udap_security_test_kit 0.11.5 → 0.11.6
- checksums.yaml +4 -4
- data/lib/udap_security_test_kit/authorization_code_received_test.rb +8 -0
- data/lib/udap_security_test_kit/authorization_code_redirect_test.rb +3 -0
- data/lib/udap_security_test_kit/authorization_code_token_exchange_test.rb +2 -0
- data/lib/udap_security_test_kit/authorization_endpoint_field_test.rb +5 -1
- data/lib/udap_security_test_kit/client_suite/access_ac_group.rb +2 -0
- data/lib/udap_security_test_kit/client_suite/authorization_request_verification_test.rb +5 -0
- data/lib/udap_security_test_kit/client_suite/registration_ac_verification_test.rb +34 -0
- data/lib/udap_security_test_kit/client_suite/registration_cc_verification_test.rb +30 -0
- data/lib/udap_security_test_kit/client_suite/token_request_ac_verification_test.rb +47 -0
- data/lib/udap_security_test_kit/client_suite/token_request_cc_verification_test.rb +25 -0
- data/lib/udap_security_test_kit/client_suite.rb +8 -0
- data/lib/udap_security_test_kit/discovery_group.rb +2 -0
- data/lib/udap_security_test_kit/dynamic_client_registration_group.rb +3 -0
- data/lib/udap_security_test_kit/endpoints/mock_udap_server.rb +2 -2
- data/lib/udap_security_test_kit/grant_types_supported_field_test.rb +3 -0
- data/lib/udap_security_test_kit/reg_endpoint_jwt_signing_alg_values_supported_field_test.rb +6 -0
- data/lib/udap_security_test_kit/registration_endpoint_field_test.rb +3 -0
- data/lib/udap_security_test_kit/registration_failure_invalid_contents_test.rb +3 -0
- data/lib/udap_security_test_kit/registration_failure_invalid_jwt_signature_test.rb +2 -0
- data/lib/udap_security_test_kit/registration_success_contents_test.rb +3 -0
- data/lib/udap_security_test_kit/registration_success_test.rb +3 -0
- data/lib/udap_security_test_kit/requirements/generated/udap_security_client_requirements_coverage.csv +146 -0
- data/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv +164 -0
- data/lib/udap_security_test_kit/requirements/hl7.fhir.us.udap-security_1.0.0_reqs.xlsx +0 -0
- data/lib/udap_security_test_kit/requirements/udap_security_test_kit_requirements.csv +308 -0
- data/lib/udap_security_test_kit/signed_metadata_contents_test.rb +17 -0
- data/lib/udap_security_test_kit/signed_metadata_field_test.rb +4 -1
- data/lib/udap_security_test_kit/token_endpoint_auth_methods_supported_field_test.rb +2 -0
- data/lib/udap_security_test_kit/token_endpoint_auth_signing_alg_values_supported_field_test.rb +5 -0
- data/lib/udap_security_test_kit/token_endpoint_field_test.rb +3 -0
- data/lib/udap_security_test_kit/udap_auth_extensions_required_field_test.rb +3 -0
- data/lib/udap_security_test_kit/udap_auth_extensions_supported_field_test.rb +3 -0
- data/lib/udap_security_test_kit/udap_certifications_required_field_test.rb +3 -0
- data/lib/udap_security_test_kit/udap_certifications_supported_field_test.rb +2 -0
- data/lib/udap_security_test_kit/udap_profiles_supported_field_test.rb +5 -0
- data/lib/udap_security_test_kit/udap_versions_supported_field_test.rb +2 -0
- data/lib/udap_security_test_kit/version.rb +2 -2
- data/lib/udap_security_test_kit/well_known_endpoint_test.rb +4 -0
- data/lib/udap_security_test_kit.rb +8 -0
- metadata +8 -4
@@ -0,0 +1,146 @@
|
|
1
|
+
Req Set,ID,URL,Requirement,Conformance,Actors,Conditionality,Not Tested Reason,Not Tested Details,UDAP Security Client Short ID(s),UDAP Security Client Full ID(s)
|
2
|
+
hl7.fhir.us.udap-security_1.0.0,1,https://hl7.org/fhir/us/udap-security/STU1/#general-requirements-and-serialization,All JSON Web Tokens (JWTs) defined in this [UDAP] guide: SHALL conform to the mandatory requirements of [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519).,SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
|
3
|
+
hl7.fhir.us.udap-security_1.0.0,2,https://hl7.org/fhir/us/udap-security/STU1/#general-requirements-and-serialization,All JSON Web Tokens (JWTs) defined in this [UDAP] guide: ... SHALL be JSON Web Signatures conforming to the mandatory requirements of [RFC 7515](https://datatracker.ietf.org/doc/html/rfc7515).,SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
|
4
|
+
hl7.fhir.us.udap-security_1.0.0,3,https://hl7.org/fhir/us/udap-security/STU1/#general-requirements-and-serialization,All JSON Web Tokens (JWTs) defined in this [UDAP] guide: ... SHALL be serialized using JWS Compact Serialization as per [Section 7.1](https://datatracker.ietf.org/doc/html/rfc7515#section-7.1) of RFC 7515.,SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
|
5
|
+
hl7.fhir.us.udap-security_1.0.0,4,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,Implementations supporting the UDAP workflows defined in this guide **SHALL** support `RS256` [as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)].,SHALL,"Server,Client",,,,"",""
|
6
|
+
hl7.fhir.us.udap-security_1.0.0,5,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,Implementations **SHOULD** support `ES256`[as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)],SHOULD,"Server,Client",,,,"",""
|
7
|
+
hl7.fhir.us.udap-security_1.0.0,6,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,[Implementations] **MAY** support `ES384` and/or `RS384` [as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)].,MAY,"Server,Client",,,,"",""
|
8
|
+
hl7.fhir.us.udap-security_1.0.0,7,https://hl7.org/fhir/us/udap-security/STU1/#jwt-headers,All JWTs defined in this [UDAP] guide SHALL contain a Javascript Object Signing and Encryption (JOSE) header as defined in [Section 4](https://datatracker.ietf.org/doc/html/rfc7515#section-4) of RFC 7515 [where] JWT header value`alg` [is] `required`A string identifying the signature algorithm used to sign the JWT,SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
|
9
|
+
hl7.fhir.us.udap-security_1.0.0,8,https://hl7.org/fhir/us/udap-security/STU1/#jwt-headers,"All JWTs defined in this [UDAP] guide SHALL contain a Javascript Object Signing and Encryption (JOSE) header as defined in [Section 4](https://datatracker.ietf.org/doc/html/rfc7515#section-4) of RFC 7515 [where] JWT header value `x5c`[is] `required`. An array of one or more strings containing the X.509 certificate or certificate chain, where the leaf certificate corresponds to the key used to digitally sign the JWT. Each string in the array is the base64-encoded DER representation of the corresponding certificate, with the leaf certificate appearing as the first (or only) element of the array.",SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
|
10
|
+
hl7.fhir.us.udap-security_1.0.0,16,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,"If a server returns a `404 Not Found` response to a `GET` request to the UDAP metadata endpoint, the client application SHOULD conclude that the server does not support UDAP workflows.",SHOULD,Client,,,,"",""
|
11
|
+
hl7.fhir.us.udap-security_1.0.0,20,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"For elements that are represented by JSON arrays, clients SHALL interpret an empty array value to mean that the corresponding capability is NOT supported by the server.",SHALL,Client,,,,"",""
|
12
|
+
hl7.fhir.us.udap-security_1.0.0,21,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[F]or the workflows defined in this guide, client applications SHALL use the applicable values returned in a server’s UDAP metadata.",SHALL,Client,,,,"",""
|
13
|
+
hl7.fhir.us.udap-security_1.0.0,60,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,[A] client application MAY add the optional query parameter `community` to the metadata request URL described in [Section 2.1](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints) to indicate that it trusts certificates issued by the community identified by the parameter value.,MAY,Client,,,,"",""
|
14
|
+
hl7.fhir.us.udap-security_1.0.0,61,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,[when a client adds the query parameter `community`] The value of the parameter SHALL be a URI as determined by the trust community for this purpose.,SHALL,Client,,,,"",""
|
15
|
+
hl7.fhir.us.udap-security_1.0.0,66,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,"Before FHIR data requests can be made, Client application operators SHALL register each of their applications with the Authorization Servers identified by the FHIR servers with which they wish to exchange data.",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
16
|
+
hl7.fhir.us.udap-security_1.0.0,67,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,Client applications SHALL use the client_id assigned by an Authorization Server in subsequent authorization and token requests to that server.,SHALL,Client,,,,"3.02, 3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
|
17
|
+
hl7.fhir.us.udap-security_1.0.0,69,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,Confidential clients that can secure a secret MAY use this dynamic client registration protocol as discussed further below to obtain a `client_id`,MAY,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
|
18
|
+
hl7.fhir.us.udap-security_1.0.0,70,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,Other [non-Confidential] client types SHOULD follow the manual registration processes for each Authorization Server.,SHOULD,Client,,,,"",""
|
19
|
+
hl7.fhir.us.udap-security_1.0.0,71,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,"To register dynamically, the client application first [SHALL] construct ... a software statement as per [section 2](https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-2) of UDAP Dynamic Client Registration.",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
20
|
+
hl7.fhir.us.udap-security_1.0.0,72,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The software statement [sent during dynamic registration] SHALL contain the required header elements specified in [Section 1.2.3](https://hl7.org/fhir/us/udap-security/STU1/index.html#jwt-headers) of this guide,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
21
|
+
hl7.fhir.us.udap-security_1.0.0,73,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The software statement [sent during dynamic registration] SHALL be signed by the client application operator using the signature algorithm identified in the `alg` header of the software statement,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
22
|
+
hl7.fhir.us.udap-security_1.0.0,74,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The software statement [sent during dynamic registration] SHALL be signed by the client application operator using ... the private key that corresponds to the public key listed in the client’s X.509 certificate identified in the`x5c` header of the software statement.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
23
|
+
hl7.fhir.us.udap-security_1.0.0,75,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `iss` [is] `required` [and] SHALL match the value of a uniformResourceIdentifier entry in the Subject Alternative Name extension of the client's certificate included in the `x5c` JWT header,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
24
|
+
hl7.fhir.us.udap-security_1.0.0,76,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `sub` [is] `required`[and is the s]ame as `iss`.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
25
|
+
hl7.fhir.us.udap-security_1.0.0,77,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `aud` [is] `required`[and is the] Authorization Server's ""registration URL""",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
26
|
+
hl7.fhir.us.udap-security_1.0.0,78,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `exp` [is] `required`[and is the] Expiration time integer for this software statement, expressed in seconds since the ""Epoch"" (1970-01-01T00:00:00Z UTC). The exp time SHALL be no more than 5 minutes after the value of the iat claim.",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
27
|
+
hl7.fhir.us.udap-security_1.0.0,79,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `exp`... SHALL be no more than 5 minutes after the value of the `iat` claim.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
28
|
+
hl7.fhir.us.udap-security_1.0.0,80,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `iat` [is] `required`[and is the] Issued time integer for this software statement, expressed in seconds since the ""Epoch""",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
29
|
+
hl7.fhir.us.udap-security_1.0.0,81,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `jti` [is] `required`[and is a] nonce string value that uniquely identifies this software statement.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
30
|
+
hl7.fhir.us.udap-security_1.0.0,82,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `jti` SHALL NOT be reused by the client app in another software statement or authentication JWT before the time specified in the `exp` claim has passed,SHALL,Client,,,,"",""
|
31
|
+
hl7.fhir.us.udap-security_1.0.0,83,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `client_name` [is] `required`[and is a] string containing the human readable name of the client application,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
32
|
+
hl7.fhir.us.udap-security_1.0.0,84,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `redirect_uris` … SHALL be present if grant_types includes `authorization_code`,SHALL,Client,,,,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
|
33
|
+
hl7.fhir.us.udap-security_1.0.0,85,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `redirect_uris` … SHALL be absent [if the `grant_types` claim does not include `authorization_code`].,SHALL,Client,,,,2.02,udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification
|
34
|
+
hl7.fhir.us.udap-security_1.0.0,86,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `contacts` [is] `required`[and is the ] array of URI strings indicating how the data holder can contact the app operator regarding the application.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
35
|
+
hl7.fhir.us.udap-security_1.0.0,87,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `contacts` … SHALL contain at least one valid email address using the mailto scheme,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
36
|
+
hl7.fhir.us.udap-security_1.0.0,88,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration and populating t]he JWT claim `logo_uri`... If `grant_types` includes ""authorization_code"", client applications SHALL include this field",SHALL,Client,,,,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
|
37
|
+
hl7.fhir.us.udap-security_1.0.0,90,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration and populating t]he JWT claim `logo_uri` … [t]he URL SHALL use the https scheme,SHALL,Client,,,,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
|
38
|
+
hl7.fhir.us.udap-security_1.0.0,91,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration and populating t]he JWT claim `logo_uri` … [t]he URL SHALL ... reference a PNG, JPG, or GIF image file, e.g. ""https://myapp.example.com/MyApp.png""",SHALL,Client,,,,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
|
39
|
+
hl7.fhir.us.udap-security_1.0.0,92,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `grant_types` [is] `required`[and SHALL include either ""authorization_code"" or ""client_credentials"" but not both. The value ""refresh_token"" SHALL NOT be present in the array unless ""authorization_code"" is also present.",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
40
|
+
hl7.fhir.us.udap-security_1.0.0,93,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `response_types` [SHALL be present i]f `grant_types` contains ""authorization_code""",SHALL,Client,,,,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
|
41
|
+
hl7.fhir.us.udap-security_1.0.0,94,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `response_types` ... SHALL have a fixed value of `[""code""]` [when populated].",SHALL,Client,,,,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
|
42
|
+
hl7.fhir.us.udap-security_1.0.0,95,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `response_types` [i]f `grant_types` [does not] contain ""authorization_code"", then this element ... SHALL be omitted.",SHALL,Client,,,,2.02,udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification
|
43
|
+
hl7.fhir.us.udap-security_1.0.0,96,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `token_endpoint_auth_method` [is] `required` [and SHALL contain] Fixed string value: ""private_key_jwt""",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
44
|
+
hl7.fhir.us.udap-security_1.0.0,97,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `scope` [is] `required` [and SHALL contain] a space delimited list of scopes requested by the client application for use in subsequent requests.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
45
|
+
hl7.fhir.us.udap-security_1.0.0,99,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration] for client apps that also support the SMART App Launch framework: apps requesting the ""client_credentials"" grant type SHOULD request system scopes;",SHOULD,Client,,,,"",""
|
46
|
+
hl7.fhir.us.udap-security_1.0.0,100,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration] for client apps that also support the SMART App Launch framework: ... apps requesting the ""authorization_code"" grant type SHOULD request user or patient scopes.",SHOULD,Client,,,,"",""
|
47
|
+
hl7.fhir.us.udap-security_1.0.0,101,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The unique client URI used for the iss claim SHALL match the uriName entry in the Subject Alternative Name extension of the client app operator’s X.509 certificate,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
48
|
+
hl7.fhir.us.udap-security_1.0.0,102,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The unique client URI used for the iss claim SHALL ... uniquely identify a single client app operator and application over time.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
49
|
+
hl7.fhir.us.udap-security_1.0.0,103,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"The software statement is intended for one-time use with a single OAuth 2.0 server. As such, the `aud` claim SHALL list the URL of the OAuth Server’s registration endpoint",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
50
|
+
hl7.fhir.us.udap-security_1.0.0,104,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"The software statement is intended for one-time use with a single OAuth 2.0 server. As such, … the lifetime of the software statement (`exp` minus `iat`) SHALL be 5 minutes.",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
|
51
|
+
hl7.fhir.us.udap-security_1.0.0,123,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,A client application SHALL interpret a registration response that contains an empty `grant_types`array as a confirmation that the registration for the `client_id` listed in the response has been cancelled by the Authorization Server.,SHALL,Client,,,,"",""
|
52
|
+
hl7.fhir.us.udap-security_1.0.0,126,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#consumer-facing,"Consumer-facing client applications SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 authorization code grant flow,",SHALL,Client,,,,3,udap_security_client-udap_client_access_ac
|
53
|
+
hl7.fhir.us.udap-security_1.0.0,127,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,"Client applications SHALL request an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) of RFC 6749,",SHALL,Client,,,,3.02,udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification
|
54
|
+
hl7.fhir.us.udap-security_1.0.0,128,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1,"[When] The client constructs the request URI … the … parameter.. `response_type` [is] `required`[and the] value MUST be set to ""code""",SHALL,Client,,,,3.02,udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification
|
55
|
+
hl7.fhir.us.udap-security_1.0.0,129,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1,[When] The client constructs the request URI … the … parameter.. `client_id` [is] `required`… [and is t]he client identifier as described in [Section 2.2](https://datatracker.ietf.org/doc/html/rfc6749#section-2.2).,SHALL,Client,,,,3.02,udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification
|
56
|
+
hl7.fhir.us.udap-security_1.0.0,130,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,Client applications that also support the SMART App Launch IG are NOT REQUIRED to include a launch scope or launch context requirement scope.,MAY,Client,,,,"",""
|
57
|
+
hl7.fhir.us.udap-security_1.0.0,132,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,[S]ervers MAY optionally support UDAP Tiered OAuth for User Authentication to allow for cross-organizational or third party user authentication as described in [Section 6](https://hl7.org/fhir/us/udap-security/STU1/user.html).,MAY,Client,,,,"",""
|
58
|
+
hl7.fhir.us.udap-security_1.0.0,136,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,If the resource owner grants the access request… The client MUST NOT use the authorization code more than once.,SHALL,Client,,,,"",""
|
59
|
+
hl7.fhir.us.udap-security_1.0.0,139,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When receiveing an response to an authorization request t]he client MUST ignore unrecognized response parameters.,SHALL,Client,,,,"",""
|
60
|
+
hl7.fhir.us.udap-security_1.0.0,140,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-access-token,"Client applications SHALL exchange authorization codes for access tokens as per [Section 4.1.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3) of RFC 6749,",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
61
|
+
hl7.fhir.us.udap-security_1.0.0,141,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When] the client makes a request to the token endpoint… the `grant_type` [parameter is] `REQUIRED`[and the] Value MUST be set to ""authorization_code""",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
62
|
+
hl7.fhir.us.udap-security_1.0.0,142,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When t]he client makes a request to the token endpoint… the `code` [parameter is] `REQUIRED`[and is] the authorization code received from the authorization server,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
63
|
+
hl7.fhir.us.udap-security_1.0.0,143,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When t]he client makes a request to the token endpoint… the `redirect_uri` [parameter is] `REQUIRED`...if the ""redirect_uri"" parameter was included in the authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and their values MUST be identical.",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
64
|
+
hl7.fhir.us.udap-security_1.0.0,144,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When t]he client makes a request to the token endpoint… the `client_id` [parameter is] `REQUIRED`...if the client is not authenticating with the authorization server as described in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1).,SHALL,Client,,,,"",""
|
65
|
+
hl7.fhir.us.udap-security_1.0.0,145,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1).",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
66
|
+
hl7.fhir.us.udap-security_1.0.0,151,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"If the client app has registered to authenticate using a private key rather than a shared client_secret, then the client SHALL use its private key to sign an Authentication Token as described in this section, and include this JWT in the client_assertion parameter of its token request as described in section 5.1 of UDAP JWT-Based Client Authentication and detailed further in Section 4.2.2 of this guide.",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
67
|
+
hl7.fhir.us.udap-security_1.0.0,152,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,Authentication Tokens submitted by client apps SHALL conform to the general JWT header requirements above,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
68
|
+
hl7.fhir.us.udap-security_1.0.0,153,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests]the `iss` parameter [is] `required` [and is t]he application's `client_id` as assigned by the Authorization Server during the registration process,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
69
|
+
hl7.fhir.us.udap-security_1.0.0,154,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `sub` parameter [is] `required` [and is t]he application's `client_id` as assigned by the Authorization Server during the registration process,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
70
|
+
hl7.fhir.us.udap-security_1.0.0,155,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `aud` parameter [is] `required` [and is] the FHIR Authorization Server's token endpoint URL,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
71
|
+
hl7.fhir.us.udap-security_1.0.0,156,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `exp` parameter [is] `required` [and is the e]xpiration time integer for this authentication JWT, expressed in seconds since the ""Epoch"" (1970-01-01T00:00:00Z UTC)",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
72
|
+
hl7.fhir.us.udap-security_1.0.0,157,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `iat` parameter [is] `required` [and is the i]ssued time integer for this authentication JWT, expressed in seconds since the ""Epoch""",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
73
|
+
hl7.fhir.us.udap-security_1.0.0,158,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `jti` parameter [is] `required` [and is a] nonce string value that uniquely identifies this authentication,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
74
|
+
hl7.fhir.us.udap-security_1.0.0,159,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` ...element of token requests] … the `jti` parameter... SHALL NOT be reused by the client app in another authentication JWT before the time specified in the `exp` claim has passed,SHALL,Client,,,,"",""
|
75
|
+
hl7.fhir.us.udap-security_1.0.0,160,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"The maximum lifetime for an Authentication Token SHALL be 5 minutes, i.e. the value of `exp` minus the value of `iat` SHALL NOT exceed 300 seconds.",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
76
|
+
hl7.fhir.us.udap-security_1.0.0,161,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,The Authentication Token SHALL be signed and serialized using the JSON compact serialization method..,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
77
|
+
hl7.fhir.us.udap-security_1.0.0,162,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"For client applications authenticating with a shared secret, the client application and server SHALL follow the token request and response protocol in Section 4.1.3 and Section 4.1.4 of RFC 6749.",SHALL,Client,,,,"",""
|
78
|
+
hl7.fhir.us.udap-security_1.0.0,163,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,Client applications authenticating with a private key and Authentication Token as per Section [4.2.1](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token) SHALL submit a POST request to the Authorization Server’s token endpoint containing the [token request]... parameters as per Section 5.1 of UDAP JWT-Based Client Authentication,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
79
|
+
hl7.fhir.us.udap-security_1.0.0,164,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,Client apps authenticating in this [with a private key and Authentication Token] manner SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request.,SHALL NOT,Client,,,,"",""
|
80
|
+
hl7.fhir.us.udap-security_1.0.0,165,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `grant_type` [parameter is] `required`[and SHALL contain the f]ixed value: `authorization_code`,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
81
|
+
hl7.fhir.us.udap-security_1.0.0,166,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `code` [parameter is] `required`[and SHALL contain the] code that the app received from the Authorization Server,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
82
|
+
hl7.fhir.us.udap-security_1.0.0,167,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"[When authenticating with a private key and Authentication Token] the `redirect_uri` [parameter is] `conditional`… SHALL be present only if the redirect_uri parameter was included in the authorization request in Section 4.1,",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
83
|
+
hl7.fhir.us.udap-security_1.0.0,168,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `redirect_uri` values SHALL be identical [with those sent on the authorization request].,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
84
|
+
hl7.fhir.us.udap-security_1.0.0,169,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `client_assertion_type` [parameter is] `required`[and SHALL contain the] fixed value: `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
85
|
+
hl7.fhir.us.udap-security_1.0.0,170,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `client_assertion` [parameter is] `required`[and SHALL contain the] signed Authentication Token JWT,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
86
|
+
hl7.fhir.us.udap-security_1.0.0,171,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `udap` [parameter is] `required`[and SHALL contain a f]ixed value: 1,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
87
|
+
hl7.fhir.us.udap-security_1.0.0,175,https://www.udap.org/udap-jwt-client-auth.html,[For the Authorization Server to validate the Client App’s request] the Client MUST include its own certificate [in the x5c parameter of the JOSE header on AnTs in token requests],SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
88
|
+
hl7.fhir.us.udap-security_1.0.0,177,https://www.udap.org/udap-jwt-client-auth.html,"[When validating the Client App’s request t]he iss and sub values MUST correspond to a registered client ID that is permitted to authenticate using an AnT and whose registration is bound to a uniformResourceIdentifier entry in the Subject Alternative Names extension of the Client’s certificate, e.g. via UDAP Dynamic Client Registration",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
89
|
+
hl7.fhir.us.udap-security_1.0.0,178,https://www.udap.org/udap-jwt-client-auth.html,"[When validating the Client App’s request] If the request contains a client_id parameter, the client_id value MUST match the iss and sub values",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
90
|
+
hl7.fhir.us.udap-security_1.0.0,179,https://www.udap.org/udap-jwt-client-auth.html,[When validating the Client App’s token request] The aud value MUST contain the AS’s token endpoint URI,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
91
|
+
hl7.fhir.us.udap-security_1.0.0,180,https://www.udap.org/udap-jwt-client-auth.html,[When validating the Client App’s token request] the AnT MUST be unexpired.,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
92
|
+
hl7.fhir.us.udap-security_1.0.0,181,https://www.udap.org/udap-jwt-client-auth.html,[When validating the Client App’s token request] A maximum AnT lifetime of 5 minutes is RECOMMENDED,SHOULD,Client,,,,"",""
|
93
|
+
hl7.fhir.us.udap-security_1.0.0,185,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,B2B client applications registered to use the authorization code grant SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 authorization code grant flow described in [Section 4.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1) of RFC 6749,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
94
|
+
hl7.fhir.us.udap-security_1.0.0,186,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,Client applications registered to use the client credentials grant SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 client credentials grant flow described in [Section 4.4](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) of RFC 6749,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
|
95
|
+
hl7.fhir.us.udap-security_1.0.0,187,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,"[When using the B2B client credentials flow to obtain access] the Requestor [(client)] is responsible for ensuring that the Requestor’s User, if applicable, is using the app only as authorized by the Requestor.",SHALL,Client,,,,"",""
|
96
|
+
hl7.fhir.us.udap-security_1.0.0,188,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code,Client applications registered to use the authorization code grant SHALL request an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) of RFC 6749,SHALL,Client,,,,"",""
|
97
|
+
hl7.fhir.us.udap-security_1.0.0,192,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,"The client SHALL use its private key to sign an Authentication Token..., and include this JWT in the `client_assertion` parameter of its token request as described in section 5.1 of UDAP JWT-Based Client Authentication and detailed further in [Section 5.2.2](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#submitting-a-token-request) of this guide",SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
|
98
|
+
hl7.fhir.us.udap-security_1.0.0,193,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `sub` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
|
99
|
+
hl7.fhir.us.udap-security_1.0.0,194,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `aud` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
|
100
|
+
hl7.fhir.us.udap-security_1.0.0,195,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `exp` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
|
101
|
+
hl7.fhir.us.udap-security_1.0.0,196,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `iat` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
|
102
|
+
hl7.fhir.us.udap-security_1.0.0,197,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `jti` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
|
103
|
+
hl7.fhir.us.udap-security_1.0.0,198,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `extensions` claim [is] `conditional` [and] The HL7 B2B Authorization Extension Object ...is required for B2B client apps using the client_credentials flow,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
|
104
|
+
hl7.fhir.us.udap-security_1.0.0,199,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `extensions` claim [is] `conditional` [and shall be] omit[ted] for client apps using the `authorization_code` flow,SHALL,Client,,,,"",""
|
105
|
+
hl7.fhir.us.udap-security_1.0.0,202,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `version` [is] `required` [with a] String with fixed value: ""1""",SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
|
106
|
+
hl7.fhir.us.udap-security_1.0.0,203,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_name` [is] `conditional` [and SHALL be required if the] String containing the human readable name of the human or non-human requestor [is] known,SHALL,Client,,,,"",""
|
107
|
+
hl7.fhir.us.udap-security_1.0.0,204,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be required] if known for human requestors when the `subject_name` parameter is present.,SHALL,Client,,,,"",""
|
108
|
+
hl7.fhir.us.udap-security_1.0.0,205,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id`... For US Realm,... SHALL be the subject's individual National Provider Identifier (NPI)",SHALL,Client,,,,"",""
|
109
|
+
hl7.fhir.us.udap-security_1.0.0,206,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be omitted] for non-human requestors,SHALL,Client,,,,"",""
|
110
|
+
hl7.fhir.us.udap-security_1.0.0,207,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be omitted] ... for requestors who have not been assigned an NPI,SHALL,Client,,,,"",""
|
111
|
+
hl7.fhir.us.udap-security_1.0.0,208,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_role` [is] `conditional` [and SHALL be required] if known for human requestors when the `subject_name` parameter is present. For US Realm, trust communities SHOULD constrain the allowed values and formats, and are encouraged to draw from the National Uniform Claim Committee (NUCC) Provider Taxonomy Code Set, but are not required to do so to be considered conformant.",SHALL,"Client,Trust Community",,,,"",""
|
112
|
+
hl7.fhir.us.udap-security_1.0.0,210,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_name` [is] `optional` [and is a] string containing the human readable name of the organizational requestor. If a subject is named, the organizational requestor is the organization represented by the subject.",MAY,Client,,,,"",""
|
113
|
+
hl7.fhir.us.udap-security_1.0.0,211,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_name` [is] `optional` … if a subject is named, the organizational requestor is the organization represented by the subject.",MAY,Client,,,,"",""
|
114
|
+
hl7.fhir.us.udap-security_1.0.0,212,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_id` [is] `required` [and] SHALL be a Uniform Resource Identifier (URI).,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
|
115
|
+
hl7.fhir.us.udap-security_1.0.0,213,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_id` [is] `required` [and] ... Trust communities SHALL define the allowed URI scheme(s).,SHALL,"Client,Trust Community",,,,"",""
|
116
|
+
hl7.fhir.us.udap-security_1.0.0,214,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_id` [is] `required`... If a URL is used, the issuer SHALL include a URL that is resolvable by the receiving party.",SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
|
117
|
+
hl7.fhir.us.udap-security_1.0.0,215,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `purpose_of_use` [is] `required`.,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
|
118
|
+
hl7.fhir.us.udap-security_1.0.0,217,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_policy` [is] `optional`[and SHALL contain] an array of one or more strings, each containing a URI identifiying a privacy consent directive policy or other policy consistent with the value of the purpose_of_use parameter.",MAY,Client,,,,"",""
|
119
|
+
hl7.fhir.us.udap-security_1.0.0,218,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_reference` [is] `conditional`[and SHALL contain a]n array of one or more strings, each containing an absolute URL consistent with a [literal reference](https://www.hl7.org/fhir/R4/references.html#literal) to a FHIR [Consent](https://www.hl7.org/fhir/R4/consent.html) or [DocumentReference](https://www.hl7.org/fhir/R4/documentreference.html) resource containing or referencing a privacy consent directive relevant to a purpose identified by the `purpose_of_use` parameter and the policy or policies identified by the `consent_policy` parameter.",MAY,Client,,,,"",""
|
120
|
+
hl7.fhir.us.udap-security_1.0.0,219,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[When populating the consent_reference value of the B2B Authorization Extension] the value `consent_reference` [is] `conditional` ... [and t]he issuer of this Authorization Extension Object SHALL only include URLs that are resolvable by the receiving party.,SHALL,Client,true,,,"",""
|
121
|
+
hl7.fhir.us.udap-security_1.0.0,220,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[When populating the consent_reference value of the B2B Authorization Extension] the value `consent_reference` [is] `conditional`... [and i]f a referenced resource does not include the raw document data inline in the resource or as a contained resource, then it SHALL include a URL to the attachment data that is resolvable by the receiving party.",SHALL,Client,true,,,"",""
|
122
|
+
hl7.fhir.us.udap-security_1.0.0,221,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_reference` [is] `conditional`[and shall be ] ... Omit[ted] if `consent_policy` [paramaeter] is not present.,SHALL,Client,,,,"",""
|
123
|
+
hl7.fhir.us.udap-security_1.0.0,222,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#submitting-a-token-request,Client applications using the authorization code grant and authenticating with a private key and Authentication Token as per Section 5.2.1 SHALL submit a POST request to the Authorization Server’s token endpoint containing the following parameters as per Section 5.1 of UDAP JWT-Based Client Authentication.,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
124
|
+
hl7.fhir.us.udap-security_1.0.0,223,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,Client applications using the client credentials grant and authenticating with a private key and Authentication Token as per Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) SHALL submit a POST request to the Authorization Server’s token endpoint containing the following parameters as per Section 5.2 of UDAP JWT-Based Client Authentication.,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
|
125
|
+
hl7.fhir.us.udap-security_1.0.0,224,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,Client applications using the client credentials grant and authenticating with a private key and Authentication Token as per Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) … SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request.,SHALL NOT,Client,,,,"",""
|
126
|
+
hl7.fhir.us.udap-security_1.0.0,225,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `grant_type` parameter [is] `required` [and SHALL contain f]ixed value: `client_credentials`,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
|
127
|
+
hl7.fhir.us.udap-security_1.0.0,226,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `client_assertion_type` parameter [is] `required` [and SHALL contain f]ixed value: `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
|
128
|
+
hl7.fhir.us.udap-security_1.0.0,227,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `client_assertion` parameter [is] `required` [and SHALL contain] the signed Authentication Token JWT,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
|
129
|
+
hl7.fhir.us.udap-security_1.0.0,228,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `udap` parameter [is] `required` [and SHALL contain] fixed value: `1`,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
|
130
|
+
hl7.fhir.us.udap-security_1.0.0,231,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#refresh-tokens,Client apps that have been issued refresh tokens MAY make refresh requests to the token endpoint as per [Section 6 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-6).,MAY,Client,,,,"",""
|
131
|
+
hl7.fhir.us.udap-security_1.0.0,232,https://datatracker.ietf.org/doc/html/rfc6749#section-6,"[When requesting a refresh token] the `grant_type` [parameter is] REQUIRED [and the ] Value MUST be set to ""refresh_token""",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
132
|
+
hl7.fhir.us.udap-security_1.0.0,233,https://datatracker.ietf.org/doc/html/rfc6749#section-7,[When requesting a refresh token] the `refresh_token` [parameter is] REQUIRED [and is ] The refresh token issued to the client,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
133
|
+
hl7.fhir.us.udap-security_1.0.0,234,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#refresh-tokens,"Client apps authenticate to the Authorization Server for refresh requests by constructing and including an Authentication Token in the same manner as for initial token requests [i.e., include the client_assertion_type and client_assertion fields as in the token request]",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
|
134
|
+
hl7.fhir.us.udap-security_1.0.0,235,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"IdPs that support this [UDAP] guide SHALL include `""openid""` and `""udap""` in the array of scopes returned for the `scopes_supported` parameter.",SHALL,Client,,,,"",""
|
135
|
+
hl7.fhir.us.udap-security_1.0.0,236,https://hl7.org/fhir/us/udap-security/STU1/user.html#client-authorization-request-to-data-holder,The client app indicates the preferred Identity Provider to the data holder… by modifying the authorization endpoint request… [and a]dd[ing] `udap` to the list of scopes provided in the value of the `scope` query parameter,SHALL,Client,,,,"",""
|
136
|
+
hl7.fhir.us.udap-security_1.0.0,237,https://hl7.org/fhir/us/udap-security/STU1/user.html#client-authorization-request-to-data-holder,The client app indicates the preferred Identity Provider to the data holder… by modifying the authorization endpoint request… [and a]dd[ing] the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP.,SHALL,Client,,,,"",""
|
137
|
+
hl7.fhir.us.udap-security_1.0.0,244,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"[When authenticating the user a] client app that receives an error code of `invalid_idp` MAY attempt to obtain authorization again by specifying a different IdP base URL in the `idp` authorization request parameter, or by making a new authorization request without using the Tiered OAuth workflow.",MAY,Client,,,,"",""
|
138
|
+
hl7.fhir.us.udap-security_1.0.0,256,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,The `scope` query parameter of the authentication request SHALL contain at least the following two values: `openid` and `udap`.,SHALL,Client,,,,"",""
|
139
|
+
hl7.fhir.us.udap-security_1.0.0,257,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,The IdP SHALL authenticate the user as per [Sections 3.1.2.2 - 3.1.2.6 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation) and Sections 4.1 - 4.2 of [UDAP Tiered Oauth](https://www.udap.org/udap-user-auth-stu1.html).,SHALL,Client,,,,"",""
|
140
|
+
hl7.fhir.us.udap-security_1.0.0,274,https://www.udap.org/udap-user-auth-stu1.html,The Client App MUST validate the value of the state parameter returned by the Resource Holder [in response to an authorization request] as per RFC 6749.,SHALL,Client,,,,"",""
|
141
|
+
hl7.fhir.us.udap-security_1.0.0,275,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,"The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state (e.g., a hash of the session cookie used to authenticate the user-agent).",SHALL,Client,,,,"",""
|
142
|
+
hl7.fhir.us.udap-security_1.0.0,276,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,The binding value used for CSRF protection MUST contain a non-guessable value (as described in Section 10.10),SHALL,Client,,,,"",""
|
143
|
+
hl7.fhir.us.udap-security_1.0.0,277,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,"the user-agent's authenticated state (e.g.,session cookie, HTML5 local storage) MUST be kept in a location accessible only to the client and the user-agent (i.e., protected by same-origin policy).",SHALL,Client,,,,"",""
|
144
|
+
hl7.fhir.us.udap-security_1.0.0,280,https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest,"[When making a token request] If the Client is a Confidential Client, then it MUST authenticate to the Token Endpoint using the authentication method registered for its `client_id`, as described in [Section 9](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication).",SHALL,Client,true,,,"",""
|
145
|
+
hl7.fhir.us.udap-security_1.0.0,281,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST authenticate to the IdP’s token endpoint [when requesting an ID token and access token] as detailed in Section 5 of UDAP JWT-based Client Authentication,SHALL,Client,,,,"",""
|
146
|
+
hl7.fhir.us.udap-security_1.0.0,286,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,Web application clients MUST ensure confidentiality of client passwords and other client credentials.,SHALL,Client,,,,"",""
|
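Review bot: the Actors column is wrong for rows 235, 257 and 281: each is tagged "Client" although the requirement text addresses a different party ("IdPs that support this [UDAP] guide SHALL include ...", "The IdP SHALL authenticate the user ...", "The Resource Holder MUST authenticate to the IdP's token endpoint ..."), so any per-actor coverage filter will count IdP and Resource Holder obligations as client requirements. Suggest setting Actors to the party the sentence binds, or, if the generator only emits Server/Client, recording the mapping in "Not Tested Details". Related: every row from 235 through 286 has empty test-ID columns and also empty "Not Tested Reason"/"Not Tested Details", so the report cannot distinguish "not yet implemented" from "out of scope for this kit" for the whole Tiered OAuth block; populating the reason column for these rows would make the coverage figure meaningful.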
data/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv
ADDED
@@ -0,0 +1,164 @@
|
|
1
|
+
Req Set,ID,URL,Requirement,Conformance,Actors,Conditionality,Not Tested Reason,Not Tested Details,UDAP Security Server Short ID(s),UDAP Security Server Full ID(s)
|
2
|
+
hl7.fhir.us.udap-security_1.0.0,1,https://hl7.org/fhir/us/udap-security/STU1/#general-requirements-and-serialization,All JSON Web Tokens (JWTs) defined in this [UDAP] guide: SHALL conform to the mandatory requirements of [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519).,SHALL,"Server,Client",,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
|
3
|
+
hl7.fhir.us.udap-security_1.0.0,2,https://hl7.org/fhir/us/udap-security/STU1/#general-requirements-and-serialization,All JSON Web Tokens (JWTs) defined in this [UDAP] guide: ... SHALL be JSON Web Signatures conforming to the mandatory requirements of [RFC 7515](https://datatracker.ietf.org/doc/html/rfc7515).,SHALL,"Server,Client",,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
|
4
|
+
hl7.fhir.us.udap-security_1.0.0,3,https://hl7.org/fhir/us/udap-security/STU1/#general-requirements-and-serialization,All JSON Web Tokens (JWTs) defined in this [UDAP] guide: ... SHALL be serialized using JWS Compact Serialization as per [Section 7.1](https://datatracker.ietf.org/doc/html/rfc7515#section-7.1) of RFC 7515.,SHALL,"Server,Client",,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
|
5
|
+
hl7.fhir.us.udap-security_1.0.0,4,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,Implementations supporting the UDAP workflows defined in this guide **SHALL** support `RS256` [as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)].,SHALL,"Server,Client",,,,"1.1.13, 1.1.15, 2.1.13, 2.1.15","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_token_endpoint_auth_signing_alg_values_supported_field, udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_reg_endpoint_jwt_signing_alg_values_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_token_endpoint_auth_signing_alg_values_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_reg_endpoint_jwt_signing_alg_values_supported_field"
|
6
|
+
hl7.fhir.us.udap-security_1.0.0,5,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,Implementations **SHOULD** support `ES256`[as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)],SHOULD,"Server,Client",,,,"",""
|
7
|
+
hl7.fhir.us.udap-security_1.0.0,6,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,[Implementations] **MAY** support `ES384` and/or `RS384` [as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)].,MAY,"Server,Client",,,,"",""
|
8
|
+
hl7.fhir.us.udap-security_1.0.0,7,https://hl7.org/fhir/us/udap-security/STU1/#jwt-headers,All JWTs defined in this [UDAP] guide SHALL contain a Javascript Object Signing and Encryption (JOSE) header as defined in [Section 4](https://datatracker.ietf.org/doc/html/rfc7515#section-4) of RFC 7515 [where] JWT header value`alg` [is] `required`A string identifying the signature algorithm used to sign the JWT,SHALL,"Server,Client",,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
|
9
|
+
hl7.fhir.us.udap-security_1.0.0,8,https://hl7.org/fhir/us/udap-security/STU1/#jwt-headers,"All JWTs defined in this [UDAP] guide SHALL contain a Javascript Object Signing and Encryption (JOSE) header as defined in [Section 4](https://datatracker.ietf.org/doc/html/rfc7515#section-4) of RFC 7515 [where] JWT header value `x5c`[is] `required`. An array of one or more strings containing the X.509 certificate or certificate chain, where the leaf certificate corresponds to the key used to digitally sign the JWT. Each string in the array is the base64-encoded DER representation of the corresponding certificate, with the leaf certificate appearing as the first (or only) element of the array.",SHALL,"Server,Client",,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
|
10
|
+
hl7.fhir.us.udap-security_1.0.0,9,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,A FHIR Server **SHALL** make its Authorization Server’s authorization ... endpoints ... available for discovery by client applications.,SHALL,Server,,,,"1.1.10, 2.1.10","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_authorization_endpoint_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_authorization_endpoint_field"
|
11
|
+
hl7.fhir.us.udap-security_1.0.0,10,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,A FHIR Server **SHALL** make its Authorization Server’s ... token ... endpoints ... available for discovery by client applications.,SHALL,Server,,,,"1.1.11, 2.1.11","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_token_endpoint_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_token_endpoint_field"
|
12
|
+
hl7.fhir.us.udap-security_1.0.0,11,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,A FHIR Server **SHALL** make its Authorization Server’s ... registration endpoints ... available for discovery by client applications.,SHALL,Server,,,,"1.1.14, 2.1.14","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_registration_endpoint_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_registration_endpoint_field"
|
13
|
+
hl7.fhir.us.udap-security_1.0.0,12,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,A FHIR Server **SHALL** make its Authorization Server’s ... associated metadata available for discovery by client applications.,SHALL,Server,,,,"1.1.01, 2.1.01","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_well_known_endpoint, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_well_known_endpoint"
|
14
|
+
hl7.fhir.us.udap-security_1.0.0,13,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,"Servers **SHALL** allow access to the following metadata URL to unregistered client applications ..., where {baseURL} represents the base FHIR URL for the FHIR server: {baseURL}/.well-known/udap",SHALL,Server,,,,"1.1.01, 2.1.01","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_well_known_endpoint, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_well_known_endpoint"
|
15
|
+
hl7.fhir.us.udap-security_1.0.0,14,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,"Servers **SHALL** allow access to the following metadata URL ... without requiring client authentication, where {baseURL} represents the base FHIR URL for the FHIR server: {baseURL}/.well-known/udap",SHALL,Server,,,,"1.1.01, 2.1.01","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_well_known_endpoint, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_well_known_endpoint"
|
16
|
+
hl7.fhir.us.udap-security_1.0.0,15,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,UDAP metadata **SHALL** be structured as a JSON object as per section 1 of [UDAP Server Metadata](https://www.udap.org/udap-server-metadata-stu1.html#section-1) and discussed further in [Section 2.2](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata).,SHALL,Server,,,,"1.1, 2.1","udap_security-udap_authorization_code_group-auth_code_discovery_group, udap_security-udap_client_credentials_group-auth_code_discovery_group"
|
17
|
+
hl7.fhir.us.udap-security_1.0.0,17,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,"Servers conforming to this guide are generally expected, but not required, to also support the HL7 SMART App Launch Framework, which defines additional discovery and metadata requirements.",SHOULD,Server,,,,"",""
|
18
|
+
hl7.fhir.us.udap-security_1.0.0,18,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,The metadata returned from the UDAP metadata endpoint … SHALL represent the server’s capabilities with respect to the UDAP workflows described in this guide.,SHALL,Server,,,,"",""
|
19
|
+
hl7.fhir.us.udap-security_1.0.0,19,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"If no UDAP workflows are supported, the server SHALL return a `404 Not Found` response to the metadata request.",SHALL,Server,,,,"",""
|
20
|
+
hl7.fhir.us.udap-security_1.0.0,22,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_versions_supported` [element is] required [and SHALL be] A fixed array with one string element: [""1""]",SHALL,Server,,,,"1.1.02, 2.1.02","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_versions_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_versions_supported_field"
|
21
|
+
hl7.fhir.us.udap-security_1.0.0,23,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_profiles_supported` [element is] required
|
22
|
+
[and SHALL contain a]n array of two or more strings identifying the core UDAP profiles supported by the Authorization Server.",SHALL,Server,,,,"1.1.04, 2.1.04","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_profiles_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_profiles_supported_field"
|
23
|
+
hl7.fhir.us.udap-security_1.0.0,24,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_profiles_supported` [element] array SHALL include ... ""udap_dcr"" … [when the server supports] UDAP Dynamic Client Registration",SHALL,Server,true,,,"1.1.04, 2.1.04","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_profiles_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_profiles_supported_field"
|
24
|
+
hl7.fhir.us.udap-security_1.0.0,25,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_profiles_supported` [element] array SHALL include ... ""udap_authn"" … [when the server supports] UDAP JWT-Based Client Authentication",SHALL,Server,true,,,"1.1.04, 2.1.04","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_profiles_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_profiles_supported_field"
|
25
|
+
hl7.fhir.us.udap-security_1.0.0,26,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata] `udap_profiles_supported` [element]...
|
26
|
+
If the `grant_types_supported` parameter includes the string `""client_credentials""`, then the array SHALL also include:
|
27
|
+
`""udap_authz""` for UDAP Client Authorization Grants using JSON Web Tokens to indicate support for Authorization Extension Objects.",SHALL,Server,true,,,"1.1.04, 2.1.04","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_profiles_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_profiles_supported_field"
|
28
|
+
hl7.fhir.us.udap-security_1.0.0,27,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata] `udap_profiles_supported` [element]...
|
29
|
+
If the server supports the user authentication workflow described in [Section 6](https://hl7.org/fhir/us/udap-security/STU1/user.html#tiered-oauth-for-user-authentication), then the array SHALL also include: `""udap_to""` for UDAP Tiered OAuth for User Authentication.",SHALL,Server,true,,,"",""
|
30
|
+
hl7.fhir.us.udap-security_1.0.0,28,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_authorization_extensions_supported` [element is] required [and SHALL contain a]n array of zero or more recognized key names for Authorization Extension Objects supported by the Authorization Server.",SHALL,Server,,,,"1.1.05, 2.1.05","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_auth_extensions_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_auth_extensions_supported_field"
|
31
|
+
hl7.fhir.us.udap-security_1.0.0,29,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"If the Authorization Server supports the B2B Authorization Extension Object defined in Section [5.2.1.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object), then the ... `[""hl7-b2b""]` key name SHALL be included [in the `udap_authorization_extensions_supported` element of the server's UDAP metadata].",SHALL,Server,,,,"1.1.05, 2.1.05","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_auth_extensions_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_auth_extensions_supported_field"
|
32
|
+
hl7.fhir.us.udap-security_1.0.0,30,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_authorization_extensions_required` [element SHALL contain when populated a]n array of zero or more recognized key names for Authorization Extension Objects required by the Authorization Server in every token request.",SHALL,Server,,,,"1.1.06, 2.1.06","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_auth_extensions_required_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_auth_extensions_required_field"
|
33
|
+
hl7.fhir.us.udap-security_1.0.0,31,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_authorization_extensions_required` [element] SHALL be present if the value of the `udap_authorization_extensions_supported` parameter is not an empty array.",SHALL,Server,,,,"1.1.06, 2.1.06","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_auth_extensions_required_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_auth_extensions_required_field"
|
34
|
+
hl7.fhir.us.udap-security_1.0.0,32,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"If the Authorization Server requires the B2B Authorization Extension Object defined in [Section 5.2.1.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object) in every token request, then the following key name SHALL be included [in the `udap_authorization_extensions_required`list]:
|
35
|
+
`[""hl7-b2b""]`",SHALL,Server,,,,"",""
|
36
|
+
hl7.fhir.us.udap-security_1.0.0,33,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_certifications_supported` [element is] required [and SHALL contain a]n array of zero or more certification URIs supported by the Authorization Server, e.g.: `[""https://www.example.com/udap/profiles/example-certification""]`",SHALL,Server,,,,"1.1.07, 2.1.07","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_certifications_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_certifications_supported_field"
|
37
|
+
hl7.fhir.us.udap-security_1.0.0,34,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_certifications_required` [element SHALL contain when populated a]n array of zero or more certification URIs required by the Authorization Server.",SHALL,Server,,,,"1.1.08, 2.1.08","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_certifications_required_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_certifications_required_field"
|
38
|
+
hl7.fhir.us.udap-security_1.0.0,35,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_certifications_required` … parameter SHALL be present if the value of the `udap_certifications_supported` parameter is not an empty array.",SHALL,Server,,,,"1.1.08, 2.1.08","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_certifications_required_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_certifications_required_field"
|
39
|
+
hl7.fhir.us.udap-security_1.0.0,36,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `grant_types_supported` [element is] required [and SHALL contain] an array of one or more grant types supported by the Authorization Server, e.g.:
|
40
|
+
[""authorization_code"", ""refresh_token"", ""client_credentials""].",SHALL,Server,,,,"1.1.03, 2.1.03","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_grant_types_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_grant_types_supported_field"
|
41
|
+
hl7.fhir.us.udap-security_1.0.0,37,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"The `""refresh_token""` grant type SHALL only be included [in the `grant_types_supported` element of the server metadata] if the `""authorization_code""` grant type is also included.",SHALL,Server,,,,"1.1.03, 2.1.03","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_grant_types_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_grant_types_supported_field"
|
42
|
+
hl7.fhir.us.udap-security_1.0.0,38,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `authorization_endpoint` [element SHALL contain when populated a] string containing the absolute URL of the Authorization Server's authorization endpoint.",SHALL,Server,true,,,"1.1.10, 2.1.10","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_authorization_endpoint_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_authorization_endpoint_field"
|
43
|
+
hl7.fhir.us.udap-security_1.0.0,39,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `authorization_endpoint` … SHALL be present if the value of the `grant_types_supported` parameter includes the string `""authorization_code""`",SHALL,Server,true,,,"1.1.10, 2.1.10","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_authorization_endpoint_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_authorization_endpoint_field"
|
44
|
+
hl7.fhir.us.udap-security_1.0.0,40,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `token_endpoint` [element is] required [and SHALL contain a] string containing the absolute URL of the Authorization Server's token endpoint for UDAP JWT-Based Client Authentication.",SHALL,Server,,,,"1.1.11, 2.1.11","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_token_endpoint_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_token_endpoint_field"
|
45
|
+
hl7.fhir.us.udap-security_1.0.0,41,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `token_endpoint_auth_methods_supported` [element is] required [and SHALL contain a f]ixed array with one value: [""private_key_jwt""]",SHALL,Server,,,,"1.1.12, 2.1.12","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_token_endpoint_auth_methods_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_token_endpoint_auth_methods_supported_field"
|
46
|
+
hl7.fhir.us.udap-security_1.0.0,42,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `token_endpoint_auth_signing_alg_values_supported` [element is] required [and SHALL contain an a]rray of strings identifying one or more signature algorithms supported by the Authorization Server for validation of signed JWTs submitted to the token endpoint for client authentication.",SHALL,Server,,,,"1.1.13, 2.1.13","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_token_endpoint_auth_signing_alg_values_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_token_endpoint_auth_signing_alg_values_supported_field"
|
47
|
+
hl7.fhir.us.udap-security_1.0.0,43,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `registration_endpoint` [element is] required [and SHALL contain a] string containing the absolute URL of the Authorization Server's registration endpoint.",SHALL,Server,,,,"1.1.14, 2.1.14","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_registration_endpoint_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_registration_endpoint_field"
|
48
|
+
hl7.fhir.us.udap-security_1.0.0,44,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `registration_endpoint_jwt_signing_alg_values_supported` [element is] recommended [to be populated].",SHOULD,Server,,,,"",""
|
49
|
+
hl7.fhir.us.udap-security_1.0.0,45,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `registration_endpoint_jwt_signing_alg_values_supported` [element SHALL contain when populated an a]rray of strings identifying one or more signature algorithms supported by the Authorization Server for validation of signed software statements, certification, and endorsements submitted to the registration endpoint.",SHALL,Server,true,,,"1.1.15, 2.1.15","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_reg_endpoint_jwt_signing_alg_values_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_reg_endpoint_jwt_signing_alg_values_supported_field"
|
50
|
+
hl7.fhir.us.udap-security_1.0.0,46,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `signed_metadata` [element is] required [which SHALL contain] A string containing a JWT listing the server's endpoints",SHALL,Server,,,,"1.1.16, 2.1.16","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_field"
|
51
|
+
hl7.fhir.us.udap-security_1.0.0,47,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,A server’s UDAP metadata SHALL include the signed_metadata element.,SHALL,Server,,,,"1.1.16, 2.1.16","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_field"
|
52
|
+
hl7.fhir.us.udap-security_1.0.0,48,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,"[The JWT in the signed_metadata element SHALL contain the claim] `iss` [that is the i]ssuer of the JWT -- unique identifying server URI. This SHALL match the value of a uniformResourceIdentifier entry in the Subject Alternative Name extension of the server's certificate included in the `x5c` JWT header, and SHALL be equal to the server's {baseURL}",SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
|
53
|
+
hl7.fhir.us.udap-security_1.0.0,49,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The `iss` claim of the JWT in the signed_metadata element] SHALL match the value of a uniformResourceIdentifier entry in the Subject Alternative Name extension of the server's certificate included in the `x5c` JWT header,SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
|
54
|
+
hl7.fhir.us.udap-security_1.0.0,50,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The `iss` claim of the JWT in the signed_metadata element] SHALL be equal to the server's {baseURL},SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
|
55
|
+
hl7.fhir.us.udap-security_1.0.0,51,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The JWT in the signed_metadata element SHALL contain the claim] `sub` [that is the] same as `iss`.,SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
|
56
|
+
hl7.fhir.us.udap-security_1.0.0,52,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,"[The JWT in the signed_metadata element SHALL contain the claim] `exp` [that is the] expiration time integer for this JWT, expressed in seconds since the ""Epoch"" (1970-01-01T00:00:00Z UTC).",SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
|
57
|
+
hl7.fhir.us.udap-security_1.0.0,53,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,The exp time [in the Server's signed JWT] SHALL be no more than 1 year after the value of the iat claim.,SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
|
58
|
+
hl7.fhir.us.udap-security_1.0.0,54,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,"[The JWT in the signed_metadata element SHALL contain the claim] `iat` [that is the] Issued time integer for this JWT, expressed in seconds since the ""Epoch""",SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
|
59
|
+
hl7.fhir.us.udap-security_1.0.0,55,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The JWT in the signed_metadata element SHALL contain the claim] `jti` [that is a] nonce string value that uniquely identifies this JWT.,SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
|
60
|
+
hl7.fhir.us.udap-security_1.0.0,56,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,This [`jti`] value [in the Server's signed JWT] SHALL NOT be reused by the server in another JWT before the time specified in the exp claim has passed,SHALL,Server,,,,"",""
|
61
|
+
hl7.fhir.us.udap-security_1.0.0,57,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,"[In the JWT in the signed_metadata element SHALL contain, the claim] `authorization_endpoint`[is] REQUIRED if the authorization_endpoint parameter is included in the unsigned metadata",SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
|
62
|
+
hl7.fhir.us.udap-security_1.0.0,58,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The JWT in the signed_metadata element SHALL contain the claim] `token_endpoint`[which is a] string containing the absolute URL of the server's token endpoint,SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
|
63
|
+
hl7.fhir.us.udap-security_1.0.0,59,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The JWT in the signed_metadata element SHALL contain the claim] `registration_endpoint`[which is a] string containing the absolute URL of the server's registration endpoint,SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
|
64
|
+
hl7.fhir.us.udap-security_1.0.0,62,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,"If a server supports [the `community`] parameter and recognizes the URI value, it SHALL select a certificate intended for use within the identified trust community, if it has been issued such a certificate, and use that certificate when generating the signed JWT returned for the `signed_metadata` element.",SHALL,Server,,,,"",""
|
65
|
+
hl7.fhir.us.udap-security_1.0.0,63,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,"If a server supports different UDAP capabilities for different communities, it MAY also return different values for other metadata elements described in [Section 2.2](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata) as appropriate for the identified community.",MAY,Server,,,,"",""
|
66
|
+
hl7.fhir.us.udap-security_1.0.0,64,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,"If the server does not recognize the community URI or does not have a suitable certificate for the identified community, it MAY return a `404 Not Found` response to the metadata request to indicate that no UDAP workflows are supported by server in the context of that community, or it MAY return its default metadata, i.e. the metadata that it would have returned if the community parameter was not included in the request.",MAY,Server,,,,"",""
|
67
|
+
hl7.fhir.us.udap-security_1.0.0,65,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,"If the server does not recognize the community URI or does not have a suitable certificate for the identified community, .. it MAY return its default metadata, i.e. the metadata that it would have returned if the community parameter was not included in the request.",MAY,Server,,,,"",""
|
68
|
+
hl7.fhir.us.udap-security_1.0.0,68,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,Authorization Servers SHALL support dynamic registration as specified in the [UDAP Dynamic Client Registration](https://www.udap.org/udap-dynamic-client-registration-stu1.html) profile with the additional options and constraints defined in this guide.,SHALL,Server,,,,"1.2, 2.2","udap_security-udap_authorization_code_group-auth_code_dcr_group, udap_security-udap_client_credentials_group-client_creds_dcr_group"
|
69
|
+
hl7.fhir.us.udap-security_1.0.0,89,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,Authorization Server[s] MAY display this logo [provided in the `logo_uri` claim of a registered software statement for a client] to the user during the authorization process.,MAY,Server,,,,"",""
|
70
|
+
hl7.fhir.us.udap-security_1.0.0,98,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The Authorization Server MAY consider this list [of scopes provided in the registration software statement] when deciding the scopes that it will allow the application to subsequently request.,MAY,Server,,,,"",""
|
71
|
+
hl7.fhir.us.udap-security_1.0.0,105,https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body,The Authorization Server SHALL validate the registration request as per [Section 4](https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4) of UDAP Dynamic Client Registration.,SHALL,Server,,,,"1.2, 2.2","udap_security-udap_authorization_code_group-auth_code_dcr_group, udap_security-udap_client_credentials_group-client_creds_dcr_group"
|
72
|
+
hl7.fhir.us.udap-security_1.0.0,106,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he iss value MUST match a uriName entry in the Subject Alternative Names extension of the Client’s certificate.,SHALL,Server,,,,"1.2.01, 2.2.01","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_failure_invalid_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_failure_invalid_contents"
|
73
|
+
hl7.fhir.us.udap-security_1.0.0,107,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he sub value MUST match the iss value,SHALL,Server,,,,"",""
|
74
|
+
hl7.fhir.us.udap-security_1.0.0,108,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he aud value MUST contain the Authorization Server’s registration endpoint URL,SHALL,Server,,,,"",""
|
75
|
+
hl7.fhir.us.udap-security_1.0.0,109,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he software statement MUST be unexpired,SHALL,Server,,,,"",""
|
76
|
+
hl7.fhir.us.udap-security_1.0.0,110,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1,"If a new registration is successful, the Authorization Server SHALL return a registration response with a `201 Created` HTTP response code as per [Section 5.1](https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1) of UDAP Dynamic Client Registration",SHALL,Server,,,,"1.2.03, 2.2.03","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success"
|
77
|
+
hl7.fhir.us.udap-security_1.0.0,111,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1,"[When responding to an authorization request that has been granted] 5.1 The top-level elements of the response SHALL include the client_id issued by the Authorization Server for use by the Client App, the software statement as submitted by the Client App, and all of the registration related parameters that were included in the software statement",SHALL,Server,,,,"1.2.04, 2.2.04","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success_contents"
|
78
|
+
hl7.fhir.us.udap-security_1.0.0,112,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1,[When responding to an authorization request that has been granted] 5.1 Authorization Server MUST store the certificate provided by the Client for use to validate subsequent client authentication attempts.,SHALL,Server,,,,"",""
|
79
|
+
hl7.fhir.us.udap-security_1.0.0,113,https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body,"If a new registration is successful, the Authorization Server SHALL return a registration response ... including the unique `client_id` assigned by the Authorization Server to that client app.",SHALL,Server,,,,"1.2.04, 2.2.04","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success_contents"
|
80
|
+
hl7.fhir.us.udap-security_1.0.0,114,https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body,"If a new registration is not successful, e.g. it is rejected by the server for any reason, the Authorization Server SHALL return an error response as per [Section 5.2](https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.2) of UDAP Dynamic Client Registration.",SHALL,Server,,,,"1.2.01, 1.2.02, 2.2.01, 2.2.02","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_failure_invalid_contents, udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_failure_invalid_jwt_signature, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_failure_invalid_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_failure_invalid_jwt_signature"
|
81
|
+
hl7.fhir.us.udap-security_1.0.0,116,https://hl7.org/fhir/us/udap-security/STU1/registration.html#inclusion-of-certifications-and-endorsements,Authorization Servers SHALL ignore unsupported or unrecognized certifications,SHALL,Server,,,,"",""
|
82
|
+
hl7.fhir.us.udap-security_1.0.0,117,https://hl7.org/fhir/us/udap-security/STU1/registration.html#inclusion-of-certifications-and-endorsements,Authorization Servers MAY require registration requests to include one or more certifications.,MAY,Server,,,,"",""
|
83
|
+
hl7.fhir.us.udap-security_1.0.0,118,https://hl7.org/fhir/us/udap-security/STU1/registration.html#inclusion-of-certifications-and-endorsements,"If an Authorization Server requires the inclusion of a certain certification, then the Authorization Server SHALL communicate this by including the corresponding certification URI in the `udap_certifications_required` element of its UDAP metadata.",SHALL,Server,,,,"",""
|
84
|
+
hl7.fhir.us.udap-security_1.0.0,119,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If an Authorization Server receives a valid registration request with a software statement containing the same `iss` value as an earlier software statement but with a different set of claims or claim values, or with a different (possibly empty) set of optional certifications and endorsements, the server SHALL treat this as a request to modify the registration parameters for the client application by replacing the information from the previous registration request with the information included in the new request.",SHALL,Server,,,,"1.2.03, 2.2.03","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success"
|
85
|
+
hl7.fhir.us.udap-security_1.0.0,120,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If the registration modification request is accepted, the Authorization Server SHOULD return the same `client_id` in the registration response as for the previous registration.",SHOULD,Server,,,,"",""
|
86
|
+
hl7.fhir.us.udap-security_1.0.0,121,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If it returns a different `client_id` [in response to a registration modification request], it SHALL cancel the registration for the previous `client_id`.",SHALL,Server,,,,"",""
|
87
|
+
hl7.fhir.us.udap-security_1.0.0,122,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If an Authorization Server receives a valid registration request with a software statement that contains an empty `grant_types` array from a previously registered application, the server SHOULD interpret this as a request to cancel the previous registration.",SHOULD,Server,,,,"",""
|
88
|
+
hl7.fhir.us.udap-security_1.0.0,124,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If the Authorization Server returns the same client_id in the registration response for a modification request, it SHOULD also return a `200 OK` HTTP response code.",SHOULD,Server,,,,"",""
|
89
|
+
hl7.fhir.us.udap-security_1.0.0,125,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If the Authorization Server returns a new `client_id` in the registration response, the client application SHALL use only the new `client_id` in subsequent transactions with the Authorization Server.",SHOULD,Server,,,,"",""
|
90
|
+
hl7.fhir.us.udap-security_1.0.0,131,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,Client applications .. MAY optionally support UDAP Tiered OAuth for User Authentication to allow for cross-organizational or third party user authentication as described in [Section 6](https://hl7.org/fhir/us/udap-security/STU1/user.html).,MAY,Server,,,,"",""
|
91
|
+
hl7.fhir.us.udap-security_1.0.0,133,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,Servers SHALL handle and respond to authorization code requests as per [Section 4.1.2](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2) of RFC 6749.,SHALL,Server,,,,"1.3.01, 1.3.02","udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_redirect, udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received"
|
92
|
+
hl7.fhir.us.udap-security_1.0.0,134,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When responding to an authorization request ]if the resource owner grants the access request… the `code` parameter [is] `REQUIRED`,SHALL,Server,,,,1.3.02,udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received
|
93
|
+
hl7.fhir.us.udap-security_1.0.0,135,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When responding to an authorization request i]f the resource owner grants the access request… the `code` parameter... MUST expire shortly after it is issued to mitigate the risk of leaks.,SHALL,Server,,,,"",""
|
94
|
+
hl7.fhir.us.udap-security_1.0.0,137,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,"If an authorization code is used more than once, the authorization server MUST deny the request",SHALL,Server,,,,"",""
|
95
|
+
hl7.fhir.us.udap-security_1.0.0,138,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,"[When responding to an authorization request i]f the resource owner grants the access request… the `state` parameter [is] `REQUIRED`if the ""state"" parameter was present in the client authorization request",SHALL,Server,,,,1.3.02,udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received
|
96
|
+
hl7.fhir.us.udap-security_1.0.0,146,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements),SHALL,Server,,,,"",""
|
97
|
+
hl7.fhir.us.udap-security_1.0.0,147,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: ...authenticate the client if client authentication is included,",SHALL,Server,,,,"",""
|
98
|
+
hl7.fhir.us.udap-security_1.0.0,148,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: … ensure that the authorization code was issued to the authenticated confidential client, or if the client is public, ensure that the code was issued to ""client_id"" in the request,",SHALL,Server,,,,1.3.03,udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_token_exchange
|
99
|
+
hl7.fhir.us.udap-security_1.0.0,149,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: … verify that the authorization code is valid,SHALL,Server,,,,"",""
|
100
|
+
hl7.fhir.us.udap-security_1.0.0,150,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: … ensure that the ""redirect_uri"" parameter is present if the ""redirect_uri"" parameter was included in the initial authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and if included ensure that their values are identical.",SHALL,Server,,,,"",""
|
101
|
+
hl7.fhir.us.udap-security_1.0.0,172,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,An Authorization Server receiving token requests containing Authentication Tokens... SHALL validate and respond to the request as per [Sections 6 and 7 of UDAP JWT-Based Client Authentication](https://www.udap.org/udap-jwt-client-auth.html).,SHALL,Server,,,,"",""
|
102
|
+
hl7.fhir.us.udap-security_1.0.0,173,https://www.udap.org/udap-jwt-client-auth.html,The AS validates the digital signature on the AnT [in the token request] using the public key extracted from cert1 in the x5c parameter of the JOSE header.,SHALL,Server,,,,"",""
|
103
|
+
hl7.fhir.us.udap-security_1.0.0,174,https://www.udap.org/udap-jwt-client-auth.html,"If the signature cannot be validated [using the public key extracted from cert1 in the x5c parameter], the [token] request is denied.",SHALL,Server,,,,"",""
|
104
|
+
hl7.fhir.us.udap-security_1.0.0,176,https://www.udap.org/udap-jwt-client-auth.html,"If a trusted chain cannot be built and validated by the AS [for certificates in the x5c parameter of the JOSE header on AnTs in token requests], the request is denied.",SHALL,Server,,,,"",""
|
105
|
+
hl7.fhir.us.udap-security_1.0.0,182,https://www.udap.org/udap-jwt-client-auth.html,The AS validates any other parameters in the [token] request as per the requirements of the grant mechanism identified by the grant_type value.,SHALL,Server,,,,"",""
|
106
|
+
hl7.fhir.us.udap-security_1.0.0,183,https://www.udap.org/udap-jwt-client-auth.html,"If a parameter is invalid or a required parameter is missing [on a token request], the request is denied",SHALL,Server,,,,"",""
|
107
|
+
hl7.fhir.us.udap-security_1.0.0,184,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"For all successful token requests, the Authorization Server SHALL issue access tokens with a lifetime no longer than 60 minutes.",SHALL,Server,,,,"",""
|
108
|
+
hl7.fhir.us.udap-security_1.0.0,190,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code,Servers SHALL handle and respond to authorization code requests as per [Section 4.1.2 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2).,SHALL,Server,,,,"1.3.01, 1.3.02","udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_redirect, udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received"
|
109
|
+
hl7.fhir.us.udap-security_1.0.0,229,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,An Authorization Server receiving token requests containing Authentication Tokens ... SHALL validate and respond to the request as per Sections 6 and 7 of UDAP JWT-Based Client Authentication.,SHALL,Server,,,,"",""
|
110
|
+
hl7.fhir.us.udap-security_1.0.0,230,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#refresh-tokens,Authorization Servers MAY issue refresh tokens to B2B [and consumer-facing] client applications that use the authorization code grant type as per [Section 5 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-5),MAY,Server,,,,"",""
|
111
|
+
hl7.fhir.us.udap-security_1.0.0,238,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"Upon receiving an authorization request with a preferred IdP, the data holder first determines whether or not it trusts the IdP to perform user authentication, by retrieving and validating the IdP’s UDAP metadata from {baseURL}/.well-known/udap, as discussed in [Section 2.2](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata)",SHALL,Server,,,,"",""
|
112
|
+
hl7.fhir.us.udap-security_1.0.0,239,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is trusted and the data holder is not yet registered as a client with the IdP and the IdP supports UDAP Dynamic Registration, then the data holder SHALL register as a client with the IdP as per [Section 3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration) of this guide.",SHALL,Server,,,,"",""
|
113
|
+
hl7.fhir.us.udap-security_1.0.0,240,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is not trusted by the data holder, or if the data holder does not have and cannot obtain a client_id to use with the IdP, the data holder MAY reject the client app’s authorization request",MAY,Server,,,,"",""
|
114
|
+
hl7.fhir.us.udap-security_1.0.0,241,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"[if the data holder rejects the request because of idP it SHALL return an error with the invalid_idp extension error code] as per [Section 4.1.2.1 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1), using the extension error code of invalid_idp.",SHALL,Server,true,,,"",""
|
115
|
+
hl7.fhir.us.udap-security_1.0.0,242,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1,"If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server ... MUST NOT automatically redirect the user-agent to the invalid redirection URI.",SHALL NOT,Server,,,,"",""
|
116
|
+
hl7.fhir.us.udap-security_1.0.0,243,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is not trusted by the data holder, or if the data holder does not have and cannot obtain a client_id to use with the IdP ... the data holder MAY attempt to authenticate the user with a different trusted IdP or its own IdP, and MAY interact with the user to determine a suitable alternative",MAY,Server,,,,"",""
|
117
|
+
hl7.fhir.us.udap-security_1.0.0,245,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is trusted by the data holder, and the data holder is registered as a client with the IdP, then the data holder, acting as an OIDC client, SHALL make an authentication request to the IdP’s authorization endpoint as per [Section 3.1.2.1 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) and Section 3.4 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).",SHALL,Server,,,,"",""
|
118
|
+
hl7.fhir.us.udap-security_1.0.0,246,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,Authorization Servers MUST support the use of the HTTP `GET` and `POST` methods defined in [RFC 7231](https://openid.net/specs/openid-connect-core-1_0.html#RFC7231) at the Authorization Endpoint.,SHALL,Server,,,,"",""
|
119
|
+
hl7.fhir.us.udap-security_1.0.0,247,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,OpenID Connect [authentication] requests MUST contain the openid scope value.,SHALL,Server,,,,"",""
|
120
|
+
hl7.fhir.us.udap-security_1.0.0,248,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,"[When constructing an OpenID Connect authentication request the] `response_type` parameter is REQUIRED. Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used. When using the Authorization Code Flow, this value is code.",SHALL,Server,,,,"",""
|
121
|
+
hl7.fhir.us.udap-security_1.0.0,249,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,[When constructing an OpenID Connect authentication request the] `client_id` [parameter is] REQUIRED [and SHALL be a] Client Identifier valid at the Authorization Server.,SHALL,Server,,,,"",""
|
122
|
+
hl7.fhir.us.udap-security_1.0.0,250,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,[When constructing an OpenID Connect authentication request the] `redirect_uri` [parameter is] REQUIRED [and SHALL be a] Redirection URI to which the response will be sent.,SHALL,Server,,,,"",""
|
123
|
+
hl7.fhir.us.udap-security_1.0.0,251,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,"[When constructing an OpenID Connect authentication request] The [`redirect_uri`] URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in [Section 6.2.1 of [RFC3986]](https://openid.net/specs/openid-connect-core-1_0.html#RFC3986) (Simple String Comparison).",SHALL,Server,,,,"",""
|
124
|
+
hl7.fhir.us.udap-security_1.0.0,252,https://www.udap.org/udap-user-auth-stu1.html,"[When UDAP Tiered OAuth for User Authentication is being requested] If... [the “openid” and “udap”] scope is omitted, the behavior of the IdP is entirely unspecified and the IdP SHOULD NOT proceed with the UDAP Tiered OAuth for User Authentication workflow.",SHOULD NOT,server,,,,"",""
|
125
|
+
hl7.fhir.us.udap-security_1.0.0,253,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST use the authorization code flow when redirecting the user to the IdP’s authorization endpoint,SHALL,server,,,,"",""
|
126
|
+
hl7.fhir.us.udap-security_1.0.0,254,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST generate its own random value for the state parameter,SHALL,server,,,,"",""
|
127
|
+
hl7.fhir.us.udap-security_1.0.0,255,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST NOT reuse the [state] value provided by the Client App in Step 2.,SHALL NOT,server,,,,"",""
|
128
|
+
hl7.fhir.us.udap-security_1.0.0,258,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,The Authorization Server MUST validate all the OAuth 2.0 [authentication request] parameters according to the OAuth 2.0 specification.,SHALL,Server,,,,"",""
|
129
|
+
hl7.fhir.us.udap-security_1.0.0,259,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"the Authorization Server MUST ...Verify that a `scope` parameter is present and contains the `openid` scope value [on an authentication request]. (If no `openid` scope value is present, the request may still be a valid OAuth 2.0 request but is not an OpenID Connect request.)",SHALL,Server,,,,"",""
|
130
|
+
hl7.fhir.us.udap-security_1.0.0,260,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,The Authorization Server MUST verify that all the REQUIRED [authentication request] parameters are present and their usage conforms to this specification.,SHALL,Server,,,,"",""
|
131
|
+
hl7.fhir.us.udap-security_1.0.0,261,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"If the sub (subject) Claim is requested [on an authentication request] with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User identified by that sub value has an active session with the Authorization Server or has been Authenticated as a result of the request.",SHALL,Server,,,,"",""
|
132
|
+
hl7.fhir.us.udap-security_1.0.0,262,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST NOT reply [to an authentication request] with an ID Token or Access Token for a different user, even if they have an active session with the Authorization Server.",SHALL NOT,Server,,,,"",""
|
133
|
+
hl7.fhir.us.udap-security_1.0.0,263,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"When an id_token_hint is present [on an authentication request], the OP MUST validate that it was the issuer of the ID Token.",SHALL,Server,,,,"",""
|
134
|
+
hl7.fhir.us.udap-security_1.0.0,264,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"[When validating authentication requests received] If the Authorization Server encounters any error, it MUST return an error response, per [Section 3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation)",SHALL,Server,,,,"",""
|
135
|
+
hl7.fhir.us.udap-security_1.0.0,265,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,he Authorization Server MUST attempt to Authenticate the End-User [for an authentication request when] … The End-User is not already Authenticated.,SHALL,Server,,,,"",""
|
136
|
+
hl7.fhir.us.udap-security_1.0.0,266,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST attempt to Authenticate the End-User [for an authentication request when] … The Authentication Request contains the prompt parameter with the value login. In this case, the Authorization Server MUST reauthenticate the End-User even if the End-User is already authenticated.",SHALL,Server,,,,"",""
|
137
|
+
hl7.fhir.us.udap-security_1.0.0,267,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST NOT interact with the End-User [on an authentication request when] the Authentication Request contains the prompt parameter with the value none. In this case, the Authorization Server MUST return an error if an End-User is not already Authenticated or could not be silently Authenticated.",SHALL NOT,Server,,,,"",""
|
138
|
+
hl7.fhir.us.udap-security_1.0.0,268,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"In this case, [when the Authentication Request contains the prompt parameter with the value none] the Authorization Server MUST return an error if an End-User is not already Authenticated or could not be silently Authenticated.",SHALL NOT,Server,,,,"",""
|
139
|
+
hl7.fhir.us.udap-security_1.0.0,269,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"When interacting with the End-User [for an authentication request], the Authorization Server MUST employ appropriate measures against Cross-Site Request Forgery and Clickjacking as, described in [Sections 10.12 and 10.13 of OAuth 2.0](https://openid.net/specs/openid-connect-core-1_0.html#RFC6749) [RFC6749].",SHALL,Server,,,,"",""
|
140
|
+
hl7.fhir.us.udap-security_1.0.0,270,https://www.udap.org/udap-user-auth-stu1.html,[When the IdP interacts with the user to authenticate the user] The Resource Holder MUST validate that the value of the state parameter in the query string matches the value generated in Step 3.4.,SHALL,Server,,,,"",""
|
141
|
+
hl7.fhir.us.udap-security_1.0.0,271,https://www.udap.org/udap-user-auth-stu1.html,"[When the IdP interacts with the user to authenticate the user] If [the value of the state parameter in the query string ] does NOT match, the Resource Holder MUST terminate this workflow by redirecting the user’s browser to the Client App’s redirection URI with an error code of “server_error” as per standard OAuth 2.0 error flow.",SHALL NOT,Server,,,,"",""
|
142
|
+
hl7.fhir.us.udap-security_1.0.0,272,https://www.udap.org/udap-user-auth-stu1.html,"If the Resource Holder receives ... an error response from the IdP [for an authentication request], the Resource Holder MUST first validate the value of the state parameter as described in Step 4.1",SHALL,Server,,,,"",""
|
143
|
+
hl7.fhir.us.udap-security_1.0.0,273,https://www.udap.org/udap-user-auth-stu1.html,"If the state value is valid [on an error response for an authentication request], the Resource Holder MUST terminate this workflow by redirecting the user’s browser to the Client App’s redirection URI with an error code of “access_denied” as per standard OAuth 2.0 error flow,",SHALL,Server,,,,"",""
|
144
|
+
hl7.fhir.us.udap-security_1.0.0,278,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,The authorization server MUST implement CSRF protection for its authorization endpoint and ensure that a malicious client cannot obtain authorization without the awareness and explicit consent of the resource owner.,SHALL,Server,,,,"",""
|
145
|
+
hl7.fhir.us.udap-security_1.0.0,279,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP returns a successful authentication response with valid state parameter value and an authorization code, the data holder SHALL exchange the code for an access token and ID Token by making a request to the IdP’s token endpoint as per [Section 3.1.3.1 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest) and Section 4.3 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).",SHALL,Server,,,,"",""
|
146
|
+
hl7.fhir.us.udap-security_1.0.0,282,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP returns an ID Token, the data holder SHALL then validate the ID Token as per Section [3.1.3.5 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation).",SHALL,Server,,,,"",""
|
147
|
+
hl7.fhir.us.udap-security_1.0.0,283,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The Client MUST validate the Token Response … Follow[ing] the validation rules in RFC 6749, especially those in [Sections 5.1 and 10.12](https://datatracker.ietf.org/doc/rfc6749/).",SHALL,Server,,,,"",""
|
148
|
+
hl7.fhir.us.udap-security_1.0.0,284,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,[When constructing an an access token response] the `access_token` parameter [is] `REUIRED`… [and] added to the entity-body of the HTTP response with a 200 (OK) status code,SHALL,Server,,,,"",""
|
149
|
+
hl7.fhir.us.udap-security_1.0.0,285,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,[When constructing an an access token response] the `token_type` parameter [is] `REUIRED`… [and] added to the entity-body of the HTTP response with a 200 (OK) status code,SHALL,Server,,,,"",""
|
150
|
+
hl7.fhir.us.udap-security_1.0.0,287,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,The authorization server MUST NOT issue client passwords or other client credentials to native application or user-agent-based application clients for the purpose of client authentication.,SHALL NOT,Server,,,,"",""
|
151
|
+
hl7.fhir.us.udap-security_1.0.0,288,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The authorization server must consider the security implications of interacting with unauthenticated clients and take measures to limit the potential exposure of other credentials (e.g., refresh tokens) issued to such clients.",SHALL,Server,,,,"",""
|
152
|
+
hl7.fhir.us.udap-security_1.0.0,289,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The Client MUST validate the Token Response ...
|
153
|
+
|
154
|
+
Follow[ing] the ID Token validation rules in Section [3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).",SHALL,Server,,,,"",""
|
155
|
+
hl7.fhir.us.udap-security_1.0.0,290,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The Client MUST validate the Token Response ...
|
156
|
+
|
157
|
+
Follow[ing] the Access Token validation rules in Section [3.1.3.8](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation)",SHALL,Server,,,,"",""
|
158
|
+
hl7.fhir.us.udap-security_1.0.0,291,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP does not return an ID Token, or the ID Token cannot be successfully validated, or an error response is retured by the IdP, the data holder MAY return an `invalid_idp` error code to the client app or attempt an alternate user authentication",SHALL,Server,,,,"",""
|
159
|
+
hl7.fhir.us.udap-security_1.0.0,292,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"When an ID Token has been returned and validated, the data holder SHOULD use the ID Token to attempt to match the authenticated user to a user or role in its own system, as appropriate for the resources requested.",SHOULD,Server,,,,"",""
|
160
|
+
hl7.fhir.us.udap-security_1.0.0,293,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"the data holder can attempt to map the pair (`iss`,`sub`) to a known users in the data holder’s system.",MAY,Server,,,,"",""
|
161
|
+
hl7.fhir.us.udap-security_1.0.0,294,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder has previously performed this mapping or has otherwise bound the pair (`iss`,`sub`) to a local user or role, it MAY rely on this previous mapping for subsequent authentications",MAY,Server,,,,"",""
|
162
|
+
hl7.fhir.us.udap-security_1.0.0,295,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,the data holder MAY interact with the user following the redirection from the IdP back to the data holder’s redirection URI to increase confidence in the [role] resolution process.,MAY,Server,,,,"",""
|
163
|
+
hl7.fhir.us.udap-security_1.0.0,296,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder is unable to resolve the authenticated user to a local user or role, as appropriate for the resources requested, it SHALL return an `access_denied` error response to the client app’s authorization request and terminate the workflow.",SHALL,Server,,,,"",""
|
164
|
+
hl7.fhir.us.udap-security_1.0.0,297,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder successfully maps the authenticated user to a user or role in its own system, as appropriate for the resources requested, it SHALL also obtain authorization from the user for the scopes requested by the client app, if such authorization is required, as per Section [4.5 of UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html), returning to the workflow defined in [Section 4.1](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code) or [Section 5.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code) of this guide, for consumer-facing or B2B apps, respectively.",SHALL,Server,,,,"",""
|
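Review bot: the conformance column disagrees with the requirement text in two of the added rows, and several rows carry typos or a source URL that does not match the quoted text. Row 291 is tagged `SHALL` although the text reads "the data holder MAY return an `invalid_idp` error code to the client app or attempt an alternate user authentication", so it should be tagged `MAY` (and "retured" is "returned"). Row 268 is tagged `SHALL NOT` while its text is a positive obligation, "the Authorization Server MUST return an error if an End-User is not already Authenticated", so `SHALL` is the right tag; row 267 already carries the `MUST NOT interact` half under `SHALL NOT`. Rows 284 and 285 both spell "REUIRED" and "an an access token response", and together with rows 287 and 288 they quote RFC 6749 text (token response parameters, client credentials for native and user-agent clients) but cite `https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation` as the source; point them at the RFC 6749 section the text comes from, as row 278 does for Section 10.12, so the requirement can be traced. Finally, rows 289 and 290 embed newlines inside the quoted requirement field, which is valid CSV but differs from every other row here; collapse them to one line like row 283, or confirm the CSV reader used by the suite handles multi-line quoted fields before merging.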