udap_security_test_kit 0.11.2 → 0.11.4

data/lib/udap_security_test_kit/endpoints/mock_udap_server.rb

@@ -0,0 +1,382 @@
+require 'jwt'
+require 'faraday'
+require 'time'
+require 'rack/utils'
+require_relative '../urls'
+require_relative '../tags'
+require_relative '../udap_jwt_builder'
+
+module UDAPSecurityTestKit
+  module MockUDAPServer
+    SUPPORTED_SCOPES = ['openid', 'system/*.read', 'user/*.read', 'patient/*.read'].freeze
+
+    module_function
+
+    def udap_server_metadata(suite_id)
+      base_url = "#{Inferno::Application['base_url']}/custom/#{suite_id}"
+      response_body = {
+        udap_versions_supported: ['1'],
+        udap_profiles_supported: ['udap_dcr', 'udap_authn', 'udap_authz'],
+        udap_authorization_extensions_supported: ['hl7-b2b'],
+        udap_authorization_extensions_required: [],
+        udap_certifications_supported: [],
+        udap_certifications_required: [],
+        grant_types_supported: ['authorization_code', 'client_credentials', 'refresh_token'],
+        scopes_supported: SUPPORTED_SCOPES,
+        registration_endpoint: base_url + REGISTRATION_PATH,
+        registration_endpoint_jwt_signing_alg_values_supported: ['RS256', 'RS384', 'ES384'],
+        authorization_endpoint: base_url + AUTHORIZATION_PATH,
+        token_endpoint: base_url + TOKEN_PATH,
+        token_endpoint_auth_methods_supported: ['private_key_jwt'],
+        token_endpoint_auth_signing_alg_values_supported: ['RS256', 'RS384', 'ES384'],
+        signed_metadata: udap_signed_metadata_jwt(base_url)
+      }.to_json
+
+      [200, { 'Content-Type' => 'application/json', 'Access-Control-Allow-Origin' => '*' }, [response_body]]
+    end
+
+    def openid_connect_metadata(suite_id)
+      base_url = "#{Inferno::Application['base_url']}/custom/#{suite_id}"
+      response_body = {
+        issuer: base_url + FHIR_PATH,
+        authorization_endpoint: base_url + AUTHORIZATION_PATH,
+        token_endpoint: base_url + TOKEN_PATH,
+        jwks_uri: base_url + OIDC_JWKS_PATH,
+        response_types_supported: ['code', 'id_token', 'token id_token'],
+        subject_types_supported: ['pairwise', 'public'],
+        id_token_signing_alg_values_supported: ['RS256']
+      }.to_json
+
+      [200, { 'Content-Type' => 'application/json', 'Access-Control-Allow-Origin' => '*' }, [response_body]]
+    end
+
+    def udap_signed_metadata_jwt(base_url)
+      jwt_claim_hash = {
+        iss: base_url + FHIR_PATH,
+        sub: base_url + FHIR_PATH,
+        exp: 5.minutes.from_now.to_i,
+        iat: Time.now.to_i,
+        jti: SecureRandom.hex(32),
+        token_endpoint: base_url + TOKEN_PATH,
+        authorization_endpoint: base_url + AUTHORIZATION_PATH,
+        registration_endpoint: base_url + REGISTRATION_PATH
+      }.compact
+
+      UDAPJWTBuilder.encode_jwt_with_x5c_header(
+        jwt_claim_hash,
+        test_kit_private_key,
+        'RS256',
+        [test_kit_cert]
+      )
+    end
+
+    def root_ca_cert
+      File.read(
+        ENV.fetch('UDAP_ROOT_CA_CERT_FILE',
+                  File.join(__dir__, '..',
+                            'certs', 'infernoCA.pem'))
+      )
+    end
+
+    def root_ca_private_key
+      File.read(
+        ENV.fetch('UDAP_CA_PRIVATE_KEY_FILE',
+                  File.join(__dir__, '..',
+                            'certs', 'infernoCA.key'))
+      )
+    end
+
+    def test_kit_cert
+      File.read(
+        ENV.fetch('UDAP_TEST_KIT_CERT_FILE',
+                  File.join(__dir__, '..',
+                            'certs', 'TestClient.pem'))
+      )
+    end
+
+    def test_kit_private_key
+      File.read(
+        ENV.fetch('UDAP_TEST_KIT_PRIVATE_KEY_FILE',
+                  File.join(__dir__, '..',
+                            'certs', 'TestClientPrivateKey.key'))
+      )
+    end
+
+    def parsed_request_body(request)
+      JSON.parse(request.request_body)
+    rescue JSON::ParserError
+      nil
+    end
+
+    def parsed_io_body(request)
+      parsed_body = begin
+        JSON.parse(request.body.read)
+      rescue JSON::ParserError
+        nil
+      end
+      request.body.rewind
+
+      parsed_body
+    end
+
+    def jwt_claims(encoded_jwt)
+      JWT.decode(encoded_jwt, nil, false)[0]
+    end
+
+    def udap_client_uri_from_registration_payload(reg_body)
+      udap_claim_from_registration_payload(reg_body, 'iss')
+    end
+
+    def udap_claim_from_registration_payload(reg_body, claim_key)
+      software_statement_jwt = udap_software_statement_jwt(reg_body)
+      return unless software_statement_jwt.present?
+
+      jwt_claims(software_statement_jwt)&.dig(claim_key)
+    end
+
+    def udap_software_statement_jwt(reg_body)
+      reg_body&.dig('software_statement')
+    end
+
+    def client_uri_to_client_id(client_uri)
+      Base64.urlsafe_encode64(client_uri, padding: false)
+    end
+
+    def client_id_to_client_uri(client_id)
+      Base64.urlsafe_decode64(client_id)
+    end
+
+    def client_id_to_token(client_id, exp_min)
+      token_structure = {
+        client_id:,
+        expiration: exp_min.minutes.from_now.to_i,
+        nonce: SecureRandom.hex(8)
+      }.to_json
+
+      Base64.urlsafe_encode64(token_structure, padding: false)
+    end
+
+    def decode_token(token)
+      token_to_decode =
+        if issued_token_is_refresh_token(token)
+          refresh_token_to_authorization_code(token)
+        else
+          token
+        end
+      return unless token_to_decode.present?
+
+      JSON.parse(Base64.urlsafe_decode64(token))
+    rescue JSON::ParserError
+      nil
+    end
+
+    def issued_token_to_client_id(token)
+      decode_token(token)&.dig('client_id')
+    end
+
+    def issued_token_is_refresh_token(token)
+      token.end_with?('_rt')
+    end
+
+    def authorization_code_to_refresh_token(code)
+      "#{code}_rt"
+    end
+
+    def refresh_token_to_authorization_code(refresh_token)
+      refresh_token[..-4]
+    end
+
+    def request_has_expired_token?(request)
+      return false if request.params[:session_path].present?
+
+      token = request.headers['authorization']&.delete_prefix('Bearer ')
+      token_expired?(token)
+    end
+
+    def token_expired?(token, check_time = nil)
+      decoded_token = decode_token(token)
+      return false unless decoded_token&.dig('expiration').present?
+
+      check_time = Time.now.to_i unless check_time.present?
+      decoded_token['expiration'] < check_time
+    end
+
+    def update_response_for_expired_token(response, type)
+      response.status = 401
+      response.format = :json
+      response.body = FHIR::OperationOutcome.new(
+        issue: FHIR::OperationOutcome::Issue.new(severity: 'fatal', code: 'expired',
+                                                 details: FHIR::CodeableConcept.new(text: "#{type}has expired"))
+      ).to_json
+    end
+
+    def udap_reg_signature_verification(assertion_jwt)
+      assertion_body, assertion_header = JWT.decode(assertion_jwt, nil, false)
+      return 'missing `x5c` header' if assertion_header['x5c'].blank?
+
+      leaf_cert_der = Base64.decode64(assertion_header['x5c'].first)
+      leaf_cert = OpenSSL::X509::Certificate.new(leaf_cert_der)
+
+      signature_error = udap_assertion_signature_verification(assertion_jwt, leaf_cert, assertion_header['alg'])
+      return signature_error if signature_error.present?
+
+      # check the certificate's SAN extension for the issuer name
+      issuer = assertion_body['iss']
+      begin
+        alt_names =
+          leaf_cert.extensions
+            .find { |extension| extension.oid == 'subjectAltName' }.value
+      rescue NoMethodError
+        return 'Could not find Subject Alternative Name extension in leaf certificate'
+      end
+      return if alt_names.include?("URI:#{issuer}")
+
+      "`iss` claim `#{issuer}` not found in Subject Alternative Name extension " \
+        "from the `x5c` JWT header: `#{alt_names}`"
+    end
+
+    def udap_token_signature_verification(assertion_jwt, registration_jwt)
+      _assertion_body, assertion_header = JWT.decode(assertion_jwt, nil, false)
+      return 'missing `x5c` header' if assertion_header['x5c'].blank?
+
+      leaf_cert_der = Base64.decode64(assertion_header['x5c'].first)
+      leaf_cert = OpenSSL::X509::Certificate.new(leaf_cert_der)
+
+      signature_error = udap_assertion_signature_verification(assertion_jwt, leaf_cert, assertion_header['alg'])
+      return signature_error if signature_error.present?
+      return unless registration_jwt.present?
+
+      # check trust
+      _registration_body, registration_header = JWT.decode(registration_jwt, nil, false)
+      return if assertion_header['x5c'].first == registration_header['x5c'].first
+
+      'signing cert does not match registration cert'
+    end
+
+    def udap_assertion_signature_verification(assertion_jwt, signing_cert, algorithm)
+      return 'missing `alg` header' unless algorithm.present?
+
+      signature_validation_result = UDAPSecurityTestKit::UDAPJWTValidator.validate_signature(
+        assertion_jwt,
+        algorithm,
+        signing_cert
+      )
+      return if signature_validation_result[:success]
+
+      signature_validation_result[:error_message]
+    end
+
+    def udap_registration_software_statement(test_session_id)
+      registration_requests =
+        Inferno::Repositories::Requests.new.tagged_requests(test_session_id, [UDAP_TAG, REGISTRATION_TAG])
+      return unless registration_requests.present?
+
+      parsed_body = MockUDAPServer.parsed_request_body(registration_requests.last)
+      parsed_body&.dig('software_statement')
+    end
+
+    def update_response_for_error(response, error_message)
+      response.status = 401
+      response.format = :json
+      response.body = { error: 'invalid_client', error_description: error_message }.to_json
+    end
+
+    def client_id_from_client_assertion(client_assertion_jwt)
+      return unless client_assertion_jwt.present?
+
+      jwt_claims(client_assertion_jwt)&.dig('iss')
+    end
+
+    def check_jwt_timing(issue_claim, expiration_claim, request_time) # rubocop:disable Metrics/CyclomaticComplexity
+      add_message('error', 'Registration software statement `iat` claim is missing') unless issue_claim.present?
+      add_message('error', 'Registration software statement `exp` claim is missing') unless expiration_claim.present?
+      return unless issue_claim.present? && expiration_claim.present?
+
+      unless issue_claim.is_a?(Numeric)
+        add_message('error',
+                    "Registration software statement `iat` claim is invalid: expected a number, got '#{issue_claim}'")
+      end
+      unless expiration_claim.is_a?(Numeric)
+        add_message('error',
+                    'Registration software statement `exp` claim is invalid: ' \
+                    "expected a number, got '#{expiration_claim}'")
+      end
+      return unless issue_claim.is_a?(Numeric) && expiration_claim.is_a?(Numeric)
+
+      issue_time = Time.at(issue_claim)
+      expiration_time = Time.at(expiration_claim)
+      unless expiration_time > issue_time
+        add_message('error',
+                    'Registration software statement `exp` claim is invalid: ' \
+                    'cannot be before the `iat` claim.')
+      end
+      unless expiration_time <= issue_time + 5.minutes
+        add_message('error',
+                    'Registration software statement `exp` claim is invalid: ' \
+                    'cannot be more than 5 minutes after the `iat` claim.')
+      end
+      unless issue_time <= request_time
+        add_message('error',
+                    'Registration software statement `iat` claim is invalid: ' \
+                    'cannot be after the request time.')
+      end
+      unless expiration_time > request_time
+        add_message('error',
+                    'Registration software statement `exp` claim is invalid: ' \
+                    'it has expired.')
+      end
+
+      nil
+    end
+
+    def pkce_error(verifier, challenge, method)
+      if verifier.blank?
+        'pkce check failed: no verifier provided'
+      elsif challenge.blank?
+        'pkce check failed: no challenge code provided'
+      elsif method == 'S256'
+        return nil unless challenge != calculate_s256_challenge(verifier)
+
+        "invalid S256 pkce verifier: got '#{calculate_s256_challenge(verifier)}' " \
+          "expected '#{challenge}'"
+      else
+        "invalid pkce challenge method '#{method}'"
+      end
+    end
+
+    def pkce_valid?(verifier, challenge, method, response)
+      pkce_error = pkce_error(verifier, challenge, method)
+
+      if pkce_error.present?
+        update_response_for_error(response, pkce_error)
+        false
+      else
+        true
+      end
+    end
+
+    def calculate_s256_challenge(verifier)
+      Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
+    end
+
+    def authorization_request_for_code(code, test_session_id)
+      authorization_requests = Inferno::Repositories::Requests.new.tagged_requests(test_session_id, [AUTHORIZATION_TAG])
+      authorization_requests.find do |request|
+        location_header = request.response_headers.find { |header| header.name.downcase == 'location' }
+        if location_header.present? && location_header.value.present?
+          Rack::Utils.parse_query(URI(location_header.value)&.query)&.dig('code') == code
+        else
+          false
+        end
+      end
+    end
+
+    def authorization_code_request_details(inferno_request)
+      if inferno_request.verb.downcase == 'get'
+        Rack::Utils.parse_query(URI(inferno_request.url)&.query)
+      elsif inferno_request.verb.downcase == 'post'
+        Rack::Utils.parse_query(inferno_request.request_body)
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/metadata.rb

@@ -5,23 +5,23 @@ module UDAPSecurityTestKit
     id :udap_security
     title 'UDAP Security Test Kit'
     description <<~DESCRIPTION
-      This is a collection of tests to verify server conformance to the [HL7 UDAP Security
+      This is a collection of tests to verify client and server conformance to the [HL7 UDAP Security
       STU 1.0 IG](https://hl7.org/fhir/us/udap-security/STU1/index.html)
       <!-- break -->
       Specifically, this test
-      kit assesses the required capabilities from the following sections:
+      kit assesses the required capabilities for clients and servers from the following sections:
       - [JSON Web Token (JWT) Requirements](https://hl7.org/fhir/us/udap-security/STU1/index.html)
       - [Discovery](https://hl7.org/fhir/us/udap-security/STU1/discovery.html)
       - [Dynamic Client Registration](https://hl7.org/fhir/us/udap-security/STU1/registration.html)
       - [Consumer-Facing Authorization & Authentication](https://hl7.org/fhir/us/udap-security/STU1/consumer.html)
+        (server only)
       - [Business-to-Business (B2B) Authorization & Authentication](https://hl7.org/fhir/us/udap-security/STU1/b2b.html)
 
       [Tiered OAuth for User
       Authentication](https://hl7.org/fhir/us/udap-security/STU1/user.html) is not a
       required capability and is not assessed.
-      This test kit also does not assess client conformance.
     DESCRIPTION
-    suite_ids [:udap_security]
+    suite_ids [:udap_security, :udap_security_client]
     tags ['UDAP Security']
     last_updated LAST_UPDATED
     version VERSION

data/lib/udap_security_test_kit/tags.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module UDAPSecurityTestKit
+  REGISTRATION_TAG = 'registration'
+  AUTHORIZATION_TAG = 'authorization'
+  TOKEN_TAG = 'token'
+  UDAP_TAG = 'udap'
+  ACCESS_TAG = 'access'
+  CLIENT_CREDENTIALS_TAG = 'client_credentials'
+  AUTHORIZATION_CODE_TAG = 'authorization_code'
+  REFRESH_TOKEN_TAG = 'refresh_token'
+end

data/lib/udap_security_test_kit/urls.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module UDAPSecurityTestKit
+  FHIR_PATH = '/fhir'
+  OIDC_DISCOVERY_PATH = "#{FHIR_PATH}/.well-known/openid-configuration".freeze
+  OIDC_JWKS_PATH = "#{FHIR_PATH}/.well-known/jwks.json".freeze
+  UDAP_DISCOVERY_PATH = "#{FHIR_PATH}/.well-known/udap".freeze
+  AUTH_SERVER_PATH = '/auth'
+  REGISTRATION_PATH = "#{AUTH_SERVER_PATH}/register".freeze
+  AUTHORIZATION_PATH = "#{AUTH_SERVER_PATH}/authorization".freeze
+  TOKEN_PATH = "#{AUTH_SERVER_PATH}/token".freeze
+  RESUME_PASS_PATH = '/resume_pass'
+  RESUME_FAIL_PATH = '/resume_fail'
+
+  module URLs
+    def client_base_url
+      @client_base_url ||= "#{Inferno::Application['base_url']}/custom/#{client_suite_id}"
+    end
+
+    def client_fhir_base_url
+      @client_fhir_base_url ||= client_base_url + FHIR_PATH
+    end
+
+    def client_resume_pass_url
+      @client_resume_pass_url ||= client_base_url + RESUME_PASS_PATH
+    end
+
+    def client_resume_fail_url
+      @client_resume_fail_url ||= client_base_url + RESUME_FAIL_PATH
+    end
+
+    def client_udap_discovery_url
+      @client_udap_discovery_url ||= client_base_url + UDAP_DISCOVERY_PATH
+    end
+
+    def client_registration_url
+      @client_registration_url ||= client_base_url + REGISTRATION_PATH
+    end
+
+    def client_authorization_url
+      @client_authorization_url ||= client_base_url + AUTHORIZATION_PATH
+    end
+
+    def client_token_url
+      @client_token_url ||= client_base_url + TOKEN_PATH
+    end
+
+    def client_suite_id
+      UDAPSecurityTestKit::UDAPSecurityClientTestSuite.id
+    end
+  end
+end

data/lib/udap_security_test_kit/version.rb

@@ -1,4 +1,4 @@
 module UDAPSecurityTestKit
-  VERSION = '0.11.2'.freeze
-  LAST_UPDATED = '2025-03-11'.freeze
+  VERSION = '0.11.4'.freeze
+  LAST_UPDATED = '2025-05-02'.freeze
 end

data/lib/udap_security_test_kit.rb

@@ -1,3 +1,4 @@
+require_relative 'udap_security_test_kit/client_suite'
 require_relative 'udap_security_test_kit/authorization_code_group'
 require_relative 'udap_security_test_kit/client_credentials_group'
 require_relative 'udap_security_test_kit/redirect_uri'
@@ -6,7 +7,7 @@ require_relative 'udap_security_test_kit/metadata'
 module UDAPSecurityTestKit
   class Suite < Inferno::TestSuite
     id :udap_security
-    title 'UDAP Security'
+    title 'UDAP Security Server'
     description %(
       The User Data Access Protocol (UDAP) Security test kit verifies that systems correctly implement the
       [HL7 UDAP Security IG](http://hl7.org/fhir/us/udap-security/STU1/)
@@ -28,7 +29,7 @@ module UDAPSecurityTestKit
       Testers may test one or both flows based on their system under test.
 
       This test suite does NOT assess [Tiered OAuth for User Authentication](https://hl7.org/fhir/us/udap-security/STU1/user.html)
-      (which is not a required capability) or client conformance to the HL7 UDAP IG.
+      (which is not a required capability).
     )
 
     input_instructions %(
@@ -74,6 +75,11 @@ module UDAPSecurityTestKit
         type: 'download',
         label: 'Download',
         url: 'https://github.com/inferno-framework/udap-security-test-kit/releases/'
+      },
+      {
+        type: 'ig',
+        label: 'Implementation Guide',
+        url: 'https://hl7.org/fhir/us/udap-security/STU1/'
       }
     ]
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: udap_security_test_kit
 version: !ruby/object:Gem::Version
-  version: 0.11.2
+  version: 0.11.4
 platform: ruby
 authors:
 - Stephen MacVicar
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-03-11 00:00:00.000000000 Z
+date: 2025-05-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inferno_core
@@ -48,6 +48,8 @@ extra_rdoc_files: []
 files:
 - LICENSE
 - config/presets/SureFhirIdentityMatchingDemo.json
+- config/presets/UDAP_RunClientAgainstServer.json.erb
+- config/presets/UDAP_RunServerAgainstClient.json.erb
 - lib/udap_security_test_kit.rb
 - lib/udap_security_test_kit/authorization_code_authentication_group.rb
 - lib/udap_security_test_kit/authorization_code_group.rb
@@ -62,10 +64,40 @@ files:
 - lib/udap_security_test_kit/client_credentials_authentication_group.rb
 - lib/udap_security_test_kit/client_credentials_group.rb
 - lib/udap_security_test_kit/client_credentials_token_exchange_test.rb
+- lib/udap_security_test_kit/client_suite.rb
+- lib/udap_security_test_kit/client_suite/access_ac_group.rb
+- lib/udap_security_test_kit/client_suite/access_ac_interaction_test.rb
+- lib/udap_security_test_kit/client_suite/access_cc_group.rb
+- lib/udap_security_test_kit/client_suite/access_cc_interaction_test.rb
+- lib/udap_security_test_kit/client_suite/authorization_request_verification_test.rb
+- lib/udap_security_test_kit/client_suite/client_descriptions.rb
+- lib/udap_security_test_kit/client_suite/client_options.rb
+- lib/udap_security_test_kit/client_suite/oidc_jwks.json
+- lib/udap_security_test_kit/client_suite/oidc_jwks.rb
+- lib/udap_security_test_kit/client_suite/registration_ac_group.rb
+- lib/udap_security_test_kit/client_suite/registration_ac_verification_test.rb
+- lib/udap_security_test_kit/client_suite/registration_cc_group.rb
+- lib/udap_security_test_kit/client_suite/registration_cc_verification_test.rb
+- lib/udap_security_test_kit/client_suite/registration_interaction_test.rb
+- lib/udap_security_test_kit/client_suite/registration_request_verification.rb
+- lib/udap_security_test_kit/client_suite/token_request_ac_verification_test.rb
+- lib/udap_security_test_kit/client_suite/token_request_cc_verification_test.rb
+- lib/udap_security_test_kit/client_suite/token_request_verification.rb
+- lib/udap_security_test_kit/client_suite/token_use_verification_test.rb
 - lib/udap_security_test_kit/common_assertions.rb
 - lib/udap_security_test_kit/default_cert_file_loader.rb
 - lib/udap_security_test_kit/discovery_group.rb
+- lib/udap_security_test_kit/docs/demo/FHIR Request.postman_collection.json
+- lib/udap_security_test_kit/docs/udap_client_suite_description.md
 - lib/udap_security_test_kit/dynamic_client_registration_group.rb
+- lib/udap_security_test_kit/endpoints/echoing_fhir_responder_endpoint.rb
+- lib/udap_security_test_kit/endpoints/mock_udap_server.rb
+- lib/udap_security_test_kit/endpoints/mock_udap_server/authorization_endpoint.rb
+- lib/udap_security_test_kit/endpoints/mock_udap_server/registration_endpoint.rb
+- lib/udap_security_test_kit/endpoints/mock_udap_server/token_endpoint.rb
+- lib/udap_security_test_kit/endpoints/mock_udap_server/udap_authorization_response_creation.rb
+- lib/udap_security_test_kit/endpoints/mock_udap_server/udap_registration_response_creation.rb
+- lib/udap_security_test_kit/endpoints/mock_udap_server/udap_token_response_creation.rb
 - lib/udap_security_test_kit/grant_types_supported_field_test.rb
 - lib/udap_security_test_kit/igs/put_ig_package_dot_tgz_here
 - lib/udap_security_test_kit/metadata.rb
@@ -81,6 +113,7 @@ files:
 - lib/udap_security_test_kit/signed_metadata_field_test.rb
 - lib/udap_security_test_kit/signed_metadata_trust_verification_test.rb
 - lib/udap_security_test_kit/software_statement_builder.rb
+- lib/udap_security_test_kit/tags.rb
 - lib/udap_security_test_kit/token_endpoint_auth_methods_supported_field_test.rb
 - lib/udap_security_test_kit/token_endpoint_auth_signing_alg_values_supported_field_test.rb
 - lib/udap_security_test_kit/token_endpoint_field_test.rb
@@ -97,6 +130,7 @@ files:
 - lib/udap_security_test_kit/udap_request_builder.rb
 - lib/udap_security_test_kit/udap_versions_supported_field_test.rb
 - lib/udap_security_test_kit/udap_x509_certificate.rb
+- lib/udap_security_test_kit/urls.rb
 - lib/udap_security_test_kit/version.rb
 - lib/udap_security_test_kit/well_known_endpoint_test.rb
 homepage: https://github.com/inferno-framework/udap-security-test-kit