udap_security_test_kit 0.11.5 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (112)
  1. checksums.yaml +4 -4
  2. data/lib/udap_security_test_kit/authorization_code_received_test.rb +8 -0
  3. data/lib/udap_security_test_kit/authorization_code_redirect_test.rb +3 -0
  4. data/lib/udap_security_test_kit/authorization_code_token_exchange_test.rb +2 -0
  5. data/lib/udap_security_test_kit/authorization_endpoint_field_test.rb +5 -1
  6. data/lib/udap_security_test_kit/client_suite/access_ac_group.rb +2 -0
  7. data/lib/udap_security_test_kit/client_suite/authorization_request_verification_test.rb +5 -0
  8. data/lib/udap_security_test_kit/client_suite/registration_ac_verification_test.rb +34 -0
  9. data/lib/udap_security_test_kit/client_suite/registration_cc_verification_test.rb +30 -0
  10. data/lib/udap_security_test_kit/client_suite/token_request_ac_verification_test.rb +47 -0
  11. data/lib/udap_security_test_kit/client_suite/token_request_cc_verification_test.rb +25 -0
  12. data/lib/udap_security_test_kit/client_suite.rb +11 -0
  13. data/lib/udap_security_test_kit/discovery_group.rb +2 -0
  14. data/lib/udap_security_test_kit/dynamic_client_registration_group.rb +3 -0
  15. data/lib/udap_security_test_kit/endpoints/mock_udap_server.rb +2 -2
  16. data/lib/udap_security_test_kit/grant_types_supported_field_test.rb +3 -0
  17. data/lib/udap_security_test_kit/reg_endpoint_jwt_signing_alg_values_supported_field_test.rb +6 -0
  18. data/lib/udap_security_test_kit/registration_endpoint_field_test.rb +3 -0
  19. data/lib/udap_security_test_kit/registration_failure_invalid_contents_test.rb +4 -1
  20. data/lib/udap_security_test_kit/registration_failure_invalid_jwt_signature_test.rb +2 -0
  21. data/lib/udap_security_test_kit/registration_success_contents_test.rb +3 -0
  22. data/lib/udap_security_test_kit/registration_success_test.rb +3 -0
  23. data/lib/udap_security_test_kit/requirements/generated/udap-security-test-kit_requirements_coverage.csv +317 -0
  24. data/lib/udap_security_test_kit/requirements/generated/udap_security_client_requirements_coverage.csv +146 -0
  25. data/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv +164 -0
  26. data/lib/udap_security_test_kit/requirements/hl7.fhir.us.udap-security_1.0.0_reqs.xlsx +0 -0
  27. data/lib/udap_security_test_kit/requirements/udap_security_test_kit_requirements.csv +308 -0
  28. data/lib/udap_security_test_kit/signed_metadata_contents_test.rb +17 -0
  29. data/lib/udap_security_test_kit/signed_metadata_field_test.rb +4 -1
  30. data/lib/udap_security_test_kit/token_endpoint_auth_methods_supported_field_test.rb +2 -0
  31. data/lib/udap_security_test_kit/token_endpoint_auth_signing_alg_values_supported_field_test.rb +5 -0
  32. data/lib/udap_security_test_kit/token_endpoint_field_test.rb +3 -0
  33. data/lib/udap_security_test_kit/udap_auth_extensions_required_field_test.rb +3 -0
  34. data/lib/udap_security_test_kit/udap_auth_extensions_supported_field_test.rb +3 -0
  35. data/lib/udap_security_test_kit/udap_certifications_required_field_test.rb +3 -0
  36. data/lib/udap_security_test_kit/udap_certifications_supported_field_test.rb +2 -0
  37. data/lib/udap_security_test_kit/udap_profiles_supported_field_test.rb +5 -0
  38. data/lib/udap_security_test_kit/udap_versions_supported_field_test.rb +2 -0
  39. data/lib/udap_security_test_kit/version.rb +2 -2
  40. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb +77 -0
  41. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_authorization_code_usage_test.rb +47 -0
  42. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb +50 -0
  43. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/cryptographic_algorithms_test.rb +44 -0
  44. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/data_holder_auth_request_scope_test.rb +42 -0
  45. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_authentication_compliance_test.rb +44 -0
  46. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb +42 -0
  47. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb +44 -0
  48. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb +47 -0
  49. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/oauth2_protocol_compliance_test.rb +50 -0
  50. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb +45 -0
  51. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb +47 -0
  52. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/resource_holder_authentication_test.rb +45 -0
  53. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb +49 -0
  54. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb +51 -0
  55. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb +43 -0
  56. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb +49 -0
  57. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb +48 -0
  58. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group/authentication_request_construction_test.rb +56 -0
  59. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group/authentication_request_validation_test.rb +60 -0
  60. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group.rb +13 -0
  61. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb +42 -0
  62. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb +51 -0
  63. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb +45 -0
  64. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/resource_holder_authorization_flow_test.rb +37 -0
  65. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group.rb +17 -0
  66. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group/client_certificate_storage_test.rb +36 -0
  67. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group/no_client_credentials_native_apps_test.rb +38 -0
  68. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group.rb +13 -0
  69. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb +45 -0
  70. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb +42 -0
  71. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb +48 -0
  72. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group.rb +15 -0
  73. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/deny_token_request_test.rb +42 -0
  74. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/general_error_response_test.rb +39 -0
  75. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb +43 -0
  76. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_idp_test.rb +39 -0
  77. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb +43 -0
  78. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/prompt_none_test.rb +39 -0
  79. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb +43 -0
  80. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb +42 -0
  81. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb +43 -0
  82. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group.rb +27 -0
  83. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb +47 -0
  84. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb +45 -0
  85. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb +47 -0
  86. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group.rb +15 -0
  87. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb +45 -0
  88. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb +45 -0
  89. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb +44 -0
  90. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb +46 -0
  91. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group.rb +17 -0
  92. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_certificate_chain_validation_test.rb +36 -0
  93. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_grant_parameter_validation_test.rb +36 -0
  94. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_jti_reuse_test.rb +35 -0
  95. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_signature_validation_test.rb +36 -0
  96. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_token_request_validation_test.rb +43 -0
  97. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group.rb +19 -0
  98. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb +43 -0
  99. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb +44 -0
  100. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb +43 -0
  101. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb +42 -0
  102. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb +43 -0
  103. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group.rb +19 -0
  104. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb +49 -0
  105. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/obtain_authorization_scopes_test.rb +44 -0
  106. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/state_parameter_test.rb +48 -0
  107. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb +47 -0
  108. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group.rb +17 -0
  109. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group.rb +33 -0
  110. data/lib/udap_security_test_kit/well_known_endpoint_test.rb +4 -0
  111. data/lib/udap_security_test_kit.rb +10 -0
  112. metadata +85 -4
@@ -0,0 +1,146 @@
+ Req Set,ID,URL,Requirement,Conformance,Actors,Conditionality,Not Tested Reason,Not Tested Details,UDAP Security Client Short ID(s),UDAP Security Client Full ID(s)
+ hl7.fhir.us.udap-security_1.0.0,1,https://hl7.org/fhir/us/udap-security/STU1/#general-requirements-and-serialization,All JSON Web Tokens (JWTs) defined in this [UDAP] guide: SHALL conform to the mandatory requirements of [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519).,SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,2,https://hl7.org/fhir/us/udap-security/STU1/#general-requirements-and-serialization,All JSON Web Tokens (JWTs) defined in this [UDAP] guide: ... SHALL be JSON Web Signatures conforming to the mandatory requirements of [RFC 7515](https://datatracker.ietf.org/doc/html/rfc7515).,SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,3,https://hl7.org/fhir/us/udap-security/STU1/#general-requirements-and-serialization,All JSON Web Tokens (JWTs) defined in this [UDAP] guide: ... SHALL be serialized using JWS Compact Serialization as per [Section 7.1](https://datatracker.ietf.org/doc/html/rfc7515#section-7.1) of RFC 7515.,SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,4,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,Implementations supporting the UDAP workflows defined in this guide **SHALL** support `RS256` [as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)].,SHALL,"Server,Client",,,,5.02,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_crypto_algorithms_and_protocols
+ hl7.fhir.us.udap-security_1.0.0,5,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,Implementations **SHOULD** support `ES256`[as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)],SHOULD,"Server,Client",,,,"",""
+ hl7.fhir.us.udap-security_1.0.0,6,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,[Implementations] **MAY** support `ES384` and/or `RS384` [as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)].,MAY,"Server,Client",,,,"",""
+ hl7.fhir.us.udap-security_1.0.0,7,https://hl7.org/fhir/us/udap-security/STU1/#jwt-headers,All JWTs defined in this [UDAP] guide SHALL contain a Javascript Object Signing and Encryption (JOSE) header as defined in [Section 4](https://datatracker.ietf.org/doc/html/rfc7515#section-4) of RFC 7515 [where] JWT header value`alg` [is] `required`A string identifying the signature algorithm used to sign the JWT,SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,8,https://hl7.org/fhir/us/udap-security/STU1/#jwt-headers,"All JWTs defined in this [UDAP] guide SHALL contain a Javascript Object Signing and Encryption (JOSE) header as defined in [Section 4](https://datatracker.ietf.org/doc/html/rfc7515#section-4) of RFC 7515 [where] JWT header value `x5c`[is] `required`. An array of one or more strings containing the X.509 certificate or certificate chain, where the leaf certificate corresponds to the key used to digitally sign the JWT. Each string in the array is the base64-encoded DER representation of the corresponding certificate, with the leaf certificate appearing as the first (or only) element of the array.",SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,16,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,"If a server returns a `404 Not Found` response to a `GET` request to the UDAP metadata endpoint, the client application SHOULD conclude that the server does not support UDAP workflows.",SHOULD,Client,,,,"",""
+ hl7.fhir.us.udap-security_1.0.0,20,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"For elements that are represented by JSON arrays, clients SHALL interpret an empty array value to mean that the corresponding capability is NOT supported by the server.",SHALL,Client,,,,5.05,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_metadata_interpretation
+ hl7.fhir.us.udap-security_1.0.0,21,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[F]or the workflows defined in this guide, client applications SHALL use the applicable values returned in a server’s UDAP metadata.",SHALL,Client,,,,5.05,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_metadata_interpretation
+ hl7.fhir.us.udap-security_1.0.0,60,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,[A] client application MAY add the optional query parameter `community` to the metadata request URL described in [Section 2.1](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints) to indicate that it trusts certificates issued by the community identified by the parameter value.,MAY,Client,,,,"",""
+ hl7.fhir.us.udap-security_1.0.0,61,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,[when a client adds the query parameter `community`] The value of the parameter SHALL be a URI as determined by the trust community for this purpose.,SHALL,Client,,,,5.17,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_trust_community_query_parameters
+ hl7.fhir.us.udap-security_1.0.0,66,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,"Before FHIR data requests can be made, Client application operators SHALL register each of their applications with the Authorization Servers identified by the FHIR servers with which they wish to exchange data.",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,67,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,Client applications SHALL use the client_id assigned by an Authorization Server in subsequent authorization and token requests to that server.,SHALL,Client,,,,"3.02, 3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,69,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,Confidential clients that can secure a secret MAY use this dynamic client registration protocol as discussed further below to obtain a `client_id`,MAY,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,70,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,Other [non-Confidential] client types SHOULD follow the manual registration processes for each Authorization Server.,SHOULD,Client,,,,"",""
+ hl7.fhir.us.udap-security_1.0.0,71,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,"To register dynamically, the client application first [SHALL] construct ... a software statement as per [section 2](https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-2) of UDAP Dynamic Client Registration.",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,72,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The software statement [sent during dynamic registration] SHALL contain the required header elements specified in [Section 1.2.3](https://hl7.org/fhir/us/udap-security/STU1/index.html#jwt-headers) of this guide,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,73,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The software statement [sent during dynamic registration] SHALL be signed by the client application operator using the signature algorithm identified in the `alg` header of the software statement,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,74,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The software statement [sent during dynamic registration] SHALL be signed by the client application operator using ... the private key that corresponds to the public key listed in the client’s X.509 certificate identified in the`x5c` header of the software statement.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,75,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `iss` [is] `required` [and] SHALL match the value of a uniformResourceIdentifier entry in the Subject Alternative Name extension of the client's certificate included in the `x5c` JWT header,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,76,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `sub` [is] `required`[and is the s]ame as `iss`.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,77,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `aud` [is] `required`[and is the] Authorization Server's ""registration URL""",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,78,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `exp` [is] `required`[and is the] Expiration time integer for this software statement, expressed in seconds since the ""Epoch"" (1970-01-01T00:00:00Z UTC). The exp time SHALL be no more than 5 minutes after the value of the iat claim.",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,79,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `exp`... SHALL be no more than 5 minutes after the value of the `iat` claim.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,80,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `iat` [is] `required`[and is the] Issued time integer for this software statement, expressed in seconds since the ""Epoch""",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,81,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `jti` [is] `required`[and is a] nonce string value that uniquely identifies this software statement.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,82,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `jti` SHALL NOT be reused by the client app in another software statement or authentication JWT before the time specified in the `exp` claim has passed,SHALL,Client,,,,5.11,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_software_statement_registration
+ hl7.fhir.us.udap-security_1.0.0,83,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `client_name` [is] `required`[and is a] string containing the human readable name of the client application,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,84,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `redirect_uris` … SHALL be present if grant_types includes `authorization_code`,SHALL,Client,,,,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,85,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `redirect_uris` … SHALL be absent [if the `grant_types` claim does not include `authorization_code`].,SHALL,Client,,,,2.02,udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification
+ hl7.fhir.us.udap-security_1.0.0,86,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `contacts` [is] `required`[and is the ] array of URI strings indicating how the data holder can contact the app operator regarding the application.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,87,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `contacts` … SHALL contain at least one valid email address using the mailto scheme,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,88,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration and populating t]he JWT claim `logo_uri`... If `grant_types` includes ""authorization_code"", client applications SHALL include this field",SHALL,Client,,,,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,90,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration and populating t]he JWT claim `logo_uri` … [t]he URL SHALL use the https scheme,SHALL,Client,,,,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,91,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration and populating t]he JWT claim `logo_uri` … [t]he URL SHALL ... reference a PNG, JPG, or GIF image file, e.g. ""https://myapp.example.com/MyApp.png""",SHALL,Client,,,,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,92,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `grant_types` [is] `required`[and SHALL include either ""authorization_code"" or ""client_credentials"" but not both. The value ""refresh_token"" SHALL NOT be present in the array unless ""authorization_code"" is also present.",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,93,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `response_types` [SHALL be present i]f `grant_types` contains ""authorization_code""",SHALL,Client,,,,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,94,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `response_types` ... SHALL have a fixed value of `[""code""]` [when populated].",SHALL,Client,,,,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,95,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `response_types` [i]f `grant_types` [does not] contain ""authorization_code"", then this element ... SHALL be omitted.",SHALL,Client,,,,2.02,udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification
+ hl7.fhir.us.udap-security_1.0.0,96,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration t]he JWT claim `token_endpoint_auth_method` [is] `required` [and SHALL contain] Fixed string value: ""private_key_jwt""",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,97,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `scope` [is] `required` [and SHALL contain] a space delimited list of scopes requested by the client application for use in subsequent requests.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,99,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration] for client apps that also support the SMART App Launch framework: apps requesting the ""client_credentials"" grant type SHOULD request system scopes;",SHOULD,Client,,,,"",""
+ hl7.fhir.us.udap-security_1.0.0,100,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement for dynamic registration] for client apps that also support the SMART App Launch framework: ... apps requesting the ""authorization_code"" grant type SHOULD request user or patient scopes.",SHOULD,Client,,,,"",""
+ hl7.fhir.us.udap-security_1.0.0,101,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The unique client URI used for the iss claim SHALL match the uriName entry in the Subject Alternative Name extension of the client app operator’s X.509 certificate,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,102,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The unique client URI used for the iss claim SHALL ... uniquely identify a single client app operator and application over time.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,103,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"The software statement is intended for one-time use with a single OAuth 2.0 server. As such, the `aud` claim SHALL list the URL of the OAuth Server’s registration endpoint",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,104,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"The software statement is intended for one-time use with a single OAuth 2.0 server. As such, … the lifetime of the software statement (`exp` minus `iat`) SHALL be 5 minutes.",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,123,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,A client application SHALL interpret a registration response that contains an empty `grant_types`array as a confirmation that the registration for the `client_id` listed in the response has been cancelled by the Authorization Server.,SHALL,Client,,,,5.11,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_software_statement_registration
+ hl7.fhir.us.udap-security_1.0.0,126,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#consumer-facing,"Consumer-facing client applications SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 authorization code grant flow,",SHALL,Client,,,,3,udap_security_client-udap_client_access_ac
+ hl7.fhir.us.udap-security_1.0.0,127,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,"Client applications SHALL request an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) of RFC 6749,",SHALL,Client,,,,3.02,udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification
+ hl7.fhir.us.udap-security_1.0.0,128,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1,"[When] The client constructs the request URI … the … parameter.. `response_type` [is] `required`[and the] value MUST be set to ""code""",SHALL,Client,,,,3.02,udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification
+ hl7.fhir.us.udap-security_1.0.0,129,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1,[When] The client constructs the request URI … the … parameter.. `client_id` [is] `required`… [and is t]he client identifier as described in [Section 2.2](https://datatracker.ietf.org/doc/html/rfc6749#section-2.2).,SHALL,Client,,,,3.02,udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification
+ hl7.fhir.us.udap-security_1.0.0,130,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,Client applications that also support the SMART App Launch IG are NOT REQUIRED to include a launch scope or launch context requirement scope.,MAY,Client,,,,"",""
+ hl7.fhir.us.udap-security_1.0.0,132,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,[S]ervers MAY optionally support UDAP Tiered OAuth for User Authentication to allow for cross-organizational or third party user authentication as described in [Section 6](https://hl7.org/fhir/us/udap-security/STU1/user.html).,MAY,Client,,,,"",""
+ hl7.fhir.us.udap-security_1.0.0,136,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,If the resource owner grants the access request… The client MUST NOT use the authorization code more than once.,SHALL,Client,,,,5.01,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_auth_code_usage
+ hl7.fhir.us.udap-security_1.0.0,139,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When receiveing an response to an authorization request t]he client MUST ignore unrecognized response parameters.,SHALL,Client,,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_oauth2_protocol_compliance
+ hl7.fhir.us.udap-security_1.0.0,140,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-access-token,"Client applications SHALL exchange authorization codes for access tokens as per [Section 4.1.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3) of RFC 6749,",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,141,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When] the client makes a request to the token endpoint… the `grant_type` [parameter is] `REQUIRED`[and the] Value MUST be set to ""authorization_code""",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,142,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When t]he client makes a request to the token endpoint… the `code` [parameter is] `REQUIRED`[and is] the authorization code received from the authorization server,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,143,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When t]he client makes a request to the token endpoint… the `redirect_uri` [parameter is] `REQUIRED`...if the ""redirect_uri"" parameter was included in the authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and their values MUST be identical.",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,144,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When t]he client makes a request to the token endpoint… the `client_id` [parameter is] `REQUIRED`...if the client is not authenticating with the authorization server as described in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1).,SHALL,Client,,,,5.08,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_token_request_authentication
+ hl7.fhir.us.udap-security_1.0.0,145,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1).",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,151,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"If the client app has registered to authenticate using a private key rather than a shared client_secret, then the client SHALL use its private key to sign an Authentication Token as described in this section, and include this JWT in the client_assertion parameter of its token request as described in section 5.1 of UDAP JWT-Based Client Authentication and detailed further in Section 4.2.2 of this guide.",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,152,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,Authentication Tokens submitted by client apps SHALL conform to the general JWT header requirements above,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,153,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests]the `iss` parameter [is] `required` [and is t]he application's `client_id` as assigned by the Authorization Server during the registration process,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,154,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `sub` parameter [is] `required` [and is t]he application's `client_id` as assigned by the Authorization Server during the registration process,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,155,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `aud` parameter [is] `required` [and is] the FHIR Authorization Server's token endpoint URL,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,156,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `exp` parameter [is] `required` [and is the e]xpiration time integer for this authentication JWT, expressed in seconds since the ""Epoch"" (1970-01-01T00:00:00Z UTC)",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,157,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `iat` parameter [is] `required` [and is the i]ssued time integer for this authentication JWT, expressed in seconds since the ""Epoch""",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,158,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `jti` parameter [is] `required` [and is a] nonce string value that uniquely identifies this authentication,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,159,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` ...element of token requests] … the `jti` parameter... SHALL NOT be reused by the client app in another authentication JWT before the time specified in the `exp` claim has passed,SHALL,Client,,,,5.04,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_jti_reuse_prevention
+ hl7.fhir.us.udap-security_1.0.0,160,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"The maximum lifetime for an Authentication Token SHALL be 5 minutes, i.e. the value of `exp` minus the value of `iat` SHALL NOT exceed 300 seconds.",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,161,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,The Authentication Token SHALL be signed and serialized using the JSON compact serialization method..,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,162,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"For client applications authenticating with a shared secret, the client application and server SHALL follow the token request and response protocol in Section 4.1.3 and Section 4.1.4 of RFC 6749.",SHALL,Client,,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_oauth2_protocol_compliance
+ hl7.fhir.us.udap-security_1.0.0,163,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,Client applications authenticating with a private key and Authentication Token as per Section [4.2.1](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token) SHALL submit a POST request to the Authorization Server’s token endpoint containing the [token request]... parameters as per Section 5.1 of UDAP JWT-Based Client Authentication,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,164,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,Client apps authenticating in this [with a private key and Authentication Token] manner SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request.,SHALL NOT,Client,,,,5.07,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_private_key_authentication
+ hl7.fhir.us.udap-security_1.0.0,165,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `grant_type` [parameter is] `required`[and SHALL contain the f]ixed value: `authorization_code`,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,166,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `code` [parameter is] `required`[and SHALL contain the] code that the app received from the Authorization Server,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,167,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"[When authenticating with a private key and Authentication Token] the `redirect_uri` [parameter is] `conditional`… SHALL be present only if the redirect_uri parameter was included in the authorization request in Section 4.1,",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,168,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `redirect_uri` values SHALL be identical [with those sent on the authorization request].,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,169,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `client_assertion_type` [parameter is] `required`[and SHALL contain the] fixed value: `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,170,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `client_assertion` [parameter is] `required`[and SHALL contain the] signed Authentication Token JWT,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,171,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `udap` [parameter is] `required`[and SHALL contain a f]ixed value: 1,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,175,https://www.udap.org/udap-jwt-client-auth.html,[For the Authorization Server to validate the Client App’s request] the Client MUST include its own certificate [in the x5c parameter of the JOSE header on AnTs in token requests],SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,177,https://www.udap.org/udap-jwt-client-auth.html,"[When validating the Client App’s request t]he iss and sub values MUST correspond to a registered client ID that is permitted to authenticate using an AnT and whose registration is bound to a uniformResourceIdentifier entry in the Subject Alternative Names extension of the Client’s certificate, e.g. via UDAP Dynamic Client Registration",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,178,https://www.udap.org/udap-jwt-client-auth.html,"[When validating the Client App’s request] If the request contains a client_id parameter, the client_id value MUST match the iss and sub values",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,179,https://www.udap.org/udap-jwt-client-auth.html,[When validating the Client App’s token request] The aud value MUST contain the AS’s token endpoint URI,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,180,https://www.udap.org/udap-jwt-client-auth.html,[When validating the Client App’s token request] the AnT MUST be unexpired.,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,181,https://www.udap.org/udap-jwt-client-auth.html,[When validating the Client App’s token request] A maximum AnT lifetime of 5 minutes is RECOMMENDED,SHOULD,Client,,,,"",""
+ hl7.fhir.us.udap-security_1.0.0,185,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,B2B client applications registered to use the authorization code grant SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 authorization code grant flow described in [Section 4.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1) of RFC 6749,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
+ hl7.fhir.us.udap-security_1.0.0,186,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,Client applications registered to use the client credentials grant SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 client credentials grant flow described in [Section 4.4](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) of RFC 6749,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
+ hl7.fhir.us.udap-security_1.0.0,187,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,"[When using the B2B client credentials flow to obtain access] the Requestor [(client)] is responsible for ensuring that the Requestor’s User, if applicable, is using the app only as authorized by the Requestor.",SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+ hl7.fhir.us.udap-security_1.0.0,188,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code,Client applications registered to use the authorization code grant SHALL request an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) of RFC 6749,SHALL,Client,,,,5.01,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_auth_code_usage
+ hl7.fhir.us.udap-security_1.0.0,192,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,"The client SHALL use its private key to sign an Authentication Token..., and include this JWT in the `client_assertion` parameter of its token request as described in section 5.1 of UDAP JWT-Based Client Authentication and detailed further in [Section 5.2.2](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#submitting-a-token-request) of this guide",SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,193,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `sub` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,194,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `aud` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,195,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `exp` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,196,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `iat` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,197,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `jti` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
+ hl7.fhir.us.udap-security_1.0.0,198,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `extensions` claim [is] `conditional` [and] The HL7 B2B Authorization Extension Object ...is required for B2B client apps using the client_credentials flow,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
+ hl7.fhir.us.udap-security_1.0.0,199,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `extensions` claim [is] `conditional` [and shall be] omit[ted] for client apps using the `authorization_code` flow,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+ hl7.fhir.us.udap-security_1.0.0,202,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `version` [is] `required` [with a] String with fixed value: ""1""",SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
+ hl7.fhir.us.udap-security_1.0.0,203,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_name` [is] `conditional` [and SHALL be required if the] String containing the human readable name of the human or non-human requestor [is] known,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+ hl7.fhir.us.udap-security_1.0.0,204,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be required] if known for human requestors when the `subject_name` parameter is present.,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+ hl7.fhir.us.udap-security_1.0.0,205,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id`... For US Realm,... SHALL be the subject's individual National Provider Identifier (NPI)",SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+ hl7.fhir.us.udap-security_1.0.0,206,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be omitted] for non-human requestors,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+ hl7.fhir.us.udap-security_1.0.0,207,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be omitted] ... for requestors who have not been assigned an NPI,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
111
+ hl7.fhir.us.udap-security_1.0.0,208,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_role` [is] `conditional` [and SHALL be required] if known for human requestors when the `subject_name` parameter is present. For US Realm, trust communities SHOULD constrain the allowed values and formats, and are encouraged to draw from the National Uniform Claim Committee (NUCC) Provider Taxonomy Code Set, but are not required to do so to be considered conformant.",SHALL,"Client,Trust Community",,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
112
+ hl7.fhir.us.udap-security_1.0.0,210,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_name` [is] `optional` [and is a] string containing the human readable name of the organizational requestor. If a subject is named, the organizational requestor is the organization represented by the subject.",MAY,Client,,,,"",""
113
+ hl7.fhir.us.udap-security_1.0.0,211,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_name` [is] `optional` … if a subject is named, the organizational requestor is the organization represented by the subject.",MAY,Client,,,,"",""
114
+ hl7.fhir.us.udap-security_1.0.0,212,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_id` [is] `required` [and] SHALL be a Uniform Resource Identifier (URI).,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
115
+ hl7.fhir.us.udap-security_1.0.0,213,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_id` [is] `required` [and] ... Trust communities SHALL define the allowed URI scheme(s).,SHALL,"Client,Trust Community",,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
116
+ hl7.fhir.us.udap-security_1.0.0,214,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_id` [is] `required`... If a URL is used, the issuer SHALL include a URL that is resolvable by the receiving party.",SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
117
+ hl7.fhir.us.udap-security_1.0.0,215,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `purpose_of_use` [is] `required`.,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
118
+ hl7.fhir.us.udap-security_1.0.0,217,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_policy` [is] `optional`[and SHALL contain] an array of one or more strings, each containing a URI identifiying a privacy consent directive policy or other policy consistent with the value of the purpose_of_use parameter.",MAY,Client,,,,"",""
119
+ hl7.fhir.us.udap-security_1.0.0,218,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_reference` [is] `conditional`[and SHALL contain a]n array of one or more strings, each containing an absolute URL consistent with a [literal reference](https://www.hl7.org/fhir/R4/references.html#literal) to a FHIR [Consent](https://www.hl7.org/fhir/R4/consent.html) or [DocumentReference](https://www.hl7.org/fhir/R4/documentreference.html) resource containing or referencing a privacy consent directive relevant to a purpose identified by the `purpose_of_use` parameter and the policy or policies identified by the `consent_policy` parameter.",MAY,Client,,,,"",""
120
+ hl7.fhir.us.udap-security_1.0.0,219,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[When populating the consent_reference value of the B2B Authorization Extension] the value `consent_reference` [is] `conditional` ... [and t]he issuer of this Authorization Extension Object SHALL only include URLs that are resolvable by the receiving party.,SHALL,Client,true,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
121
+ hl7.fhir.us.udap-security_1.0.0,220,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[When populating the consent_reference value of the B2B Authorization Extension] the value `consent_reference` [is] `conditional`... [and i]f a referenced resource does not include the raw document data inline in the resource or as a contained resource, then it SHALL include a URL to the attachment data that is resolvable by the receiving party.",SHALL,Client,true,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
122
+ hl7.fhir.us.udap-security_1.0.0,221,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_reference` [is] `conditional`[and shall be ] ... Omit[ted] if `consent_policy` [paramaeter] is not present.,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
123
+ hl7.fhir.us.udap-security_1.0.0,222,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#submitting-a-token-request,Client applications using the authorization code grant and authenticating with a private key and Authentication Token as per Section 5.2.1 SHALL submit a POST request to the Authorization Server’s token endpoint containing the following parameters as per Section 5.1 of UDAP JWT-Based Client Authentication.,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
124
+ hl7.fhir.us.udap-security_1.0.0,223,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,Client applications using the client credentials grant and authenticating with a private key and Authentication Token as per Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) SHALL submit a POST request to the Authorization Server’s token endpoint containing the following parameters as per Section 5.2 of UDAP JWT-Based Client Authentication.,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
125
+ hl7.fhir.us.udap-security_1.0.0,224,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,Client applications using the client credentials grant and authenticating with a private key and Authentication Token as per Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) … SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request.,SHALL NOT,Client,,,,5.07,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_private_key_authentication
126
+ hl7.fhir.us.udap-security_1.0.0,225,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `grant_type` parameter [is] `required` [and SHALL contain f]ixed value: `client_credentials`,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
127
+ hl7.fhir.us.udap-security_1.0.0,226,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `client_assertion_type` parameter [is] `required` [and SHALL contain f]ixed value: `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
128
+ hl7.fhir.us.udap-security_1.0.0,227,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `client_assertion` parameter [is] `required` [and SHALL contain] the signed Authentication Token JWT,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
129
+ hl7.fhir.us.udap-security_1.0.0,228,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `udap` parameter [is] `required` [and SHALL contain] fixed value: `1`,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
130
+ hl7.fhir.us.udap-security_1.0.0,231,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#refresh-tokens,Client apps that have been issued refresh tokens MAY make refresh requests to the token endpoint as per [Section 6 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-6).,MAY,Client,,,,"",""
131
+ hl7.fhir.us.udap-security_1.0.0,232,https://datatracker.ietf.org/doc/html/rfc6749#section-6,"[When requesting a refresh token] the `grant_type` [parameter is] REQUIRED [and the ] Value MUST be set to ""refresh_token""",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
132
+ hl7.fhir.us.udap-security_1.0.0,233,https://datatracker.ietf.org/doc/html/rfc6749#section-7,[When requesting a refresh token] the `refresh_token` [parameter is] REQUIRED [and is ] The refresh token issued to the client,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
133
+ hl7.fhir.us.udap-security_1.0.0,234,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#refresh-tokens,"Client apps authenticate to the Authorization Server for refresh requests by constructing and including an Authentication Token in the same manner as for initial token requests [i.e., include the client_assertion_type and client_assertion fields as in the token request]",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
134
+ hl7.fhir.us.udap-security_1.0.0,235,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"IdPs that support this [UDAP] guide SHALL include `""openid""` and `""udap""` in the array of scopes returned for the `scopes_supported` parameter.",SHALL,Client,,,,5.03,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_idp_supports_scopes
135
+ hl7.fhir.us.udap-security_1.0.0,236,https://hl7.org/fhir/us/udap-security/STU1/user.html#client-authorization-request-to-data-holder,The client app indicates the preferred Identity Provider to the data holder… by modifying the authorization endpoint request… [and a]dd[ing] `udap` to the list of scopes provided in the value of the `scope` query parameter,SHALL,Client,,,,5.06,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_preferred_idp
136
+ hl7.fhir.us.udap-security_1.0.0,237,https://hl7.org/fhir/us/udap-security/STU1/user.html#client-authorization-request-to-data-holder,The client app indicates the preferred Identity Provider to the data holder… by modifying the authorization endpoint request… [and a]dd[ing] the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP.,SHALL,Client,,,,5.06,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_preferred_idp
137
+ hl7.fhir.us.udap-security_1.0.0,244,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"[When authenticating the user a] client app that receives an error code of `invalid_idp` MAY attempt to obtain authorization again by specifying a different IdP base URL in the `idp` authorization request parameter, or by making a new authorization request without using the Tiered OAuth workflow.",MAY,Client,,,,"",""
138
+ hl7.fhir.us.udap-security_1.0.0,256,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,The `scope` query parameter of the authentication request SHALL contain at least the following two values: `openid` and `udap`.,SHALL,Client,,,,5.14,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_data_holder_auth_request_scope
139
+ hl7.fhir.us.udap-security_1.0.0,257,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,The IdP SHALL authenticate the user as per [Sections 3.1.2.2 - 3.1.2.6 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation) and Sections 4.1 - 4.2 of [UDAP Tiered Oauth](https://www.udap.org/udap-user-auth-stu1.html).,SHALL,Client,,,,5.15,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_idp_authentication_compliance
140
+ hl7.fhir.us.udap-security_1.0.0,274,https://www.udap.org/udap-user-auth-stu1.html,The Client App MUST validate the value of the state parameter returned by the Resource Holder [in response to an authorization request] as per RFC 6749.,SHALL,Client,,,,5.16,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_validation_confidentiality
141
+ hl7.fhir.us.udap-security_1.0.0,275,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,"The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state (e.g., a hash of the session cookie used to authenticate the user-agent).",SHALL,Client,,,,5.13,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_security_csrf_protection
142
+ hl7.fhir.us.udap-security_1.0.0,276,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,The binding value used for CSRF protection MUST contain a non-guessable value (as described in Section 10.10),SHALL,Client,,,,5.13,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_security_csrf_protection
143
+ hl7.fhir.us.udap-security_1.0.0,277,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,"the user-agent's authenticated state (e.g.,session cookie, HTML5 local storage) MUST be kept in a location accessible only to the client and the user-agent (i.e., protected by same-origin policy).",SHALL,Client,,,,5.13,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_security_csrf_protection
144
+ hl7.fhir.us.udap-security_1.0.0,280,https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest,"[When making a token request] If the Client is a Confidential Client, then it MUST authenticate to the Token Endpoint using the authentication method registered for its `client_id`, as described in [Section 9](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication).",SHALL,Client,true,,,5.08,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_token_request_authentication
145
+ hl7.fhir.us.udap-security_1.0.0,281,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST authenticate to the IdP’s token endpoint [when requesting an ID token and access token] as detailed in Section 5 of UDAP JWT-based Client Authentication,SHALL,Client,,,,5.10,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_resource_holder_token_endpoint_authentication
146
+ hl7.fhir.us.udap-security_1.0.0,286,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,Web application clients MUST ensure confidentiality of client passwords and other client credentials.,SHALL,Client,,,,5.16,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_validation_confidentiality
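Review bot: the source URL for requirement 233 (`refresh_token` parameter, "The refresh token issued to the client") points at `https://datatracker.ietf.org/doc/html/rfc6749#section-7`, but RFC 6749 defines both the `grant_type=refresh_token` and `refresh_token` parameters in Section 6 (Refreshing an Access Token); Section 7 is Accessing Protected Resources. Please change the anchor to `#section-6` to match the adjacent row 232. Same check for row 286: the quoted sentence "Web application clients MUST ensure confidentiality of client passwords and other client credentials." is RFC 6749 Section 10.1 text, not OIDC Core TokenResponseValidation, so its URL should be corrected as well. Smaller points in the same block: rows 210 and 211 restate the same `organization_name` sentence ("If a subject is named, the organizational requestor is the organization represented by the subject.") and could be collapsed into one row; row 221 has the editorial typo "[paramaeter]"; and rows 235, 257 and 281 carry `Client` in the Actor column although their subjects are the IdP and the Resource Holder, so a short comment on why the client suite owns them (e.g. attestation-only coverage) would help future maintainers.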