat: Time.now.to_i,
+        jti: SecureRandom.hex(32),
+        token_endpoint: base_url + TOKEN_PATH,
+        registration_endpoint: base_url + REGISTRATION_PATH
+      }.compact
+
+      UDAPJWTBuilder.encode_jwt_with_x5c_header(
+        jwt_claim_hash,
+        test_kit_private_key,
+        'RS256',
+        [test_kit_cert]
+      )
+    end
+
+    def root_ca_cert
+      File.read(
+        ENV.fetch('UDAP_ROOT_CA_CERT_FILE',
+                  File.join(__dir__, '..',
+                            'certs', 'infernoCA.pem'))
+      )
+    end
+
+    def root_ca_private_key
+      File.read(
+        ENV.fetch('UDAP_CA_PRIVATE_KEY_FILE',
+                  File.join(__dir__, '..',
+                            'certs', 'infernoCA.key'))
+      )
+    end
+
+    def test_kit_cert
+      File.read(
+        ENV.fetch('UDAP_TEST_KIT_CERT_FILE',
+                  File.join(__dir__, '..',
+                            'certs', 'TestClient.pem'))
+      )
+    end
+
+    def test_kit_private_key
+      File.read(
+        ENV.fetch('UDAP_TEST_KIT_PRIVATE_KEY_FILE',
+                  File.join(__dir__, '..',
+                            'certs', 'TestClientPrivateKey.key'))
+      )
+    end
+
+    def parsed_request_body(request)
+      JSON.parse(request.request_body)
+    rescue JSON::ParserError
+      nil
+    end
+
+    def parsed_io_body(request)
+      parsed_body = begin
+        JSON.parse(request.body.read)
+      rescue JSON::ParserError
+        nil
+      end
+      request.body.rewind
+
+      parsed_body
+    end
+
+    def jwt_claims(encoded_jwt)
+      JWT.decode(encoded_jwt, nil, false)[0]
+    end
+
+    def client_uri_to_client_id(client_uri)
+      Base64.urlsafe_encode64(client_uri, padding: false)
+    end
+
+    def client_id_to_client_uri(client_id)
+      Base64.urlsafe_decode64(client_id)
+    end
+
+    def client_id_to_token(client_id, exp_min)
+      token_structure = {
+        client_id:,
+        expiration: exp_min.minutes.from_now.to_i,
+        nonce: SecureRandom.hex(8)
+      }.to_json
+
+      Base64.urlsafe_encode64(token_structure, padding: false)
+    end
+
+    def decode_token(token)
+      JSON.parse(Base64.urlsafe_decode64(token))
+    rescue JSON::ParserError
+      nil
+    end
+
+    def token_to_client_id(token)
+      decode_token(token)&.dig('client_id')
+    end
+
+    def request_has_expired_token?(request)
+      return false if request.params[:session_path].present?
+
+      token = request.headers['authorization']&.delete_prefix('Bearer ')
+      decoded_token = decode_token(token)
+      return false unless decoded_token&.dig('expiration').present?
+
+      decoded_token['expiration'] < Time.now.to_i
+    end
+
+    def update_response_for_expired_token(response)
+      response.status = 401
+      response.format = :json
+      response.body = FHIR::OperationOutcome.new(
+        issue: FHIR::OperationOutcome::Issue.new(severity: 'fatal', code: 'expired',
+                                                 details: FHIR::CodeableConcept.new(text: 'Bearer token has expired'))
+      ).to_json
+    end
+
+    def udap_reg_signature_verification(assertion_jwt)
+      assertion_body, assertion_header = JWT.decode(assertion_jwt, nil, false)
+      return 'missing `x5c` header' if assertion_header['x5c'].blank?
+
+      leaf_cert_der = Base64.decode64(assertion_header['x5c'].first)
+      leaf_cert = OpenSSL::X509::Certificate.new(leaf_cert_der)
+
+      signature_error = udap_assertion_signature_verification(assertion_jwt, leaf_cert, assertion_header['alg'])
+      return signature_error if signature_error.present?
+
+      # check the certificate's SAN extension for the issuer name
+      issuer = assertion_body['iss']
+      begin
+        alt_names =
+          leaf_cert.extensions
+            .find { |extension| extension.oid == 'subjectAltName' }.value
+      rescue NoMethodError
+        return 'Could not find Subject Alternative Name extension in leaf certificate'
+      end
+      return if alt_names.include?("URI:#{issuer}")
+
+      "`iss` claim `#{issuer}` not found in Subject Alternative Name extension " \
+        "from the `x5c` JWT header: `#{alt_names}`"
+    end
+
+    def udap_token_signature_verification(assertion_jwt, registration_jwt)
+      _assertion_body, assertion_header = JWT.decode(assertion_jwt, nil, false)
+      return 'missing `x5c` header' if assertion_header['x5c'].blank?
+
+      leaf_cert_der = Base64.decode64(assertion_header['x5c'].first)
+      leaf_cert = OpenSSL::X509::Certificate.new(leaf_cert_der)
+
+      signature_error = udap_assertion_signature_verification(assertion_jwt, leaf_cert, assertion_header['alg'])
+      return signature_error if signature_error.present?
+      return unless registration_jwt.present?
+
+      # check trust
+      _registration_body, registration_header = JWT.decode(registration_jwt, nil, false)
+      return if assertion_header['x5c'].first == registration_header['x5c'].first
+
+      'signing cert does not match registration cert'
+    end
+
+    def udap_assertion_signature_verification(assertion_jwt, signing_cert, algorithm)
+      return 'missing `alg` header' unless algorithm.present?
+
+      signature_validation_result = UDAPSecurityTestKit::UDAPJWTValidator.validate_signature(
+        assertion_jwt,
+        algorithm,
+        signing_cert
+      )
+      return if signature_validation_result[:success]
+
+      signature_validation_result[:error_message]
+    end
+
+    def udap_registration_software_statement(test_session_id)
+      registration_requests =
+        Inferno::Repositories::Requests.new.tagged_requests(test_session_id, [UDAP_TAG, REGISTRATION_TAG])
+      return unless registration_requests.present?
+
+      parsed_body = MockUDAPServer.parsed_request_body(registration_requests.last)
+      parsed_body&.dig('software_statement')
+    end
+
+    def update_response_for_invalid_assertion(response, error_message)
+      response.status = 401
+      response.format = :json
+      response.body = { error: 'invalid_client', error_description: error_message }.to_json
+    end
+
+    def client_id_from_client_assertion(client_assertion_jwt)
+      return unless client_assertion_jwt.present?
+
+      jwt_claims(client_assertion_jwt)&.dig('iss')
+    end
+
+    def check_jwt_timing(issue_claim, expiration_claim, request_time) # rubocop:disable Metrics/CyclomaticComplexity
+      add_message('error', 'Registration software statement `iat` claim is missing') unless issue_claim.present?
+      add_message('error', 'Registration software statement `exp` claim is missing') unless expiration_claim.present?
+      return unless issue_claim.present? && expiration_claim.present?
+
+      unless issue_claim.is_a?(Numeric)
+        add_message('error',
+                    "Registration software statement `iat` claim is invalid: expected a number, got '#{issue_claim}'")
+      end
+      unless expiration_claim.is_a?(Numeric)
+        add_message('error',
+                    'Registration software statement `exp` claim is invalid: ' \
+                    "expected a number, got '#{expiration_claim}'")
+      end
+      return unless issue_claim.is_a?(Numeric) && expiration_claim.is_a?(Numeric)
+
+      issue_time = Time.at(issue_claim)
+      expiration_time = Time.at(expiration_claim)
+      unless expiration_time > issue_time
+        add_message('error',
+                    'Registration software statement `exp` claim is invalid: ' \
+                    'cannot be before the `iat` claim.')
+      end
+      unless expiration_time <= issue_time + 5.minutes
+        add_message('error',
+                    'Registration software statement `exp` claim is invalid: ' \
+                    'cannot be more than 5 minutes after the `iat` claim.')
+      end
+      unless issue_time <= request_time
+        add_message('error',
+                    'Registration software statement `iat` claim is invalid: ' \
+                    'cannot be after the request time.')
+      end
+      unless expiration_time > request_time
+        add_message('error',
+                    'Registration software statement `exp` claim is invalid: ' \
+                    'it has expired.')
+      end
+
+      nil
+    end
+  end
+end

data/lib/udap_security_test_kit/metadata.rb

@@ -3,9 +3,9 @@ require_relative 'version'
 module UDAPSecurityTestKit
   class Metadata < Inferno::TestKit
     id :udap_security
-    title 'UDAP Security'
+    title 'UDAP Security Test Kit'
     description <<~DESCRIPTION
-      This is a collection of tests to verify server conformance to the [HL7 UDAP Security
+      This is a collection of tests to verify client and server conformance to the [HL7 UDAP Security
       STU 1.0 IG](https://hl7.org/fhir/us/udap-security/STU1/index.html)
       <!-- break -->
       Specifically, this test
@@ -14,16 +14,16 @@ module UDAPSecurityTestKit
       - [Discovery](https://hl7.org/fhir/us/udap-security/STU1/discovery.html)
       - [Dynamic Client Registration](https://hl7.org/fhir/us/udap-security/STU1/registration.html)
       - [Consumer-Facing Authorization & Authentication](https://hl7.org/fhir/us/udap-security/STU1/consumer.html)
+        (server only)
       - [Business-to-Business (B2B) Authorization & Authentication](https://hl7.org/fhir/us/udap-security/STU1/b2b.html)
 
       [Tiered OAuth for User
       Authentication](https://hl7.org/fhir/us/udap-security/STU1/user.html) is not a
       required capability and is not assessed.
-      This test kit also does not assess client conformance.
     DESCRIPTION
-    suite_ids [:udap_security]
+    suite_ids [:udap_security, :udap_security_client]
     tags ['UDAP Security']
-    last_updated '2025-01-09'
+    last_updated LAST_UPDATED
     version VERSION
     maturity 'Low'
     authors 'inferno@groups.mitre.org'

data/lib/udap_security_test_kit/tags.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module UDAPSecurityTestKit
+  REGISTRATION_TAG = 'registration'
+  TOKEN_TAG = 'token'
+  UDAP_TAG = 'udap'
+  ACCESS_TAG = 'access'
+end

data/lib/udap_security_test_kit/urls.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module UDAPSecurityTestKit
+  FHIR_PATH = '/fhir'
+  RESUME_PASS_PATH = '/resume_pass'
+  RESUME_FAIL_PATH = '/resume_fail'
+  AUTH_SERVER_PATH = '/auth'
+  UDAP_DISCOVERY_PATH = "#{FHIR_PATH}/.well-known/udap".freeze
+  TOKEN_PATH = "#{AUTH_SERVER_PATH}/token".freeze
+  REGISTRATION_PATH = "#{AUTH_SERVER_PATH}/register".freeze
+
+  module URLs
+    def client_base_url
+      @client_base_url ||= "#{Inferno::Application['base_url']}/custom/#{client_suite_id}"
+    end
+
+    def client_fhir_base_url
+      @client_fhir_base_url ||= client_base_url + FHIR_PATH
+    end
+
+    def client_resume_pass_url
+      @client_resume_pass_url ||= client_base_url + RESUME_PASS_PATH
+    end
+
+    def client_resume_fail_url
+      @client_resume_fail_url ||= client_base_url + RESUME_FAIL_PATH
+    end
+
+    def client_udap_discovery_url
+      @client_udap_discovery_url ||= client_base_url + UDAP_DISCOVERY_PATH
+    end
+
+    def client_token_url
+      @client_token_url ||= client_base_url + TOKEN_PATH
+    end
+
+    def client_registration_url
+      @client_registration_url ||= client_base_url + REGISTRATION_PATH
+    end
+
+    def client_suite_id
+      UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
+    end
+  end
+end

data/lib/udap_security_test_kit/version.rb

@@ -1,3 +1,4 @@
 module UDAPSecurityTestKit
-  VERSION = '0.11.1'.freeze
+  VERSION = '0.11.3'.freeze
+  LAST_UPDATED = '2025-04-07'.freeze
 end