udap_security_test_kit 0.11.5 → 0.12.0

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group/no_client_credentials_native_apps_test.rb

@@ -0,0 +1,38 @@
+module UDAPSecurityTestKit
+  class NoClientCredentialsForNativeAppsAttestationTest < Inferno::Test
+    title 'Does not issue client credentials to native/user-agent-based apps'
+    id :udap_security_no_client_credentials_native_apps
+    description %(
+      The Authorization Server does not issue client passwords or other client
+      credentials to native application or user-agent-based application clients for the
+      purpose of client authentication.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@287'
+
+    input :no_client_credentials_native_apps_correct,
+          title: 'Client Authentication: Does not issue client credentials to native/user-agent-based apps',
+          description: %(
+            I attest that the Authorization Server does not issue client passwords or other client
+            credentials to native application or user-agent-based application clients for the
+            purpose of client authentication.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :no_client_credentials_native_apps_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert no_client_credentials_native_apps_correct == 'true',
+             'Authorization Server issues client credentials to native or user-agent-based application clients.'
+      pass no_client_credentials_native_apps_note if no_client_credentials_native_apps_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group.rb

@@ -0,0 +1,13 @@
+require_relative 'client_authentication_group/client_certificate_storage_test'
+require_relative 'client_authentication_group/no_client_credentials_native_apps_test'
+
+module UDAPSecurityTestKit
+  class ClientAuthenticationGroup < Inferno::TestGroup
+    id :udap_server_v100_client_authentication_group
+    title 'Client Authentication and Credential Management'
+
+    run_as_group
+    test from: :udap_security_client_certificate_storage
+    test from: :udap_security_no_client_credentials_native_apps
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb

@@ -0,0 +1,45 @@
+module UDAPSecurityTestKit
+  class CertificationHandlingAttestationTest < Inferno::Test
+    title 'Handles certifications correctly'
+    id :udap_security_certification_handling
+    description %(
+      The Authorization Server handles certifications correctly:
+      - Ignores unsupported or unrecognized certifications.
+      - Communicates required certifications via the `udap_certifications_required` element in its UDAP metadata.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@116',
+                          'hl7.fhir.us.udap-security_1.0.0@118'
+
+    input :certification_handling_correct,
+          title: 'Dynamic Client Registration: Handles certifications correctly',
+          description: %(
+            I attest that the Authorization Server handles certifications correctly:
+            - Ignores unsupported or unrecognized certifications.
+            - Communicates required certifications via the `udap_certifications_required` element in its UDAP metadata.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :certification_handling_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert certification_handling_correct == 'true',
+             'Authorization Server did not handle certifications correctly.'
+      pass certification_handling_note if certification_handling_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb

@@ -0,0 +1,42 @@
+module UDAPSecurityTestKit
+  class ClientIDModificationAttestationTest < Inferno::Test
+    title 'Handles client ID modification correctly'
+    id :udap_security_client_id_modification
+    description %(
+      Authorization Server cancels the registration for the previous `client_id` if it returns a different `client_id`
+      in response to a registration modification request.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@121'
+
+    input :client_id_modification_correct,
+          title: 'Dynamic Client Registration: Handles client ID modification correctly',
+          description: %(
+            I attest that the Authorization Server cancels the registration for the previous `client_id` if it
+            returns a different `client_id` in response to a registration modification request.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :client_id_modification_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert client_id_modification_correct == 'true',
+             'Authorization Server did not handle client ID modification correctly.'
+      pass client_id_modification_note if client_id_modification_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb

@@ -0,0 +1,48 @@
+module UDAPSecurityTestKit
+  class DynamicClientRegistrationValidationAttestationTest < Inferno::Test
+    title 'Validates requests correctly'
+    id :udap_security_dynamic_client_registration_validation
+    description %(
+      The Authorization Server validates dynamic client registration requests by:
+      - Ensuring the `sub` value matches the `iss` value.
+      - Ensuring the `aud` value contains the Authorization Server’s registration endpoint URL.
+      - Ensuring the software statement is unexpired.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@107',
+                          'hl7.fhir.us.udap-security_1.0.0@108',
+                          'hl7.fhir.us.udap-security_1.0.0@109'
+
+    input :dynamic_client_registration_validation_correct,
+          title: 'Dynamic Client Registration: Validates requests correctly',
+          description: %(
+            I attest that the Authorization Server validates dynamic client registration requests by:
+            - Ensuring the `sub` value matches the `iss` value.
+            - Ensuring the `aud` value contains the Authorization Server’s registration endpoint URL.
+            - Ensuring the software statement is unexpired.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :dynamic_client_registration_validation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert dynamic_client_registration_validation_correct == 'true',
+             'Authorization Server did not validate dynamic client registration requests correctly.'
+      pass dynamic_client_registration_validation_note if dynamic_client_registration_validation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group.rb

@@ -0,0 +1,15 @@
+require_relative 'dynamic_client_registration_group/certification_handling_test'
+require_relative 'dynamic_client_registration_group/client_id_modification_test'
+require_relative 'dynamic_client_registration_group/dynamic_client_registration_validation_test'
+
+module UDAPSecurityTestKit
+  class DynamicClientRegistrationAttestationGroup < Inferno::TestGroup
+    id :udap_server_v100_dynamic_client_registration_group
+    title 'Dynamic Client Registration'
+
+    run_as_group
+    test from: :udap_security_dynamic_client_registration_validation
+    test from: :udap_security_certification_handling
+    test from: :udap_security_client_id_modification
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/deny_token_request_test.rb

@@ -0,0 +1,42 @@
+module UDAPSecurityTestKit
+  class DenyTokenRequestAttestationTest < Inferno::Test
+    title 'Denies token request that cannot be validated from x5c parameter'
+    id :udap_security_deny_token_request
+    description %(
+      Authorization Server denies the token request if:
+      - JWT signature cannot be validated using the public key from the x5c parameter.
+      - A trusted certificate chain cannot be built and validated from the x5c parameter.
+      - Required parameter is missing or a parameter is invalid.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@174',
+                          'hl7.fhir.us.udap-security_1.0.0@176',
+                          'hl7.fhir.us.udap-security_1.0.0@183'
+
+    input :deny_token_request,
+          title: 'Error Handling: Denies token request that cannot be validated from x5c parameter',
+          description: %(
+            I attest that the Authorization Server denies the token request if:
+            - JWT signature cannot be validated using the public key from the x5c parameter.
+            - A trusted certificate chain cannot be built and validated from the x5c parameter.
+            - Required parameter is missing or a parameter is invalid.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :deny_token_request_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert deny_token_request == 'true',
+             'Authorization Server does not deny the token request when parameter(s) are invalid.'
+      pass deny_token_request_note if deny_token_request_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/general_error_response_test.rb

@@ -0,0 +1,39 @@
+module UDAPSecurityTestKit
+  class GeneralErrorResponseAttestationTest < Inferno::Test
+    title 'Returns error response on authentication request errors'
+    id :udap_security_general_error_response
+    description %(
+      Authorization Server returns an error response if it encounters any error while validating
+      an authentication request, as per
+      [Section 3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation).
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@264'
+
+    input :general_error_response_handling_correct,
+          title: 'Error Handling: Returns error response on authentication request errors',
+          description: %(
+            I attest that the Authorization Server returns an error response if it encounters any
+            error while validating an authentication request, as per
+            [Section 3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation).
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :general_error_response_handling_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert general_error_response_handling_correct == 'true',
+             'Authorization Server does not return an error response when it encounters an error
+              while validating an authentication request.'
+      pass general_error_response_handling_note if general_error_response_handling_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb

@@ -0,0 +1,43 @@
+module UDAPSecurityTestKit
+  class InvalidIDTokenErrorAttestationTest < Inferno::Test
+    title 'Handles invalid ID token error correctly'
+    id :udap_security_invalid_id_token_error
+    description %(
+      Data Holder either returns an `invalid_idp` error code or attempts alternate authentication when the IdP
+      does not return an ID Token or validation fails.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@291'
+
+    input :invalid_id_token_error_handling_correct,
+          title: 'Error Handling: Handles invalid ID token error correctly',
+          description: %(
+            I attest that the Data Holder either returns an `invalid_idp` error code or attempts alternate
+            authentication when the IdP does not return an ID Token or validation fails.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :invalid_id_token_error_handling_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert invalid_id_token_error_handling_correct == 'true',
+             'Data Holder does not return an `invalid_idp` error code or attempt alternate authentication
+              when the IdP does not return an ID Token or validation fails.'
+      pass invalid_id_token_error_handling_note if invalid_id_token_error_handling_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_idp_test.rb

@@ -0,0 +1,39 @@
+module UDAPSecurityTestKit
+  class InvalidIdpErrorAttestationTest < Inferno::Test
+    title 'Handles invalid_idp error correctly'
+    id :udap_security_invalid_idp_error
+    description %(
+      Data Holder returns an error response with the `invalid_idp` extension error code
+      when the IdP is rejected, as per
+      [Section 4.1.2.1 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1).
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@241'
+
+    input :invalid_idp_error_handling_correct,
+          title: 'Error Handling: Handles invalid_idp error correctly',
+          description: %(
+            I attest that the Data Holder returns an error response with the `invalid_idp`
+            extension error code when the IdP is rejected, as per
+            [Section 4.1.2.1 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1).
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :invalid_idp_error_handling_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert invalid_idp_error_handling_correct == 'true',
+             'Data Holder does not return an error response with the `invalid_idp` extension error code when the
+              IdP is rejected.'
+      pass invalid_idp_error_handling_note if invalid_idp_error_handling_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb

@@ -0,0 +1,43 @@
+module UDAPSecurityTestKit
+  class InvalidRedirectionURIAttestationTest < Inferno::Test
+    title 'Handles invalid redirection URI correctly'
+    id :udap_security_invalid_redirection_uri
+    description %(
+      The Authorization Server does NOT redirect the user-agent to an invalid redirection URI when the request
+      fails due to a missing or invalid redirection URI.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@242'
+
+    input :invalid_redirection_uri_handling_correct,
+          title: 'Error Handling: Handles Invalid redirection URI correctly',
+          description: %(
+            I attest that the Authorization Server does NOT redirect the user-agent to an invalid redirection
+            URI when the request fails due to a missing or invalid redirection URI.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :invalid_redirection_uri_handling_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert invalid_redirection_uri_handling_correct == 'true',
+             'Authorization Server redirects the user-agent to an invalid redirection URI when the
+              request fails due to a missing or invalid URI.'
+      pass invalid_redirection_uri_handling_note if invalid_redirection_uri_handling_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/prompt_none_test.rb

@@ -0,0 +1,39 @@
+module UDAPSecurityTestKit
+  class PromptNoneErrorAttestationTest < Inferno::Test
+    title 'Returns error for prompt=none when user not authenticated'
+    id :udap_security_prompt_none_error
+    description %(
+      Authorization Server returns an error if the authentication request contains prompt=none
+      and the End-User is not already authenticated or could not be silently authenticated.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@267',
+                          'hl7.fhir.us.udap-security_1.0.0@268'
+
+    input :prompt_none_error_handling_correct,
+          title: 'Error Handling: Returns error for prompt=none when user not authenticated',
+          description: %(
+            I attest that the Authorization Server returns an error if the authentication
+            request contains prompt=none and the End-User is not already authenticated or
+            could not be silently authenticated.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :prompt_none_error_handling_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert prompt_none_error_handling_correct == 'true',
+             'Authorization Server does not return an error for prompt=none when the End-User
+              is not authenticated or could not be silently authenticated.'
+      pass prompt_none_error_handling_note if prompt_none_error_handling_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb

@@ -0,0 +1,43 @@
+module UDAPSecurityTestKit
+  class StateMismatchErrorAttestationTest < Inferno::Test
+    title 'Handles state mismatch error correctly'
+    id :udap_security_state_mismatch_error
+    description %(
+      If the `state` parameter does NOT match, the Resource Holder MUST terminate the workflow and redirect with a
+      `server_error`.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@271'
+
+    input :state_mismatch_error_handling_correct,
+          title: 'Error Handling: State mismatch error is handled correctly',
+          description: %(
+            I attest that the Resource Holder terminates the workflow and redirects with a `server_error` when the
+            `state` parameter does NOT match.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :state_mismatch_error_handling_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert state_mismatch_error_handling_correct == 'true',
+             'Resource Holder does not terminate the workflow or redirect with a `server_error` when the
+             `state` parameter does NOT match.'
+      pass state_mismatch_error_handling_note if state_mismatch_error_handling_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb

@@ -0,0 +1,42 @@
+module UDAPSecurityTestKit
+  class UnauthenticatedUserErrorAttestationTest < Inferno::Test
+    title 'Handles unauthenticated user error correctly'
+    id :udap_security_unauthenticated_user_error
+    description %(
+      Data Holder returns an `access_denied` error response when it cannot resolve the authenticated user.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@296'
+
+    input :unauthenticated_user_error_handling_correct,
+          title: 'Error Handling: Handles unauthenticated user error correctly',
+          description: %(
+            I attest that the Data Holder returns an `access_denied` error response when it cannot resolve
+            the authenticated user.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :unauthenticated_user_error_handling_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert unauthenticated_user_error_handling_correct == 'true',
+             'Data Holder does not return an `access_denied` error response when it cannot resolve the
+              authenticated user.'
+      pass unauthenticated_user_error_handling_note if unauthenticated_user_error_handling_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb

@@ -0,0 +1,43 @@
+module UDAPSecurityTestKit
+  class ValidStateErrorResponseAttestationTest < Inferno::Test
+    title 'Handles valid state error correctly'
+    id :udap_security_valid_state_error_response
+    description %(
+      Resource Holder redirects with an `access_denied` error code when the `state` value is valid
+      on an error response.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@273'
+
+    input :valid_state_error_response_handling_correct,
+          title: 'Error Handling: Handles valid state error correctly',
+          description: %(
+            I attest that the Resource Holder redirects with an `access_denied` error code when the
+            `state` value is valid on an error response.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :valid_state_error_response_handling_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert valid_state_error_response_handling_correct == 'true',
+             'Resource Holder does not redirect with an `access_denied` error code when the `state`
+              value is valid on an error response.'
+      pass valid_state_error_response_handling_note if valid_state_error_response_handling_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group.rb

@@ -0,0 +1,27 @@
+require_relative 'error_handling_group/deny_token_request_test'
+require_relative 'error_handling_group/general_error_response_test'
+require_relative 'error_handling_group/invalid_id_token_test'
+require_relative 'error_handling_group/invalid_idp_test'
+require_relative 'error_handling_group/invalid_redirection_uri_test'
+require_relative 'error_handling_group/prompt_none_test'
+require_relative 'error_handling_group/state_mismatch_test'
+require_relative 'error_handling_group/unauthenticated_user_test'
+require_relative 'error_handling_group/valid_state_error_response_test'
+
+module UDAPSecurityTestKit
+  class ErrorHandlingAttestationGroup < Inferno::TestGroup
+    id :udap_server_v100_error_handling_group
+    title 'Error Handling'
+
+    run_as_group
+    test from: :udap_security_invalid_idp_error
+    test from: :udap_security_invalid_id_token_error
+    test from: :udap_security_deny_token_request
+    test from: :udap_security_prompt_none_error
+    test from: :udap_security_invalid_redirection_uri
+    test from: :udap_security_state_mismatch_error
+    test from: :udap_security_unauthenticated_user_error
+    test from: :udap_security_valid_state_error_response
+    :udap_security_general_error_response
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb

@@ -0,0 +1,47 @@
+module UDAPSecurityTestKit
+  class AccessTokenValidationAttestationTest < Inferno::Test
+    title 'Validates access token correctly'
+    id :udap_security_access_token_validation
+    description %(
+      Data Holder validates the Access Token as per the Access Token validation rules,
+      including:
+      - Verifying the token's integrity.
+      - Checking claims such as `exp` and other relevant attributes.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@283',
+                          'hl7.fhir.us.udap-security_1.0.0@290'
+
+    input :access_token_validation_correct,
+          title: 'ID Token and Access Token Validation: Validates access token correctly',
+          description: %(
+            I attest that the Data Holder validates the Access Token as per the Access Token validation rules,
+            including:
+            - Verifying the token's integrity.
+            - Checking claims such as `exp` and other relevant attributes.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :access_token_validation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert access_token_validation_correct == 'true',
+             'Access Token validation is not implemented correctly as per the Access Token validation rules.'
+      pass access_token_validation_note if access_token_validation_note.present?
+    end
+  end
+end