RubyGems - udap_security_test_kit - Versions diffs - 0.11.6 → 0.12.0 - Mend

udap_security_test_kit 0.11.6 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

data/lib/udap_security_test_kit/requirements/generated/udap_security_client_requirements_coverage.csv CHANGED Viewed

@@ -2,16 +2,16 @@
 hl7.fhir.us.udap-security_1.0.0,1,https://hl7.org/fhir/us/udap-security/STU1/#general-requirements-and-serialization,All JSON Web Tokens (JWTs) defined in this [UDAP] guide: SHALL conform to the mandatory requirements of [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519).,SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
 hl7.fhir.us.udap-security_1.0.0,2,https://hl7.org/fhir/us/udap-security/STU1/#general-requirements-and-serialization,All JSON Web Tokens (JWTs) defined in this [UDAP] guide: ... SHALL be JSON Web Signatures conforming to the mandatory requirements of [RFC 7515](https://datatracker.ietf.org/doc/html/rfc7515).,SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
 hl7.fhir.us.udap-security_1.0.0,3,https://hl7.org/fhir/us/udap-security/STU1/#general-requirements-and-serialization,All JSON Web Tokens (JWTs) defined in this [UDAP] guide: ... SHALL be serialized using JWS Compact Serialization as per [Section 7.1](https://datatracker.ietf.org/doc/html/rfc7515#section-7.1) of RFC 7515.,SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
-hl7.fhir.us.udap-security_1.0.0,4,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,Implementations supporting the UDAP workflows defined in this guide **SHALL** support `RS256` [as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)].,SHALL,"Server,Client",,,,"",""
+hl7.fhir.us.udap-security_1.0.0,4,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,Implementations supporting the UDAP workflows defined in this guide **SHALL** support `RS256` [as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)].,SHALL,"Server,Client",,,,5.02,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_crypto_algorithms_and_protocols
 hl7.fhir.us.udap-security_1.0.0,5,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,Implementations **SHOULD** support `ES256`[as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)],SHOULD,"Server,Client",,,,"",""
 hl7.fhir.us.udap-security_1.0.0,6,https://hl7.org/fhir/us/udap-security/STU1/#signature-algorithm-identifiers,[Implementations] **MAY** support `ES384` and/or `RS384` [as defined in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)].,MAY,"Server,Client",,,,"",""
 hl7.fhir.us.udap-security_1.0.0,7,https://hl7.org/fhir/us/udap-security/STU1/#jwt-headers,All JWTs defined in this [UDAP] guide SHALL contain a Javascript Object Signing and Encryption (JOSE) header as defined in [Section 4](https://datatracker.ietf.org/doc/html/rfc7515#section-4) of RFC 7515 [where] JWT header value`alg` [is] `required`A string identifying the signature algorithm used to sign the JWT,SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
 hl7.fhir.us.udap-security_1.0.0,8,https://hl7.org/fhir/us/udap-security/STU1/#jwt-headers,"All JWTs defined in this [UDAP] guide SHALL contain a Javascript Object Signing and Encryption (JOSE) header as defined in [Section 4](https://datatracker.ietf.org/doc/html/rfc7515#section-4) of RFC 7515 [where] JWT header value `x5c`[is] `required`.  An array of one or more strings containing the X.509 certificate or certificate chain, where the leaf certificate corresponds to the key used to digitally sign the JWT. Each string in the array is the base64-encoded DER representation of the corresponding certificate, with the leaf certificate appearing as the first (or only) element of the array.",SHALL,"Server,Client",,,,"1.02, 2.02, 3.03, 4.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
 hl7.fhir.us.udap-security_1.0.0,16,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,"If a server returns a `404 Not Found` response to a `GET` request to the UDAP metadata endpoint, the client application SHOULD conclude that the server does not support UDAP workflows.",SHOULD,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,20,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"For elements that are represented by JSON arrays, clients SHALL interpret an empty array value to mean that the corresponding capability is NOT supported by the server.",SHALL,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,21,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[F]or the workflows defined in this guide, client applications SHALL use the applicable values returned in a server’s UDAP metadata.",SHALL,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,20,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"For elements that are represented by JSON arrays, clients SHALL interpret an empty array value to mean that the corresponding capability is NOT supported by the server.",SHALL,Client,,,,5.05,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_metadata_interpretation
+hl7.fhir.us.udap-security_1.0.0,21,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[F]or the workflows defined in this guide, client applications SHALL use the applicable values returned in a server’s UDAP metadata.",SHALL,Client,,,,5.05,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_metadata_interpretation
 hl7.fhir.us.udap-security_1.0.0,60,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,[A] client application MAY add the optional query parameter `community` to the metadata request URL described in [Section 2.1](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints) to indicate that it trusts certificates issued by the community identified by the parameter value.,MAY,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,61,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,[when a client adds the query parameter `community`] The value of the parameter SHALL be a URI as determined by the trust community for this purpose.,SHALL,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,61,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,[when a client adds the query parameter `community`] The value of the parameter SHALL be a URI as determined by the trust community for this purpose.,SHALL,Client,,,,5.17,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_trust_community_query_parameters
 hl7.fhir.us.udap-security_1.0.0,66,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,"Before FHIR data requests can be made, Client application operators SHALL register each of their applications with the Authorization Servers identified by the FHIR servers with which they wish to exchange data.",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
 hl7.fhir.us.udap-security_1.0.0,67,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,Client applications SHALL use the client_id assigned by an Authorization Server in subsequent authorization and token requests to that server.,SHALL,Client,,,,"3.02, 3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification, udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
 hl7.fhir.us.udap-security_1.0.0,69,https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration,Confidential clients that can secure a secret MAY use this dynamic client registration protocol as discussed further below to obtain a `client_id`,MAY,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
@@ -27,7 +27,7 @@ hl7.fhir.us.udap-security_1.0.0,78,https://hl7.org/fhir/us/udap-security/STU1/re
 hl7.fhir.us.udap-security_1.0.0,79,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `exp`... SHALL be no more than 5 minutes after the value of the `iat` claim.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
 hl7.fhir.us.udap-security_1.0.0,80,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"[When constructing the software statement  for dynamic registration t]he JWT claim `iat` [is] `required`[and is the] Issued time integer for this software statement, expressed in seconds since the ""Epoch""",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
 hl7.fhir.us.udap-security_1.0.0,81,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement  for dynamic registration t]he JWT claim `jti` [is] `required`[and is a] nonce string value that uniquely identifies this software statement.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
-hl7.fhir.us.udap-security_1.0.0,82,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement  for dynamic registration t]he JWT claim `jti` SHALL NOT be reused by the client app in another software statement or authentication JWT before the time specified in the `exp` claim has passed,SHALL,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,82,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement  for dynamic registration t]he JWT claim `jti` SHALL NOT be reused by the client app in another software statement or authentication JWT before the time specified in the `exp` claim has passed,SHALL,Client,,,,5.11,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_software_statement_registration
 hl7.fhir.us.udap-security_1.0.0,83,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `client_name` [is] `required`[and is a] string containing the human readable name of the client application,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
 hl7.fhir.us.udap-security_1.0.0,84,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `redirect_uris` … SHALL be present if grant_types includes `authorization_code`,SHALL,Client,,,,1.02,udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification
 hl7.fhir.us.udap-security_1.0.0,85,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,[When constructing the software statement for dynamic registration t]he JWT claim `redirect_uris` … SHALL be absent [if the `grant_types` claim does not include `authorization_code`].,SHALL,Client,,,,2.02,udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification
@@ -48,20 +48,20 @@ hl7.fhir.us.udap-security_1.0.0,101,https://hl7.org/fhir/us/udap-security/STU1/r
 hl7.fhir.us.udap-security_1.0.0,102,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The unique client URI used for the iss claim SHALL ... uniquely identify a single client app operator and application over time.,SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
 hl7.fhir.us.udap-security_1.0.0,103,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"The software statement is intended for one-time use with a single OAuth 2.0 server. As such, the `aud` claim SHALL list the URL of the OAuth Server’s registration endpoint",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
 hl7.fhir.us.udap-security_1.0.0,104,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,"The software statement is intended for one-time use with a single OAuth 2.0 server. As such, …  the lifetime of the software statement (`exp` minus `iat`) SHALL be 5 minutes.",SHALL,Client,,,,"1.02, 2.02","udap_security_client-udap_client_registration_ac-udap_client_registration_ac_verification, udap_security_client-udap_client_registration_cc-udap_client_registration_cc_verification"
-hl7.fhir.us.udap-security_1.0.0,123,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,A client application SHALL interpret a registration response that contains an empty `grant_types`array as a confirmation that the registration for the `client_id` listed in the response has been cancelled by the Authorization Server.,SHALL,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,123,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,A client application SHALL interpret a registration response that contains an empty `grant_types`array as a confirmation that the registration for the `client_id` listed in the response has been cancelled by the Authorization Server.,SHALL,Client,,,,5.11,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_software_statement_registration
 hl7.fhir.us.udap-security_1.0.0,126,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#consumer-facing,"Consumer-facing client applications SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 authorization code grant flow,",SHALL,Client,,,,3,udap_security_client-udap_client_access_ac
 hl7.fhir.us.udap-security_1.0.0,127,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,"Client applications SHALL request an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) of RFC 6749,",SHALL,Client,,,,3.02,udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification
 hl7.fhir.us.udap-security_1.0.0,128,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1,"[When] The client constructs the request URI … the … parameter.. `response_type` [is] `required`[and the] value MUST be set to ""code""",SHALL,Client,,,,3.02,udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification
 hl7.fhir.us.udap-security_1.0.0,129,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1,[When] The client constructs the request URI … the … parameter.. `client_id` [is] `required`… [and is t]he client identifier as described in [Section 2.2](https://datatracker.ietf.org/doc/html/rfc6749#section-2.2).,SHALL,Client,,,,3.02,udap_security_client-udap_client_access_ac-udap_client_authorization_request_verification
 hl7.fhir.us.udap-security_1.0.0,130,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,Client applications that also support the SMART App Launch IG are NOT REQUIRED to include a launch scope or launch context requirement scope.,MAY,Client,,,,"",""
 hl7.fhir.us.udap-security_1.0.0,132,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,[S]ervers MAY optionally support UDAP Tiered OAuth for User Authentication to allow for cross-organizational or third party user authentication as described in [Section 6](https://hl7.org/fhir/us/udap-security/STU1/user.html).,MAY,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,136,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,If the resource owner grants the access request… The client MUST NOT use the authorization code more than once.,SHALL,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,139,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When receiveing an response to an authorization request t]he client MUST ignore unrecognized response parameters.,SHALL,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,136,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,If the resource owner grants the access request… The client MUST NOT use the authorization code more than once.,SHALL,Client,,,,5.01,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_auth_code_usage
+hl7.fhir.us.udap-security_1.0.0,139,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When receiveing an response to an authorization request t]he client MUST ignore unrecognized response parameters.,SHALL,Client,,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_oauth2_protocol_compliance
 hl7.fhir.us.udap-security_1.0.0,140,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-access-token,"Client applications SHALL exchange authorization codes for access tokens as per [Section 4.1.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3) of RFC 6749,",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,141,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When] the client makes a request to the token endpoint… the `grant_type` [parameter is] `REQUIRED`[and the] Value MUST be set to ""authorization_code""",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,142,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When t]he client makes a request to the token endpoint… the `code` [parameter is] `REQUIRED`[and is] the authorization code received from the authorization server,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,143,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When t]he client makes a request to the token endpoint… the `redirect_uri` [parameter is] `REQUIRED`...if the ""redirect_uri"" parameter was included in the authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and their values MUST be identical.",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
-hl7.fhir.us.udap-security_1.0.0,144,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When t]he client makes a request to the token endpoint… the `client_id` [parameter is] `REQUIRED`...if the client is not authenticating with the authorization server as described in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1).,SHALL,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,144,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When t]he client makes a request to the token endpoint… the `client_id` [parameter is] `REQUIRED`...if the client is not authenticating with the authorization server as described in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1).,SHALL,Client,,,,5.08,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_token_request_authentication
 hl7.fhir.us.udap-security_1.0.0,145,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1).",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,151,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"If the client app has registered to authenticate using a private key rather than a shared client_secret, then the client SHALL use its private key to sign an Authentication Token as described in this section, and include this JWT in the client_assertion parameter of its token request as described in section 5.1 of UDAP JWT-Based Client Authentication and detailed further in Section 4.2.2 of this guide.",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,152,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,Authentication Tokens submitted by client apps SHALL conform to the general JWT header requirements above,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
@@ -71,12 +71,12 @@ hl7.fhir.us.udap-security_1.0.0,155,https://hl7.org/fhir/us/udap-security/STU1/c
 hl7.fhir.us.udap-security_1.0.0,156,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `exp` parameter [is] `required` [and is the e]xpiration time integer for this authentication JWT, expressed in seconds since the ""Epoch"" (1970-01-01T00:00:00Z UTC)",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,157,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `iat` parameter [is] `required` [and is the i]ssued time integer for this authentication JWT, expressed in seconds since the ""Epoch""",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,158,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` element of token requests] … the `jti` parameter [is] `required` [and is a] nonce string value that uniquely identifies this authentication,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
-hl7.fhir.us.udap-security_1.0.0,159,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` ...element of token requests] … the `jti` parameter...  SHALL NOT be reused by the client app in another authentication JWT before the time specified in the `exp` claim has passed,SHALL,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,159,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,[When constructing] Authentication Tokens [for use in the `client_assertion` ...element of token requests] … the `jti` parameter...  SHALL NOT be reused by the client app in another authentication JWT before the time specified in the `exp` claim has passed,SHALL,Client,,,,5.04,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_jti_reuse_prevention
 hl7.fhir.us.udap-security_1.0.0,160,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,"The maximum lifetime for an Authentication Token SHALL be 5 minutes, i.e. the value of `exp` minus the value of `iat` SHALL NOT exceed 300 seconds.",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,161,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token,The Authentication Token SHALL be signed and serialized using the JSON compact serialization method..,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
-hl7.fhir.us.udap-security_1.0.0,162,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"For client applications authenticating with a shared secret, the client application and server SHALL follow the token request and response protocol in Section 4.1.3 and Section 4.1.4 of RFC 6749.",SHALL,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,162,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"For client applications authenticating with a shared secret, the client application and server SHALL follow the token request and response protocol in Section 4.1.3 and Section 4.1.4 of RFC 6749.",SHALL,Client,,,,5.09,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_oauth2_protocol_compliance
 hl7.fhir.us.udap-security_1.0.0,163,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,Client applications authenticating with a private key and Authentication Token as per Section [4.2.1](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#constructing-authentication-token) SHALL submit a POST request to the Authorization Server’s token endpoint containing the [token request]... parameters as per Section 5.1 of UDAP JWT-Based Client Authentication,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
-hl7.fhir.us.udap-security_1.0.0,164,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,Client apps authenticating in this [with a private key and Authentication Token] manner SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request.,SHALL NOT,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,164,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,Client apps authenticating in this [with a private key and Authentication Token] manner SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request.,SHALL NOT,Client,,,,5.07,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_private_key_authentication
 hl7.fhir.us.udap-security_1.0.0,165,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `grant_type` [parameter is] `required`[and SHALL contain the f]ixed value: `authorization_code`,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,166,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,[When authenticating with a private key and Authentication Token] the `code` [parameter is] `required`[and SHALL contain the] code that the app received from the Authorization Server,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,167,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"[When authenticating with a private key and Authentication Token] the `redirect_uri` [parameter is] `conditional`… SHALL be present only if the redirect_uri parameter was included in the authorization request in Section 4.1,",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
@@ -92,8 +92,8 @@ hl7.fhir.us.udap-security_1.0.0,180,https://www.udap.org/udap-jwt-client-auth.ht
 hl7.fhir.us.udap-security_1.0.0,181,https://www.udap.org/udap-jwt-client-auth.html,[When validating the Client App’s token request] A maximum AnT lifetime of 5 minutes is RECOMMENDED,SHOULD,Client,,,,"",""
 hl7.fhir.us.udap-security_1.0.0,185,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,B2B client applications registered to use the authorization code grant SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 authorization code grant flow described in [Section 4.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1) of RFC 6749,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,186,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,Client applications registered to use the client credentials grant SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 client credentials grant flow described in [Section 4.4](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) of RFC 6749,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
-hl7.fhir.us.udap-security_1.0.0,187,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,"[When using the B2B client credentials flow to obtain access] the Requestor [(client)] is responsible for ensuring that the Requestor’s User, if applicable, is using the app only as authorized by the Requestor.",SHALL,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,188,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code,Client applications registered to use the authorization code grant SHALL request an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) of RFC 6749,SHALL,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,187,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#business-to-business,"[When using the B2B client credentials flow to obtain access] the Requestor [(client)] is responsible for ensuring that the Requestor’s User, if applicable, is using the app only as authorized by the Requestor.",SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+hl7.fhir.us.udap-security_1.0.0,188,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code,Client applications registered to use the authorization code grant SHALL request an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) of RFC 6749,SHALL,Client,,,,5.01,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_auth_code_usage
 hl7.fhir.us.udap-security_1.0.0,192,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,"The client SHALL use its private key to sign an Authentication Token..., and include this JWT in the `client_assertion` parameter of its token request as described in section 5.1 of UDAP JWT-Based Client Authentication and detailed further in [Section 5.2.2](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#submitting-a-token-request) of this guide",SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
 hl7.fhir.us.udap-security_1.0.0,193,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `sub` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
 hl7.fhir.us.udap-security_1.0.0,194,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `aud` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
@@ -101,28 +101,28 @@ hl7.fhir.us.udap-security_1.0.0,195,https://hl7.org/fhir/us/udap-security/STU1/b
 hl7.fhir.us.udap-security_1.0.0,196,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `iat` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
 hl7.fhir.us.udap-security_1.0.0,197,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `jti` claim [is] `required`.,SHALL,Client,,,,"3.03, 4.02","udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification, udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification"
 hl7.fhir.us.udap-security_1.0.0,198,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `extensions` claim [is] `conditional` [and] The HL7 B2B Authorization Extension Object ...is required for B2B client apps using the client_credentials flow,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
-hl7.fhir.us.udap-security_1.0.0,199,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `extensions` claim [is] `conditional` [and shall be] omit[ted] for client apps using the `authorization_code` flow,SHALL,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,199,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token,[when submitting Authentication Tokens] the `extensions` claim [is] `conditional` [and shall be] omit[ted] for client apps using the `authorization_code` flow,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
 hl7.fhir.us.udap-security_1.0.0,202,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `version` [is] `required` [with a] String with fixed value: ""1""",SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
-hl7.fhir.us.udap-security_1.0.0,203,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_name` [is] `conditional` [and SHALL be required if the] String containing the human readable name of the human or non-human requestor [is] known,SHALL,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,204,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be required]  if known for human requestors when the `subject_name` parameter is present.,SHALL,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,205,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id`... For US Realm,... SHALL be the subject's individual National Provider Identifier (NPI)",SHALL,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,206,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be omitted] for non-human requestors,SHALL,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,207,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be omitted] ... for requestors who have not been assigned an NPI,SHALL,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,208,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_role` [is] `conditional` [and SHALL be required] if known for human requestors when the `subject_name` parameter is present. For US Realm, trust communities SHOULD constrain the allowed values and formats, and are encouraged to draw from the National Uniform Claim Committee (NUCC) Provider Taxonomy Code Set, but are not required to do so to be considered conformant.",SHALL,"Client,Trust Community",,,,"",""
+hl7.fhir.us.udap-security_1.0.0,203,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_name` [is] `conditional` [and SHALL be required if the] String containing the human readable name of the human or non-human requestor [is] known,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+hl7.fhir.us.udap-security_1.0.0,204,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be required]  if known for human requestors when the `subject_name` parameter is present.,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+hl7.fhir.us.udap-security_1.0.0,205,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id`... For US Realm,... SHALL be the subject's individual National Provider Identifier (NPI)",SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+hl7.fhir.us.udap-security_1.0.0,206,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be omitted] for non-human requestors,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+hl7.fhir.us.udap-security_1.0.0,207,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_id` [is] `conditional` [and SHALL be omitted] ... for requestors who have not been assigned an NPI,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+hl7.fhir.us.udap-security_1.0.0,208,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `subject_role` [is] `conditional` [and SHALL be required] if known for human requestors when the `subject_name` parameter is present. For US Realm, trust communities SHOULD constrain the allowed values and formats, and are encouraged to draw from the National Uniform Claim Committee (NUCC) Provider Taxonomy Code Set, but are not required to do so to be considered conformant.",SHALL,"Client,Trust Community",,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
 hl7.fhir.us.udap-security_1.0.0,210,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_name` [is] `optional` [and is a] string containing the human readable name of the organizational requestor. If a subject is named, the organizational requestor is the organization represented by the subject.",MAY,Client,,,,"",""
 hl7.fhir.us.udap-security_1.0.0,211,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_name` [is] `optional` … if a subject is named, the organizational requestor is the organization represented by the subject.",MAY,Client,,,,"",""
 hl7.fhir.us.udap-security_1.0.0,212,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_id` [is] `required` [and] SHALL be a Uniform Resource Identifier (URI).,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
-hl7.fhir.us.udap-security_1.0.0,213,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_id` [is] `required` [and] ... Trust communities SHALL define the allowed URI scheme(s).,SHALL,"Client,Trust Community",,,,"",""
+hl7.fhir.us.udap-security_1.0.0,213,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_id` [is] `required` [and] ... Trust communities SHALL define the allowed URI scheme(s).,SHALL,"Client,Trust Community",,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
 hl7.fhir.us.udap-security_1.0.0,214,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `organization_id` [is] `required`... If a URL is used, the issuer SHALL include a URL that is resolvable by the receiving party.",SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
 hl7.fhir.us.udap-security_1.0.0,215,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `purpose_of_use` [is] `required`.,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
 hl7.fhir.us.udap-security_1.0.0,217,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_policy` [is] `optional`[and SHALL contain] an array of one or more strings, each containing a URI identifiying a privacy consent directive policy or other policy consistent with the value of the purpose_of_use parameter.",MAY,Client,,,,"",""
 hl7.fhir.us.udap-security_1.0.0,218,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_reference` [is] `conditional`[and SHALL  contain a]n array of one or more strings, each containing an absolute URL consistent with a [literal reference](https://www.hl7.org/fhir/R4/references.html#literal) to a FHIR [Consent](https://www.hl7.org/fhir/R4/consent.html) or [DocumentReference](https://www.hl7.org/fhir/R4/documentreference.html) resource containing or referencing a privacy consent directive relevant to a purpose identified by the `purpose_of_use` parameter and the policy or policies identified by the `consent_policy` parameter.",MAY,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,219,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[When populating the consent_reference value of the B2B Authorization Extension] the value `consent_reference` [is] `conditional` ... [and t]he issuer of this Authorization Extension Object SHALL only include URLs that are resolvable by the receiving party.,SHALL,Client,true,,,"",""
-hl7.fhir.us.udap-security_1.0.0,220,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[When populating the consent_reference value of the B2B Authorization Extension] the value `consent_reference` [is] `conditional`... [and i]f a referenced resource does not include the raw document data inline in the resource or as a contained resource, then it SHALL include a URL to the attachment data that is resolvable by the receiving party.",SHALL,Client,true,,,"",""
-hl7.fhir.us.udap-security_1.0.0,221,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_reference` [is] `conditional`[and shall be ] ...  Omit[ted] if `consent_policy` [paramaeter] is not present.,SHALL,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,219,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[When populating the consent_reference value of the B2B Authorization Extension] the value `consent_reference` [is] `conditional` ... [and t]he issuer of this Authorization Extension Object SHALL only include URLs that are resolvable by the receiving party.,SHALL,Client,true,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+hl7.fhir.us.udap-security_1.0.0,220,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,"[When populating the consent_reference value of the B2B Authorization Extension] the value `consent_reference` [is] `conditional`... [and i]f a referenced resource does not include the raw document data inline in the resource or as a contained resource, then it SHALL include a URL to the attachment data that is resolvable by the receiving party.",SHALL,Client,true,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
+hl7.fhir.us.udap-security_1.0.0,221,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object,[when constructing a B2B Authorization Extension Object following the `client_credentials` flow] the value `consent_reference` [is] `conditional`[and shall be ] ...  Omit[ted] if `consent_policy` [paramaeter] is not present.,SHALL,Client,,,,5.12,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_b2b_authorization_extension_object
 hl7.fhir.us.udap-security_1.0.0,222,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#submitting-a-token-request,Client applications using the authorization code grant and authenticating with a private key and Authentication Token as per Section 5.2.1 SHALL submit a POST request to the Authorization Server’s token endpoint containing the following parameters as per Section 5.1 of UDAP JWT-Based Client Authentication.,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,223,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,Client applications using the client credentials grant and authenticating with a private key and Authentication Token as per Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) SHALL submit a POST request to the Authorization Server’s token endpoint containing the following parameters as per Section 5.2 of UDAP JWT-Based Client Authentication.,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
-hl7.fhir.us.udap-security_1.0.0,224,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,Client applications using the client credentials grant and authenticating with a private key and Authentication Token as per Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) … SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request.,SHALL NOT,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,224,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,Client applications using the client credentials grant and authenticating with a private key and Authentication Token as per Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) … SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request.,SHALL NOT,Client,,,,5.07,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_private_key_authentication
 hl7.fhir.us.udap-security_1.0.0,225,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `grant_type` parameter [is] `required` [and SHALL contain f]ixed value: `client_credentials`,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
 hl7.fhir.us.udap-security_1.0.0,226,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `client_assertion_type` parameter [is] `required` [and SHALL contain f]ixed value: `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
 hl7.fhir.us.udap-security_1.0.0,227,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,[When requesting a Client credentials grant] the `client_assertion` parameter [is] `required` [and SHALL contain] the signed Authentication Token JWT,SHALL,Client,,,,4.02,udap_security_client-udap_client_access_cc-udap_client_token_request_cc_verification
@@ -131,16 +131,16 @@ hl7.fhir.us.udap-security_1.0.0,231,https://hl7.org/fhir/us/udap-security/STU1/b
 hl7.fhir.us.udap-security_1.0.0,232,https://datatracker.ietf.org/doc/html/rfc6749#section-6,"[When requesting a refresh token]  the `grant_type` [parameter is] REQUIRED [and the ] Value MUST be set to ""refresh_token""",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,233,https://datatracker.ietf.org/doc/html/rfc6749#section-7,[When requesting a refresh token]  the `refresh_token` [parameter is] REQUIRED [and is ] The refresh token issued to the client,SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
 hl7.fhir.us.udap-security_1.0.0,234,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#refresh-tokens,"Client apps authenticate to the Authorization Server for refresh requests by constructing and including an Authentication Token in the same manner as for initial token requests [i.e., include the client_assertion_type and client_assertion fields as in the token request]",SHALL,Client,,,,3.03,udap_security_client-udap_client_access_ac-udap_client_token_request_ac_verification
-hl7.fhir.us.udap-security_1.0.0,235,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"IdPs that support this [UDAP] guide SHALL include `""openid""` and `""udap""` in the array of scopes returned for the `scopes_supported` parameter.",SHALL,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,236,https://hl7.org/fhir/us/udap-security/STU1/user.html#client-authorization-request-to-data-holder,The client app indicates the preferred Identity Provider to the data holder… by modifying the authorization endpoint request… [and a]dd[ing] `udap` to the list of scopes provided in the value of the `scope` query parameter,SHALL,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,237,https://hl7.org/fhir/us/udap-security/STU1/user.html#client-authorization-request-to-data-holder,The client app indicates the preferred Identity Provider to the data holder… by modifying the authorization endpoint request… [and a]dd[ing] the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP.,SHALL,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,235,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"IdPs that support this [UDAP] guide SHALL include `""openid""` and `""udap""` in the array of scopes returned for the `scopes_supported` parameter.",SHALL,Client,,,,5.03,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_idp_supports_scopes
+hl7.fhir.us.udap-security_1.0.0,236,https://hl7.org/fhir/us/udap-security/STU1/user.html#client-authorization-request-to-data-holder,The client app indicates the preferred Identity Provider to the data holder… by modifying the authorization endpoint request… [and a]dd[ing] `udap` to the list of scopes provided in the value of the `scope` query parameter,SHALL,Client,,,,5.06,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_preferred_idp
+hl7.fhir.us.udap-security_1.0.0,237,https://hl7.org/fhir/us/udap-security/STU1/user.html#client-authorization-request-to-data-holder,The client app indicates the preferred Identity Provider to the data holder… by modifying the authorization endpoint request… [and a]dd[ing] the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP.,SHALL,Client,,,,5.06,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_preferred_idp
 hl7.fhir.us.udap-security_1.0.0,244,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"[When authenticating the user a] client app that receives an error code of `invalid_idp` MAY attempt to obtain authorization again by specifying a different IdP base URL in the `idp` authorization request parameter, or by making a new authorization request without using the Tiered OAuth workflow.",MAY,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,256,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,The `scope` query parameter of the authentication request SHALL contain at least the following two values: `openid` and `udap`.,SHALL,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,257,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,The IdP SHALL authenticate the user as per [Sections 3.1.2.2 - 3.1.2.6 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation) and Sections 4.1 - 4.2 of [UDAP Tiered Oauth](https://www.udap.org/udap-user-auth-stu1.html).,SHALL,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,274,https://www.udap.org/udap-user-auth-stu1.html,The Client App MUST validate the value of the state parameter returned by the Resource Holder [in response to an authorization request] as per RFC 6749.,SHALL,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,275,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,"The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state (e.g., a hash of the session cookie used to authenticate the user-agent).",SHALL,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,276,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,The binding value used for CSRF protection MUST contain a non-guessable value (as described in   Section 10.10),SHALL,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,277,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,"the user-agent's authenticated state (e.g.,session cookie, HTML5 local storage) MUST be kept in a location accessible only to the client and the user-agent (i.e., protected by same-origin policy).",SHALL,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,280,https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest,"[When making a token request] If the Client is a Confidential Client, then it MUST authenticate to the Token Endpoint using the authentication method registered for its `client_id`, as described in [Section 9](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication).",SHALL,Client,true,,,"",""
-hl7.fhir.us.udap-security_1.0.0,281,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST authenticate to the IdP’s token endpoint [when requesting an ID token and access token] as detailed in Section 5 of UDAP JWT-based Client Authentication,SHALL,Client,,,,"",""
-hl7.fhir.us.udap-security_1.0.0,286,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,Web application clients MUST ensure confidentiality of client passwords and other client credentials.,SHALL,Client,,,,"",""
+hl7.fhir.us.udap-security_1.0.0,256,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,The `scope` query parameter of the authentication request SHALL contain at least the following two values: `openid` and `udap`.,SHALL,Client,,,,5.14,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_data_holder_auth_request_scope
+hl7.fhir.us.udap-security_1.0.0,257,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,The IdP SHALL authenticate the user as per [Sections 3.1.2.2 - 3.1.2.6 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation) and Sections 4.1 - 4.2 of [UDAP Tiered Oauth](https://www.udap.org/udap-user-auth-stu1.html).,SHALL,Client,,,,5.15,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_idp_authentication_compliance
+hl7.fhir.us.udap-security_1.0.0,274,https://www.udap.org/udap-user-auth-stu1.html,The Client App MUST validate the value of the state parameter returned by the Resource Holder [in response to an authorization request] as per RFC 6749.,SHALL,Client,,,,5.16,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_validation_confidentiality
+hl7.fhir.us.udap-security_1.0.0,275,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,"The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state (e.g., a hash of the session cookie used to authenticate the user-agent).",SHALL,Client,,,,5.13,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_security_csrf_protection
+hl7.fhir.us.udap-security_1.0.0,276,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,The binding value used for CSRF protection MUST contain a non-guessable value (as described in   Section 10.10),SHALL,Client,,,,5.13,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_security_csrf_protection
+hl7.fhir.us.udap-security_1.0.0,277,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,"the user-agent's authenticated state (e.g.,session cookie, HTML5 local storage) MUST be kept in a location accessible only to the client and the user-agent (i.e., protected by same-origin policy).",SHALL,Client,,,,5.13,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_client_security_csrf_protection
+hl7.fhir.us.udap-security_1.0.0,280,https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest,"[When making a token request] If the Client is a Confidential Client, then it MUST authenticate to the Token Endpoint using the authentication method registered for its `client_id`, as described in [Section 9](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication).",SHALL,Client,true,,,5.08,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_token_request_authentication
+hl7.fhir.us.udap-security_1.0.0,281,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST authenticate to the IdP’s token endpoint [when requesting an ID token and access token] as detailed in Section 5 of UDAP JWT-based Client Authentication,SHALL,Client,,,,5.10,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_resource_holder_token_endpoint_authentication
+hl7.fhir.us.udap-security_1.0.0,286,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,Web application clients MUST ensure confidentiality of client passwords and other client credentials.,SHALL,Client,,,,5.16,udap_security_client-udap_client_v100_visual_inspection_and_attestation-udap_security_validation_confidentiality