RubyGems - udap_security_test_kit - Versions diffs - 0.11.5 → 0.12.0 - Mend

udap_security_test_kit 0.11.5 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (112) hide show

data/lib/udap_security_test_kit/udap_certifications_required_field_test.rb CHANGED Viewed

@@ -15,6 +15,9 @@ module UDAPSecurityTestKit
     input :udap_well_known_metadata_json
     output :udap_certifications_required
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@34',
+                          'hl7.fhir.us.udap-security_1.0.0@35'
     run do
       assert_valid_json(udap_well_known_metadata_json)
       config = JSON.parse(udap_well_known_metadata_json)

data/lib/udap_security_test_kit/udap_certifications_supported_field_test.rb CHANGED Viewed

@@ -13,6 +13,8 @@ module UDAPSecurityTestKit
     input :udap_well_known_metadata_json
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@33'
     run do
       assert_valid_json(udap_well_known_metadata_json)
       config = JSON.parse(udap_well_known_metadata_json)

data/lib/udap_security_test_kit/udap_profiles_supported_field_test.rb CHANGED Viewed

@@ -20,6 +20,11 @@ module UDAPSecurityTestKit
     input :udap_well_known_metadata_json
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@23',
+                          'hl7.fhir.us.udap-security_1.0.0@24',
+                          'hl7.fhir.us.udap-security_1.0.0@25',
+                          'hl7.fhir.us.udap-security_1.0.0@26'
     run do
       assert_valid_json(udap_well_known_metadata_json)
       config = JSON.parse(udap_well_known_metadata_json)

data/lib/udap_security_test_kit/udap_versions_supported_field_test.rb CHANGED Viewed

@@ -11,6 +11,8 @@ module UDAPSecurityTestKit
     input :udap_well_known_metadata_json
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@22'
     run do
       assert_valid_json(udap_well_known_metadata_json)
       config = JSON.parse(udap_well_known_metadata_json)

data/lib/udap_security_test_kit/version.rb CHANGED Viewed

@@ -1,4 +1,4 @@
 module UDAPSecurityTestKit
-  VERSION = '0.11.5'.freeze
-  LAST_UPDATED = '2025-05-14'.freeze
+  VERSION = '0.12.0'.freeze
+  LAST_UPDATED = '2025-07-21'.freeze
 end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb ADDED Viewed

@@ -0,0 +1,77 @@
+module UDAPSecurityTestKit
+  class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test
+    title 'Complies with requirements for the B2B Flow and Authorization Extension Object'
+    id :udap_security_b2b_authorization_extension_object
+    description %(
+      Client application complies with requirements for the B2B Flow and Authorization Extension Object and:
+      - Includes `subject_name` parameter if it is known for human or non-human requestors.
+      - Includes `subject_id` parameter for human requestors when the `subject_name` parameter is present.
+      - Uses the National Provider Identifier (NPI) as the value for `subject_id` for human requestors in the US Realm.
+      - Ensures that the `consent_reference` parameter includes URLs that are resolvable by the receiving party.
+      - Omits `consent_reference` if `consent_policy` is not present.
+      - Ensures that the Requestor’s User, if applicable, is using the app only as authorized by the Requestor.
+      - Omits the `extensions` claim for client apps using the `authorization_code` flow.
+      - Includes the `subject_role` value if known for human requestors when the `subject_name` parameter is
+        present, and for US Realm, uses values/formats constrained by trust communities (preferably from the
+        NUCC Provider Taxonomy Code Set).
+      - Includes the `organization_id` value, using a URI scheme defined by the trust community.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@187',
+                          'hl7.fhir.us.udap-security_1.0.0@199',
+                          'hl7.fhir.us.udap-security_1.0.0@203',
+                          'hl7.fhir.us.udap-security_1.0.0@204',
+                          'hl7.fhir.us.udap-security_1.0.0@205',
+                          'hl7.fhir.us.udap-security_1.0.0@206',
+                          'hl7.fhir.us.udap-security_1.0.0@207',
+                          'hl7.fhir.us.udap-security_1.0.0@208',
+                          'hl7.fhir.us.udap-security_1.0.0@213',
+                          'hl7.fhir.us.udap-security_1.0.0@219',
+                          'hl7.fhir.us.udap-security_1.0.0@220',
+                          'hl7.fhir.us.udap-security_1.0.0@221'
+    input :b2b_authorization_extension_object_compliance,
+          title: 'Complies with requirements for the B2B Flow and Authorization Extension Object',
+          description: %(
+            I attest that the client application complies with requirements for the B2B Flow and Authorization
+            Extension Object and:
+            - Includes `subject_name` parameter if it is known for human or non-human requestors.
+            - Includes `subject_id` parameter for human requestors when the `subject_name` parameter is present.
+            - Uses the National Provider Identifier (NPI) as the value for `subject_id` for human requestors in the
+              US Realm.
+            - Ensures that the `consent_reference` parameter includes URLs that are resolvable by the receiving party.
+            - Omits `consent_reference` if `consent_policy` is not present.
+            - Ensures that the Requestor’s User, if applicable, is using the app only as authorized by the Requestor.
+            - Omits the `extensions` claim for client apps using the `authorization_code` flow.
+            - Includes the `subject_role` value if known for human requestors when the `subject_name` parameter is
+              present, and for US Realm, uses values/formats constrained by trust communities (preferably from the
+              NUCC Provider Taxonomy Code Set).
+            - Includes the `organization_id` value, using a URI scheme defined by the trust community.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :b2b_authorization_extension_object_compliance_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+    run do
+      assert b2b_authorization_extension_object_compliance == 'true',
+             'Client application did not comply with requirements for the B2B Authorization Extension Object.'
+      if b2b_authorization_extension_object_compliance_note.present?
+        pass b2b_authorization_extension_object_compliance_note
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_authorization_code_usage_test.rb ADDED Viewed

@@ -0,0 +1,47 @@
+module UDAPSecurityTestKit
+  class ClientAuthorizationCodeUsageAttestationTest < Inferno::Test
+    title 'Uses authorization code correctly'
+    id :udap_security_client_auth_code_usage
+    description %(
+      Client application uses the authorization code correctly by:
+      - Ensuring the authorization code is not used more than once.
+      - Requesting an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1)
+        of RFC 6749.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@136',
+                          'hl7.fhir.us.udap-security_1.0.0@188'
+    input :authorization_code_usage_correctly,
+          title: 'Uses authorization code correctly',
+          description: %(
+            I attest that the client application uses the authorization code correctly by:
+            - Ensuring the authorization code is not used more than once.
+            - Requesting an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1)
+              of RFC 6749.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :authorization_code_usage_correctly_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+    run do
+      assert authorization_code_usage_correctly == 'true',
+             'Client application did not demonstrate correct usage of the authorization code.'
+      pass authorization_code_usage_correctly_note if authorization_code_usage_correctly_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb ADDED Viewed

@@ -0,0 +1,50 @@
+module UDAPSecurityTestKit
+  class ClientSecurityAndCSRFProtectionAttestationTest < Inferno::Test
+    title 'Complies with Client Security and CSRF Protection'
+    id :udap_security_client_security_csrf_protection
+    description %(
+      Client applications complies with the requirements for Client Security and CSRF Protection:
+      - Implements CSRF protection for its redirection URI.
+      - Uses a binding value for CSRF protection that contains a non-guessable value.
+      - Ensures the user-agent's authenticated state is accessible only to the client and user-agent, protected by
+        the same-origin policy.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@275',
+                          'hl7.fhir.us.udap-security_1.0.0@276',
+                          'hl7.fhir.us.udap-security_1.0.0@277'
+    input :csrf_protection_implementation,
+          title: 'Complies with the requirements for Client Security and CSRF Protection',
+          description: %(
+            I attest that the client application complies with the requirements for Client Security and CSRF Protection:
+            - Implements CSRF protection for its redirection URI.
+            - Uses a binding value for CSRF protection that contains a non-guessable value.
+            - Ensures the user-agent's authenticated state is accessible only to the client and user-agent, protected by
+              the same-origin policy.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :csrf_protection_implementation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+    run do
+      assert csrf_protection_implementation == 'true',
+             'Client application did not comply with the requirements for Client Security and CSRF Protection.'
+      pass csrf_protection_implementation_note if csrf_protection_implementation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/cryptographic_algorithms_test.rb ADDED Viewed

@@ -0,0 +1,44 @@
+module UDAPSecurityTestKit
+  class CryptographicAlgorithmsAndSecurityProtocolsAttestationTest < Inferno::Test
+    title 'supports the RS256 signature algorithm'
+    id :udap_security_crypto_algorithms_and_protocols
+    description %(
+      Client application supports the RS256 signature algorithm as defined in as defined in
+      [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1) for UDAP workflows.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@4'
+    input :crypto_algorithms_and_protocols_compliance,
+          title: 'Supports the RS256 signature algorithm',
+          description: %(
+            I attest that the client application supports the RS256 signature algorithm as defined in as defined in
+            [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1) for UDAP workflows.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :crypto_algorithms_and_protocols_compliance_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+    run do
+      assert crypto_algorithms_and_protocols_compliance == 'true',
+             'Client application did not comply with cryptographic algorithms and security protocols requirements
+              (RS256 support).'
+      pass crypto_algorithms_and_protocols_compliance_note if crypto_algorithms_and_protocols_compliance_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/data_holder_auth_request_scope_test.rb ADDED Viewed

@@ -0,0 +1,42 @@
+module UDAPSecurityTestKit
+  class DataHolderAuthRequestScopeAttestationTest < Inferno::Test
+    title 'Data Holder Authentication Request Contains `openid` and `udap` Scopes'
+    id :udap_security_data_holder_auth_request_scope
+    description %(
+      Data holder's authentication request to the Identity Provider includes both
+      `openid` and `udap` in the `scope` query parameter.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@256'
+    input :auth_request_scope_contains_openid_udap,
+          title: 'Authentication request `scope` contains `openid` and `udap`',
+          description: %(
+            I attest that the data holder's authentication request to the Identity Provider includes both
+            `openid` and `udap` in the `scope` query parameter.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :auth_request_scope_contains_openid_udap_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+    run do
+      assert auth_request_scope_contains_openid_udap == 'true',
+             'Authentication request did not include both `openid` and `udap` in the `scope` query parameter.'
+      pass auth_request_scope_contains_openid_udap_note if auth_request_scope_contains_openid_udap_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_authentication_compliance_test.rb ADDED Viewed

@@ -0,0 +1,44 @@
+module UDAPSecurityTestKit
+  class IdPAuthenticationComplianceAttestationTest < Inferno::Test
+    title 'Identity Provider Authenticates User per OIDC Core and UDAP Tiered OAuth'
+    id :udap_security_idp_authentication_compliance
+    description %(
+      The Identity Provider authenticates the user according to
+      [Sections 3.1.2.2 - 3.1.2.6 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation)
+      and Sections 4.1 - 4.2 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@257'
+    input :idp_authenticates_per_spec,
+          title: 'IdP authenticates user per OIDC Core and UDAP Tiered OAuth',
+          description: %(
+            I attest that the Identity Provider authenticates the user according to
+            [Sections 3.1.2.2 - 3.1.2.6 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation)
+            and Sections 4.1 - 4.2 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :idp_authenticates_per_spec_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+    run do
+      assert idp_authenticates_per_spec == 'true',
+             'Identity Provider did not authenticate the user as per OIDC Core and UDAP Tiered OAuth specifications.'
+      pass idp_authenticates_per_spec_note if idp_authenticates_per_spec_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb ADDED Viewed

@@ -0,0 +1,42 @@
+module UDAPSecurityTestKit
+  class IdPSupportsRequiredScopesAttestationTest < Inferno::Test
+    title 'Supports required scopes in IdPs'
+    id :udap_security_idp_supports_scopes
+    description %(
+        Identity Provider (IdP) includes `"openid"` and `"udap"` in the array of scopes returned
+        for the `scopes_supported` parameter.
+      )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@235'
+    input :idp_supports_required_scopes,
+          title: 'Supports required scopes',
+          description: %(
+              I attest that the Identity Provider (IdP) includes `"openid"` and `"udap"` in the array of scopes returned
+              for the `scopes_supported` parameter.
+            ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :idp_supports_required_scopes_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+    run do
+      assert idp_supports_required_scopes == 'true',
+             'Identity Provider (IdP) did not demonstrate support for required scopes.'
+      pass idp_supports_required_scopes_note if idp_supports_required_scopes_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb ADDED Viewed

@@ -0,0 +1,44 @@
+module UDAPSecurityTestKit
+  class JTIReusePreventionAttestationTest < Inferno::Test
+    title 'Prevents reuse of JTI values in authentication tokens'
+    id :udap_security_jti_reuse_prevention
+    description %(
+      Client application prevents reuse of JTI values in authentication tokens by:
+      - Ensuring the `jti` parameter is not reused in another authentication JWT before the time specified
+        in the `exp` claim has passed.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@159'
+    input :jti_reuse_prevention_correctly,
+          title: 'Prevents reuse of JTI values in authentication tokens',
+          description: %(
+            I attest that the client application prevents reuse of JTI values in authentication tokens by:
+            - Ensuring the `jti` parameter is not reused in another authentication JWT before the time specified
+              in the `exp` claim has passed.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :jti_reuse_prevention_correctly_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+    run do
+      assert jti_reuse_prevention_correctly == 'true',
+             'Client application did not demonstrate prevention of JTI reuse in authentication tokens.'
+      pass jti_reuse_prevention_correctly_note if jti_reuse_prevention_correctly_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb ADDED Viewed

@@ -0,0 +1,47 @@
+module UDAPSecurityTestKit
+  class MetadataInterpretationAttestationTest < Inferno::Test
+    title 'Interprets metadata correctly'
+    id :udap_security_metadata_interpretation
+    description %(
+      Client application interprets metadata correctly by:
+      - Interpreting an empty array value in metadata as indicating that the corresponding capability is
+        NOT supported by the server.
+      - Using applicable values returned in a server’s UDAP metadata for workflows defined in this guide.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@20',
+                          'hl7.fhir.us.udap-security_1.0.0@21'
+    input :interprets_metadata_correctly,
+          title: 'Interprets metadata correctly',
+          description: %(
+            I attest that the client application interprets metadata correctly by:
+            - Interpreting an empty array value in metadata as indicating that the corresponding capability is
+              NOT supported by the server.
+            - Using applicable values returned in a server’s UDAP metadata for workflows defined in this guide.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :interprets_metadata_correctly_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+    run do
+      assert interprets_metadata_correctly == 'true',
+             'Client application did not demonstrate correct interpretation of metadata.'
+      pass interprets_metadata_correctly_note if interprets_metadata_correctly_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/oauth2_protocol_compliance_test.rb ADDED Viewed

@@ -0,0 +1,50 @@
+module UDAPSecurityTestKit
+  class OAuth2ProtocolComplianceAttestationTest < Inferno::Test
+    title 'Complies with OAuth 2.0 Protocol Requirements'
+    id :udap_security_oauth2_protocol_compliance
+    description %(
+      Client application complies with OAuth 2.0 protocol requirements:
+      - Ignores unrecognized response parameters in the authorization response when receiveing an response to an
+        authorization request.
+      - Follows the token request and response protocol as defined in RFC 6749 Sections 4.1.3 and 4.1.4 when
+        authenticating with a shared secret.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@139',
+                          'hl7.fhir.us.udap-security_1.0.0@162'
+    input :oauth2_protocol_compliance,
+          title: 'Complies with OAuth 2.0 Protocol Requirements',
+          description: %(
+            I attest that the client application complies with OAuth 2.0 protocol requirements:
+            - Ignores unrecognized response parameters in the authorization response when receiveing an response to an
+              authorization request.
+            - Follows the token request and response protocol as defined in RFC 6749 Sections 4.1.3 and 4.1.4 when
+              authenticating with a shared secret.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :oauth2_protocol_compliance_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+    run do
+      assert oauth2_protocol_compliance == 'true',
+             'Client application did not comply with OAuth 2.0 protocol requirements.'
+      pass oauth2_protocol_compliance_note if oauth2_protocol_compliance_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb ADDED Viewed

@@ -0,0 +1,45 @@
+module UDAPSecurityTestKit
+  class PreferredIdentityProviderAttestationTest < Inferno::Test
+    title 'Indicates preferred Identity Provider'
+    id :udap_security_preferred_idp
+    description %(
+      Client application indicates the preferred Identity Provider (IdP) to the data holder by:
+      - Adding `udap` to the list of scopes provided in the `scope` query parameter.
+      - Adding the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@236',
+                          'hl7.fhir.us.udap-security_1.0.0@237'
+    input :indicates_preferred_idp,
+          title: 'Indicates preferred Identity Provider',
+          description: %(
+            I attest that the client application indicates the preferred Identity Provider (IdP) to the data holder by:
+            - Adding `udap` to the list of scopes provided in the `scope` query parameter.
+            - Adding the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :indicates_preferred_idp_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+    run do
+      assert indicates_preferred_idp == 'true',
+             'Client application did not demonstrate correct indication of the preferred Identity Provider.'
+      pass indicates_preferred_idp_note if indicates_preferred_idp_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb ADDED Viewed

@@ -0,0 +1,47 @@
+module UDAPSecurityTestKit
+  class PrivateKeyAuthenticationAttestationTest < Inferno::Test
+    title 'Uses private key authentication correctly'
+    id :udap_security_private_key_authentication
+    description %(
+      Client application uses private key authentication correctly as per
+      Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) by:
+      - Omitting the HTTP Authorization header and client secret in token endpoint requests when authenticating
+        with a private key and Authentication Token.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@164',
+                          'hl7.fhir.us.udap-security_1.0.0@224'
+    input :private_key_authentication_correctly,
+          title: 'Uses private key authentication correctly',
+          description: %(
+            I attest that the client application uses private key authentication correctly as per
+            Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) by:
+            - Omitting the HTTP Authorization header and client secret in token endpoint requests when authenticating
+              with a private key and Authentication Token.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :private_key_authentication_correctly_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+    run do
+      assert private_key_authentication_correctly == 'true',
+             'Client application did not demonstrate correct private key authentication.'
+      pass private_key_authentication_correctly_note if private_key_authentication_correctly_note.present?
+    end
+  end
+end