udap_security_test_kit 0.11.6 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
  1. checksums.yaml +4 -4
  2. data/lib/udap_security_test_kit/client_suite.rb +3 -0
  3. data/lib/udap_security_test_kit/registration_failure_invalid_contents_test.rb +1 -1
  4. data/lib/udap_security_test_kit/requirements/generated/udap-security-test-kit_requirements_coverage.csv +317 -0
  5. data/lib/udap_security_test_kit/requirements/generated/udap_security_client_requirements_coverage.csv +38 -38
  6. data/lib/udap_security_test_kit/requirements/generated/udap_security_requirements_coverage.csv +70 -70
  7. data/lib/udap_security_test_kit/version.rb +2 -2
  8. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/b2b_authorization_extension_object_test.rb +77 -0
  9. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_authorization_code_usage_test.rb +47 -0
  10. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/client_security_csrf_protection_test.rb +50 -0
  11. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/cryptographic_algorithms_test.rb +44 -0
  12. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/data_holder_auth_request_scope_test.rb +42 -0
  13. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_authentication_compliance_test.rb +44 -0
  14. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb +42 -0
  15. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb +44 -0
  16. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb +47 -0
  17. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/oauth2_protocol_compliance_test.rb +50 -0
  18. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb +45 -0
  19. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb +47 -0
  20. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/resource_holder_authentication_test.rb +45 -0
  21. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb +49 -0
  22. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb +51 -0
  23. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb +43 -0
  24. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb +49 -0
  25. data/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb +48 -0
  26. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group/authentication_request_construction_test.rb +56 -0
  27. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group/authentication_request_validation_test.rb +60 -0
  28. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group.rb +13 -0
  29. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb +42 -0
  30. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb +51 -0
  31. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb +45 -0
  32. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/resource_holder_authorization_flow_test.rb +37 -0
  33. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group.rb +17 -0
  34. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group/client_certificate_storage_test.rb +36 -0
  35. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group/no_client_credentials_native_apps_test.rb +38 -0
  36. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group.rb +13 -0
  37. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb +45 -0
  38. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb +42 -0
  39. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb +48 -0
  40. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group.rb +15 -0
  41. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/deny_token_request_test.rb +42 -0
  42. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/general_error_response_test.rb +39 -0
  43. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_id_token_test.rb +43 -0
  44. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_idp_test.rb +39 -0
  45. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/invalid_redirection_uri_test.rb +43 -0
  46. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/prompt_none_test.rb +39 -0
  47. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/state_mismatch_test.rb +43 -0
  48. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/unauthenticated_user_test.rb +42 -0
  49. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/valid_state_error_response_test.rb +43 -0
  50. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group.rb +27 -0
  51. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/access_token_validation_test.rb +47 -0
  52. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/id_token_validation_test.rb +45 -0
  53. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group/token_response_validation_test.rb +47 -0
  54. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/id_token_access_token_validation_group.rb +15 -0
  55. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_authentication_request_test.rb +45 -0
  56. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_dynamic_registration_test.rb +45 -0
  57. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_metadata_validation_test.rb +44 -0
  58. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group/idp_token_exchange_test.rb +46 -0
  59. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/identity_provider_interaction_group.rb +17 -0
  60. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_certificate_chain_validation_test.rb +36 -0
  61. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_grant_parameter_validation_test.rb +36 -0
  62. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_jti_reuse_test.rb +35 -0
  63. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_signature_validation_test.rb +36 -0
  64. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group/jwt_token_request_validation_test.rb +43 -0
  65. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/jwt_security_group.rb +19 -0
  66. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_authorization_extensions_required_test.rb +43 -0
  67. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_community_parameter_support_test.rb +44 -0
  68. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_endpoint_error_handling_test.rb +43 -0
  69. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_metadata_representation_test.rb +42 -0
  70. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group/udap_profiles_supported_test.rb +43 -0
  71. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/metadata_server_capabilities_group.rb +19 -0
  72. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/csrf_protection_test.rb +49 -0
  73. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/obtain_authorization_scopes_test.rb +44 -0
  74. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/state_parameter_test.rb +48 -0
  75. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group/unauthenticated_client_security_test.rb +47 -0
  76. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/security_measures_group.rb +17 -0
  77. data/lib/udap_security_test_kit/visual_inspection_and_attestation/server_attestation_group.rb +33 -0
  78. data/lib/udap_security_test_kit.rb +2 -0
  79. metadata +81 -4
@@ -15,8 +15,8 @@ hl7.fhir.us.udap-security_1.0.0,13,https://hl7.org/fhir/us/udap-security/STU1/di
15
15
  hl7.fhir.us.udap-security_1.0.0,14,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,"Servers **SHALL** allow access to the following metadata URL ... without requiring client authentication, where {baseURL} represents the base FHIR URL for the FHIR server: {baseURL}/.well-known/udap",SHALL,Server,,,,"1.1.01, 2.1.01","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_well_known_endpoint, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_well_known_endpoint"
16
16
  hl7.fhir.us.udap-security_1.0.0,15,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,UDAP metadata **SHALL** be structured as a JSON object as per section 1 of [UDAP Server Metadata](https://www.udap.org/udap-server-metadata-stu1.html#section-1) and discussed further in [Section 2.2](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata).,SHALL,Server,,,,"1.1, 2.1","udap_security-udap_authorization_code_group-auth_code_discovery_group, udap_security-udap_client_credentials_group-auth_code_discovery_group"
17
17
  hl7.fhir.us.udap-security_1.0.0,17,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#discovery-of-endpoints,"Servers conforming to this guide are generally expected, but not required, to also support the HL7 SMART App Launch Framework, which defines additional discovery and metadata requirements.",SHOULD,Server,,,,"",""
18
- hl7.fhir.us.udap-security_1.0.0,18,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,The metadata returned from the UDAP metadata endpoint … SHALL represent the server’s capabilities with respect to the UDAP workflows described in this guide.,SHALL,Server,,,,"",""
19
- hl7.fhir.us.udap-security_1.0.0,19,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"If no UDAP workflows are supported, the server SHALL return a `404 Not Found` response to the metadata request.",SHALL,Server,,,,"",""
18
+ hl7.fhir.us.udap-security_1.0.0,18,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,The metadata returned from the UDAP metadata endpoint … SHALL represent the server’s capabilities with respect to the UDAP workflows described in this guide.,SHALL,Server,,,,3.1.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_metadata_server_capabilities_group-udap_security_metadata_representation
19
+ hl7.fhir.us.udap-security_1.0.0,19,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"If no UDAP workflows are supported, the server SHALL return a `404 Not Found` response to the metadata request.",SHALL,Server,,,,3.1.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_metadata_server_capabilities_group-udap_security_metadata_error_handling
20
20
  hl7.fhir.us.udap-security_1.0.0,22,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_versions_supported` [element is] required [and SHALL be] A fixed array with one string element: [""1""]",SHALL,Server,,,,"1.1.02, 2.1.02","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_versions_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_versions_supported_field"
21
21
  hl7.fhir.us.udap-security_1.0.0,23,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_profiles_supported` [element is] required
22
22
  [and SHALL contain a]n array of two or more strings identifying the core UDAP profiles supported by the Authorization Server.",SHALL,Server,,,,"1.1.04, 2.1.04","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_profiles_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_profiles_supported_field"
@@ -26,13 +26,13 @@ hl7.fhir.us.udap-security_1.0.0,26,https://hl7.org/fhir/us/udap-security/STU1/di
26
26
  If the `grant_types_supported` parameter includes the string `""client_credentials""`, then the array SHALL also include:
27
27
  `""udap_authz""` for UDAP Client Authorization Grants using JSON Web Tokens to indicate support for Authorization Extension Objects.",SHALL,Server,true,,,"1.1.04, 2.1.04","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_profiles_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_profiles_supported_field"
28
28
  hl7.fhir.us.udap-security_1.0.0,27,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata] `udap_profiles_supported` [element]...
29
- If the server supports the user authentication workflow described in [Section 6](https://hl7.org/fhir/us/udap-security/STU1/user.html#tiered-oauth-for-user-authentication), then the array SHALL also include: `""udap_to""` for UDAP Tiered OAuth for User Authentication.",SHALL,Server,true,,,"",""
29
+ If the server supports the user authentication workflow described in [Section 6](https://hl7.org/fhir/us/udap-security/STU1/user.html#tiered-oauth-for-user-authentication), then the array SHALL also include: `""udap_to""` for UDAP Tiered OAuth for User Authentication.",SHALL,Server,true,,,3.1.05,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_metadata_server_capabilities_group-udap_security_profiles_supported
30
30
  hl7.fhir.us.udap-security_1.0.0,28,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_authorization_extensions_supported` [element is] required [and SHALL contain a]n array of zero or more recognized key names for Authorization Extension Objects supported by the Authorization Server.",SHALL,Server,,,,"1.1.05, 2.1.05","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_auth_extensions_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_auth_extensions_supported_field"
31
31
  hl7.fhir.us.udap-security_1.0.0,29,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"If the Authorization Server supports the B2B Authorization Extension Object defined in Section [5.2.1.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object), then the ... `[""hl7-b2b""]` key name SHALL be included [in the `udap_authorization_extensions_supported` element of the server's UDAP metadata].",SHALL,Server,,,,"1.1.05, 2.1.05","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_auth_extensions_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_auth_extensions_supported_field"
32
32
  hl7.fhir.us.udap-security_1.0.0,30,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_authorization_extensions_required` [element SHALL contain when populated a]n array of zero or more recognized key names for Authorization Extension Objects required by the Authorization Server in every token request.",SHALL,Server,,,,"1.1.06, 2.1.06","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_auth_extensions_required_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_auth_extensions_required_field"
33
33
  hl7.fhir.us.udap-security_1.0.0,31,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_authorization_extensions_required` [element] SHALL be present if the value of the `udap_authorization_extensions_supported` parameter is not an empty array.",SHALL,Server,,,,"1.1.06, 2.1.06","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_auth_extensions_required_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_auth_extensions_required_field"
34
34
  hl7.fhir.us.udap-security_1.0.0,32,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"If the Authorization Server requires the B2B Authorization Extension Object defined in [Section 5.2.1.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#b2b-authorization-extension-object) in every token request, then the following key name SHALL be included [in the `udap_authorization_extensions_required`list]:
35
- `[""hl7-b2b""]`",SHALL,Server,,,,"",""
35
+ `[""hl7-b2b""]`",SHALL,Server,,,,3.1.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_metadata_server_capabilities_group-udap_security_authorization_extensions_required
36
36
  hl7.fhir.us.udap-security_1.0.0,33,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_certifications_supported` [element is] required [and SHALL contain a]n array of zero or more certification URIs supported by the Authorization Server, e.g.: `[""https://www.example.com/udap/profiles/example-certification""]`",SHALL,Server,,,,"1.1.07, 2.1.07","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_certifications_supported_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_certifications_supported_field"
37
37
  hl7.fhir.us.udap-security_1.0.0,34,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_certifications_required` [element SHALL contain when populated a]n array of zero or more certification URIs required by the Authorization Server.",SHALL,Server,,,,"1.1.08, 2.1.08","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_certifications_required_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_certifications_required_field"
38
38
  hl7.fhir.us.udap-security_1.0.0,35,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata,"[When returning UDAP metadata, the] `udap_certifications_required` … parameter SHALL be present if the value of the `udap_certifications_supported` parameter is not an empty array.",SHALL,Server,,,,"1.1.08, 2.1.08","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_certifications_required_field, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_certifications_required_field"
@@ -57,11 +57,11 @@ hl7.fhir.us.udap-security_1.0.0,52,https://hl7.org/fhir/us/udap-security/STU1/di
57
57
  hl7.fhir.us.udap-security_1.0.0,53,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,The exp time [in the Server's signed JWT] SHALL be no more than 1 year after the value of the iat claim.,SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
58
58
  hl7.fhir.us.udap-security_1.0.0,54,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,"[The JWT in the signed_metadata element SHALL contain the claim] `iat` [that is the] Issued time integer for this JWT, expressed in seconds since the ""Epoch""",SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
59
59
  hl7.fhir.us.udap-security_1.0.0,55,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The JWT in the signed_metadata element SHALL contain the claim] `jti` [that is a] nonce string value that uniquely identifies this JWT.,SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
60
- hl7.fhir.us.udap-security_1.0.0,56,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,This [`jti`] value [in the Server's signed JWT] SHALL NOT be reused by the server in another JWT before the time specified in the exp claim has passed,SHALL,Server,,,,"",""
60
+ hl7.fhir.us.udap-security_1.0.0,56,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,This [`jti`] value [in the Server's signed JWT] SHALL NOT be reused by the server in another JWT before the time specified in the exp claim has passed,SHALL,Server,,,,3.9.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_jwt_security_group-udap_security_jwt_jti_reuse
61
61
  hl7.fhir.us.udap-security_1.0.0,57,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,"[In the JWT in the signed_metadata element SHALL contain, the claim] `authorization_endpoint`[is] REQUIRED if the authorization_endpoint parameter is included in the unsigned metadata",SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
62
62
  hl7.fhir.us.udap-security_1.0.0,58,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The JWT in the signed_metadata element SHALL contain the claim] `token_endpoint`[which is a] string containing the absolute URL of the server's token endpoint,SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
63
63
  hl7.fhir.us.udap-security_1.0.0,59,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements,[The JWT in the signed_metadata element SHALL contain the claim] `registration_endpoint`[which is a] string containing the absolute URL of the server's registration endpoint,SHALL,Server,,,,"1.1.17, 2.1.17","udap_security-udap_authorization_code_group-auth_code_discovery_group-udap_signed_metadata_contents, udap_security-udap_client_credentials_group-auth_code_discovery_group-udap_signed_metadata_contents"
64
- hl7.fhir.us.udap-security_1.0.0,62,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,"If a server supports [the `community`] parameter and recognizes the URI value, it SHALL select a certificate intended for use within the identified trust community, if it has been issued such a certificate, and use that certificate when generating the signed JWT returned for the `signed_metadata` element.",SHALL,Server,,,,"",""
64
+ hl7.fhir.us.udap-security_1.0.0,62,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,"If a server supports [the `community`] parameter and recognizes the URI value, it SHALL select a certificate intended for use within the identified trust community, if it has been issued such a certificate, and use that certificate when generating the signed JWT returned for the `signed_metadata` element.",SHALL,Server,,,,3.1.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_metadata_server_capabilities_group-udap_security_community_parameter_support
65
65
  hl7.fhir.us.udap-security_1.0.0,63,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,"If a server supports different UDAP capabilities for different communities, it MAY also return different values for other metadata elements described in [Section 2.2](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata) as appropriate for the identified community.",MAY,Server,,,,"",""
66
66
  hl7.fhir.us.udap-security_1.0.0,64,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,"If the server does not recognize the community URI or does not have a suitable certificate for the identified community, it MAY return a `404 Not Found` response to the metadata request to indicate that no UDAP workflows are supported by server in the context of that community, or it MAY return its default metadata, i.e. the metadata that it would have returned if the community parameter was not included in the request.",MAY,Server,,,,"",""
67
67
  hl7.fhir.us.udap-security_1.0.0,65,https://hl7.org/fhir/us/udap-security/STU1/discovery.html#multiple-trust-communities,"If the server does not recognize the community URI or does not have a suitable certificate for the identified community, .. it MAY return its default metadata, i.e. the metadata that it would have returned if the community parameter was not included in the request.",MAY,Server,,,,"",""
@@ -70,95 +70,95 @@ hl7.fhir.us.udap-security_1.0.0,89,https://hl7.org/fhir/us/udap-security/STU1/re
70
70
  hl7.fhir.us.udap-security_1.0.0,98,https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement,The Authorization Server MAY consider this list [of scopes provided in the registration software statement] when deciding the scopes that it will allow the application to subsequently request.,MAY,Server,,,,"",""
71
71
  hl7.fhir.us.udap-security_1.0.0,105,https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body,The Authorization Server SHALL validate the registration request as per [Section 4](https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4) of UDAP Dynamic Client Registration.,SHALL,Server,,,,"1.2, 2.2","udap_security-udap_authorization_code_group-auth_code_dcr_group, udap_security-udap_client_credentials_group-client_creds_dcr_group"
72
72
  hl7.fhir.us.udap-security_1.0.0,106,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he iss value MUST match a uriName entry in the Subject Alternative Names extension of the Client’s certificate.,SHALL,Server,,,,"1.2.01, 2.2.01","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_failure_invalid_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_failure_invalid_contents"
73
- hl7.fhir.us.udap-security_1.0.0,107,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he sub value MUST match the iss value,SHALL,Server,,,,"",""
74
- hl7.fhir.us.udap-security_1.0.0,108,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he aud value MUST contain the Authorization Server’s registration endpoint URL,SHALL,Server,,,,"",""
75
- hl7.fhir.us.udap-security_1.0.0,109,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he software statement MUST be unexpired,SHALL,Server,,,,"",""
73
+ hl7.fhir.us.udap-security_1.0.0,107,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he sub value MUST match the iss value,SHALL,Server,,,,3.2.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_dynamic_client_registration_group-udap_security_dynamic_client_registration_validation
74
+ hl7.fhir.us.udap-security_1.0.0,108,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he aud value MUST contain the Authorization Server’s registration endpoint URL,SHALL,Server,,,,3.2.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_dynamic_client_registration_group-udap_security_dynamic_client_registration_validation
75
+ hl7.fhir.us.udap-security_1.0.0,109,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-4,[When validating a registration request t]he software statement MUST be unexpired,SHALL,Server,,,,3.2.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_dynamic_client_registration_group-udap_security_dynamic_client_registration_validation
76
76
  hl7.fhir.us.udap-security_1.0.0,110,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1,"If a new registration is successful, the Authorization Server SHALL return a registration response with a `201 Created` HTTP response code as per [Section 5.1](https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1) of UDAP Dynamic Client Registration",SHALL,Server,,,,"1.2.03, 2.2.03","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success"
77
77
  hl7.fhir.us.udap-security_1.0.0,111,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1,"[When responding to an authorization request that has been granted] 5.1 The top-level elements of the response SHALL include the client_id issued by the Authorization Server for use by the Client App, the software statement as submitted by the Client App, and all of the registration related parameters that were included in the software statement",SHALL,Server,,,,"1.2.04, 2.2.04","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success_contents"
78
- hl7.fhir.us.udap-security_1.0.0,112,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1,[When responding to an authorization request that has been granted] 5.1 Authorization Server MUST store the certificate provided by the Client for use to validate subsequent client authentication attempts.,SHALL,Server,,,,"",""
78
+ hl7.fhir.us.udap-security_1.0.0,112,https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1,[When responding to an authorization request that has been granted] 5.1 Authorization Server MUST store the certificate provided by the Client for use to validate subsequent client authentication attempts.,SHALL,Server,,,,3.8.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_client_authentication_group-udap_security_client_certificate_storage
79
79
  hl7.fhir.us.udap-security_1.0.0,113,https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body,"If a new registration is successful, the Authorization Server SHALL return a registration response ... including the unique `client_id` assigned by the Authorization Server to that client app.",SHALL,Server,,,,"1.2.04, 2.2.04","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success_contents"
80
80
  hl7.fhir.us.udap-security_1.0.0,114,https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body,"If a new registration is not successful, e.g. it is rejected by the server for any reason, the Authorization Server SHALL return an error response as per [Section 5.2](https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.2) of UDAP Dynamic Client Registration.",SHALL,Server,,,,"1.2.01, 1.2.02, 2.2.01, 2.2.02","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_failure_invalid_contents, udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_failure_invalid_jwt_signature, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_failure_invalid_contents, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_failure_invalid_jwt_signature"
81
- hl7.fhir.us.udap-security_1.0.0,116,https://hl7.org/fhir/us/udap-security/STU1/registration.html#inclusion-of-certifications-and-endorsements,Authorization Servers SHALL ignore unsupported or unrecognized certifications,SHALL,Server,,,,"",""
81
+ hl7.fhir.us.udap-security_1.0.0,116,https://hl7.org/fhir/us/udap-security/STU1/registration.html#inclusion-of-certifications-and-endorsements,Authorization Servers SHALL ignore unsupported or unrecognized certifications,SHALL,Server,,,,3.2.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_dynamic_client_registration_group-udap_security_certification_handling
82
82
  hl7.fhir.us.udap-security_1.0.0,117,https://hl7.org/fhir/us/udap-security/STU1/registration.html#inclusion-of-certifications-and-endorsements,Authorization Servers MAY require registration requests to include one or more certifications.,MAY,Server,,,,"",""
83
- hl7.fhir.us.udap-security_1.0.0,118,https://hl7.org/fhir/us/udap-security/STU1/registration.html#inclusion-of-certifications-and-endorsements,"If an Authorization Server requires the inclusion of a certain certification, then the Authorization Server SHALL communicate this by including the corresponding certification URI in the `udap_certifications_required` element of its UDAP metadata.",SHALL,Server,,,,"",""
83
+ hl7.fhir.us.udap-security_1.0.0,118,https://hl7.org/fhir/us/udap-security/STU1/registration.html#inclusion-of-certifications-and-endorsements,"If an Authorization Server requires the inclusion of a certain certification, then the Authorization Server SHALL communicate this by including the corresponding certification URI in the `udap_certifications_required` element of its UDAP metadata.",SHALL,Server,,,,3.2.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_dynamic_client_registration_group-udap_security_certification_handling
84
84
  hl7.fhir.us.udap-security_1.0.0,119,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If an Authorization Server receives a valid registration request with a software statement containing the same `iss` value as an earlier software statement but with a different set of claims or claim values, or with a different (possibly empty) set of optional certifications and endorsements, the server SHALL treat this as a request to modify the registration parameters for the client application by replacing the information from the previous registration request with the information included in the new request.",SHALL,Server,,,,"1.2.03, 2.2.03","udap_security-udap_authorization_code_group-auth_code_dcr_group-udap_registration_success, udap_security-udap_client_credentials_group-client_creds_dcr_group-udap_registration_success"
85
85
  hl7.fhir.us.udap-security_1.0.0,120,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If the registration modification request is accepted, the Authorization Server SHOULD return the same `client_id` in the registration response as for the previous registration.",SHOULD,Server,,,,"",""
86
- hl7.fhir.us.udap-security_1.0.0,121,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If it returns a different `client_id` [in response to a registration modification request], it SHALL cancel the registration for the previous `client_id`.",SHALL,Server,,,,"",""
86
+ hl7.fhir.us.udap-security_1.0.0,121,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If it returns a different `client_id` [in response to a registration modification request], it SHALL cancel the registration for the previous `client_id`.",SHALL,Server,,,,3.2.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_dynamic_client_registration_group-udap_security_client_id_modification
87
87
  hl7.fhir.us.udap-security_1.0.0,122,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If an Authorization Server receives a valid registration request with a software statement that contains an empty `grant_types` array from a previously registered application, the server SHOULD interpret this as a request to cancel the previous registration.",SHOULD,Server,,,,"",""
88
88
  hl7.fhir.us.udap-security_1.0.0,124,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If the Authorization Server returns the same client_id in the registration response for a modification request, it SHOULD also return a `200 OK` HTTP response code.",SHOULD,Server,,,,"",""
89
89
  hl7.fhir.us.udap-security_1.0.0,125,https://hl7.org/fhir/us/udap-security/STU1/registration.html#modifying-and-cancelling-registrations,"If the Authorization Server returns a new `client_id` in the registration response, the client application SHALL use only the new `client_id` in subsequent transactions with the Authorization Server.",SHOULD,Server,,,,"",""
90
90
  hl7.fhir.us.udap-security_1.0.0,131,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,Client applications .. MAY optionally support UDAP Tiered OAuth for User Authentication to allow for cross-organizational or third party user authentication as described in [Section 6](https://hl7.org/fhir/us/udap-security/STU1/user.html).,MAY,Server,,,,"",""
91
91
  hl7.fhir.us.udap-security_1.0.0,133,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code,Servers SHALL handle and respond to authorization code requests as per [Section 4.1.2](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2) of RFC 6749.,SHALL,Server,,,,"1.3.01, 1.3.02","udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_redirect, udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received"
92
92
  hl7.fhir.us.udap-security_1.0.0,134,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When responding to an authorization request ]if the resource owner grants the access request… the `code` parameter [is] `REQUIRED`,SHALL,Server,,,,1.3.02,udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received
93
- hl7.fhir.us.udap-security_1.0.0,135,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When responding to an authorization request i]f the resource owner grants the access request… the `code` parameter... MUST expire shortly after it is issued to mitigate the risk of leaks.,SHALL,Server,,,,"",""
94
- hl7.fhir.us.udap-security_1.0.0,137,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,"If an authorization code is used more than once, the authorization server MUST deny the request",SHALL,Server,,,,"",""
93
+ hl7.fhir.us.udap-security_1.0.0,135,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,[When responding to an authorization request i]f the resource owner grants the access request… the `code` parameter... MUST expire shortly after it is issued to mitigate the risk of leaks.,SHALL,Server,,,,3.3.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_auth_code_usage
94
+ hl7.fhir.us.udap-security_1.0.0,137,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,"If an authorization code is used more than once, the authorization server MUST deny the request",SHALL,Server,,,,3.3.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_auth_code_usage
95
95
  hl7.fhir.us.udap-security_1.0.0,138,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2,"[When responding to an authorization request i]f the resource owner grants the access request… the `state` parameter [is] `REQUIRED`if the ""state"" parameter was present in the client authorization request",SHALL,Server,,,,1.3.02,udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received
96
- hl7.fhir.us.udap-security_1.0.0,146,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements),SHALL,Server,,,,"",""
97
- hl7.fhir.us.udap-security_1.0.0,147,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: ...authenticate the client if client authentication is included,",SHALL,Server,,,,"",""
96
+ hl7.fhir.us.udap-security_1.0.0,146,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements),SHALL,Server,,,,3.3.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation
97
+ hl7.fhir.us.udap-security_1.0.0,147,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: ...authenticate the client if client authentication is included,",SHALL,Server,,,,3.3.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation
98
98
  hl7.fhir.us.udap-security_1.0.0,148,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: … ensure that the authorization code was issued to the authenticated confidential client, or if the client is public, ensure that the code was issued to ""client_id"" in the request,",SHALL,Server,,,,1.3.03,udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_token_exchange
99
- hl7.fhir.us.udap-security_1.0.0,149,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: … verify that the authorization code is valid,SHALL,Server,,,,"",""
100
- hl7.fhir.us.udap-security_1.0.0,150,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: … ensure that the ""redirect_uri"" parameter is present if the ""redirect_uri"" parameter was included in the initial authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and if included ensure that their values are identical.",SHALL,Server,,,,"",""
101
- hl7.fhir.us.udap-security_1.0.0,172,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,An Authorization Server receiving token requests containing Authentication Tokens... SHALL validate and respond to the request as per [Sections 6 and 7 of UDAP JWT-Based Client Authentication](https://www.udap.org/udap-jwt-client-auth.html).,SHALL,Server,,,,"",""
102
- hl7.fhir.us.udap-security_1.0.0,173,https://www.udap.org/udap-jwt-client-auth.html,The AS validates the digital signature on the AnT [in the token request] using the public key extracted from cert1 in the x5c parameter of the JOSE header.,SHALL,Server,,,,"",""
103
- hl7.fhir.us.udap-security_1.0.0,174,https://www.udap.org/udap-jwt-client-auth.html,"If the signature cannot be validated [using the public key extracted from cert1 in the x5c parameter], the [token] request is denied.",SHALL,Server,,,,"",""
104
- hl7.fhir.us.udap-security_1.0.0,176,https://www.udap.org/udap-jwt-client-auth.html,"If a trusted chain cannot be built and validated by the AS [for certificates in the x5c parameter of the JOSE header on AnTs in token requests], the request is denied.",SHALL,Server,,,,"",""
105
- hl7.fhir.us.udap-security_1.0.0,182,https://www.udap.org/udap-jwt-client-auth.html,The AS validates any other parameters in the [token] request as per the requirements of the grant mechanism identified by the grant_type value.,SHALL,Server,,,,"",""
106
- hl7.fhir.us.udap-security_1.0.0,183,https://www.udap.org/udap-jwt-client-auth.html,"If a parameter is invalid or a required parameter is missing [on a token request], the request is denied",SHALL,Server,,,,"",""
107
- hl7.fhir.us.udap-security_1.0.0,184,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"For all successful token requests, the Authorization Server SHALL issue access tokens with a lifetime no longer than 60 minutes.",SHALL,Server,,,,"",""
99
+ hl7.fhir.us.udap-security_1.0.0,149,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,[When responding to an access token request t]he authorization server MUST: … verify that the authorization code is valid,SHALL,Server,,,,3.3.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation
100
+ hl7.fhir.us.udap-security_1.0.0,150,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,"[When responding to an access token request t]he authorization server MUST: … ensure that the ""redirect_uri"" parameter is present if the ""redirect_uri"" parameter was included in the initial authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and if included ensure that their values are identical.",SHALL,Server,,,,3.3.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_request_validation
101
+ hl7.fhir.us.udap-security_1.0.0,172,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,An Authorization Server receiving token requests containing Authentication Tokens... SHALL validate and respond to the request as per [Sections 6 and 7 of UDAP JWT-Based Client Authentication](https://www.udap.org/udap-jwt-client-auth.html).,SHALL,Server,,,,3.9.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_jwt_security_group-udap_security_jwt_token_request_validation
102
+ hl7.fhir.us.udap-security_1.0.0,173,https://www.udap.org/udap-jwt-client-auth.html,The AS validates the digital signature on the AnT [in the token request] using the public key extracted from cert1 in the x5c parameter of the JOSE header.,SHALL,Server,,,,3.9.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_jwt_security_group-udap_security_jwt_signature_validation
103
+ hl7.fhir.us.udap-security_1.0.0,174,https://www.udap.org/udap-jwt-client-auth.html,"If the signature cannot be validated [using the public key extracted from cert1 in the x5c parameter], the [token] request is denied.",SHALL,Server,,,,3.6.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_deny_token_request
104
+ hl7.fhir.us.udap-security_1.0.0,176,https://www.udap.org/udap-jwt-client-auth.html,"If a trusted chain cannot be built and validated by the AS [for certificates in the x5c parameter of the JOSE header on AnTs in token requests], the request is denied.",SHALL,Server,,,,"3.6.03, 3.9.05","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_deny_token_request, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_jwt_security_group-udap_security_jwt_certificate_chain_validation"
105
+ hl7.fhir.us.udap-security_1.0.0,182,https://www.udap.org/udap-jwt-client-auth.html,The AS validates any other parameters in the [token] request as per the requirements of the grant mechanism identified by the grant_type value.,SHALL,Server,,,,3.9.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_jwt_security_group-udap_security_jwt_grant_parameter_validation
106
+ hl7.fhir.us.udap-security_1.0.0,183,https://www.udap.org/udap-jwt-client-auth.html,"If a parameter is invalid or a required parameter is missing [on a token request], the request is denied",SHALL,Server,,,,3.6.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_deny_token_request
107
+ hl7.fhir.us.udap-security_1.0.0,184,https://hl7.org/fhir/us/udap-security/STU1/consumer.html#submitting-a-token-request,"For all successful token requests, the Authorization Server SHALL issue access tokens with a lifetime no longer than 60 minutes.",SHALL,Server,,,,3.3.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_access_token_lifetime
108
108
  hl7.fhir.us.udap-security_1.0.0,190,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code,Servers SHALL handle and respond to authorization code requests as per [Section 4.1.2 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2).,SHALL,Server,,,,"1.3.01, 1.3.02","udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_redirect, udap_security-udap_authorization_code_group-udap_authorization_code_authentication_group-udap_authorization_code_received"
109
- hl7.fhir.us.udap-security_1.0.0,229,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,An Authorization Server receiving token requests containing Authentication Tokens ... SHALL validate and respond to the request as per Sections 6 and 7 of UDAP JWT-Based Client Authentication.,SHALL,Server,,,,"",""
109
+ hl7.fhir.us.udap-security_1.0.0,229,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#client-credentials-grant,An Authorization Server receiving token requests containing Authentication Tokens ... SHALL validate and respond to the request as per Sections 6 and 7 of UDAP JWT-Based Client Authentication.,SHALL,Server,,,,3.9.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_jwt_security_group-udap_security_jwt_token_request_validation
110
110
  hl7.fhir.us.udap-security_1.0.0,230,https://hl7.org/fhir/us/udap-security/STU1/b2b.html#refresh-tokens,Authorization Servers MAY issue refresh tokens to B2B [and consumer-facing] client applications that use the authorization code grant type as per [Section 5 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-5),MAY,Server,,,,"",""
111
- hl7.fhir.us.udap-security_1.0.0,238,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"Upon receiving an authorization request with a preferred IdP, the data holder first determines whether or not it trusts the IdP to perform user authentication, by retrieving and validating the IdP’s UDAP metadata from {baseURL}/.well-known/udap, as discussed in [Section 2.2](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata)",SHALL,Server,,,,"",""
112
- hl7.fhir.us.udap-security_1.0.0,239,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is trusted and the data holder is not yet registered as a client with the IdP and the IdP supports UDAP Dynamic Registration, then the data holder SHALL register as a client with the IdP as per [Section 3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration) of this guide.",SHALL,Server,,,,"",""
111
+ hl7.fhir.us.udap-security_1.0.0,238,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"Upon receiving an authorization request with a preferred IdP, the data holder first determines whether or not it trusts the IdP to perform user authentication, by retrieving and validating the IdP’s UDAP metadata from {baseURL}/.well-known/udap, as discussed in [Section 2.2](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#required-udap-metadata)",SHALL,Server,,,,3.10.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_identity_provider_interaction_group-udap_security_idp_metadata_validation
112
+ hl7.fhir.us.udap-security_1.0.0,239,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is trusted and the data holder is not yet registered as a client with the IdP and the IdP supports UDAP Dynamic Registration, then the data holder SHALL register as a client with the IdP as per [Section 3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#registration) of this guide.",SHALL,Server,,,,3.10.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_identity_provider_interaction_group-udap_security_idp_dynamic_registration
113
113
  hl7.fhir.us.udap-security_1.0.0,240,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is not trusted by the data holder, or if the data holder does not have and cannot obtain a client_id to use with the IdP, the data holder MAY reject the client app’s authorization request",MAY,Server,,,,"",""
114
- hl7.fhir.us.udap-security_1.0.0,241,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"[if the data holder rejects the request because of idP it SHALL return an error with the invalid_idp extension error code] as per [Section 4.1.2.1 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1), using the extension error code of invalid_idp.",SHALL,Server,true,,,"",""
115
- hl7.fhir.us.udap-security_1.0.0,242,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1,"If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server ... MUST NOT automatically redirect the user-agent to the invalid redirection URI.",SHALL NOT,Server,,,,"",""
114
+ hl7.fhir.us.udap-security_1.0.0,241,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"[if the data holder rejects the request because of idP it SHALL return an error with the invalid_idp extension error code] as per [Section 4.1.2.1 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1), using the extension error code of invalid_idp.",SHALL,Server,true,,,3.6.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_invalid_idp_error
115
+ hl7.fhir.us.udap-security_1.0.0,242,https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1,"If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server ... MUST NOT automatically redirect the user-agent to the invalid redirection URI.",SHALL NOT,Server,,,,3.6.05,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_invalid_redirection_uri
116
116
  hl7.fhir.us.udap-security_1.0.0,243,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is not trusted by the data holder, or if the data holder does not have and cannot obtain a client_id to use with the IdP ... the data holder MAY attempt to authenticate the user with a different trusted IdP or its own IdP, and MAY interact with the user to determine a suitable alternative",MAY,Server,,,,"",""
117
- hl7.fhir.us.udap-security_1.0.0,245,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is trusted by the data holder, and the data holder is registered as a client with the IdP, then the data holder, acting as an OIDC client, SHALL make an authentication request to the IdP’s authorization endpoint as per [Section 3.1.2.1 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) and Section 3.4 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).",SHALL,Server,,,,"",""
118
- hl7.fhir.us.udap-security_1.0.0,246,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,Authorization Servers MUST support the use of the HTTP `GET` and `POST` methods defined in [RFC 7231](https://openid.net/specs/openid-connect-core-1_0.html#RFC7231) at the Authorization Endpoint.,SHALL,Server,,,,"",""
119
- hl7.fhir.us.udap-security_1.0.0,247,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,OpenID Connect [authentication] requests MUST contain the openid scope value.,SHALL,Server,,,,"",""
120
- hl7.fhir.us.udap-security_1.0.0,248,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,"[When constructing an OpenID Connect authentication request the] `response_type` parameter is REQUIRED. Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used. When using the Authorization Code Flow, this value is code.",SHALL,Server,,,,"",""
121
- hl7.fhir.us.udap-security_1.0.0,249,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,[When constructing an OpenID Connect authentication request the] `client_id` [parameter is] REQUIRED [and SHALL be a] Client Identifier valid at the Authorization Server.,SHALL,Server,,,,"",""
122
- hl7.fhir.us.udap-security_1.0.0,250,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,[When constructing an OpenID Connect authentication request the] `redirect_uri` [parameter is] REQUIRED [and SHALL be a] Redirection URI to which the response will be sent.,SHALL,Server,,,,"",""
123
- hl7.fhir.us.udap-security_1.0.0,251,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,"[When constructing an OpenID Connect authentication request] The [`redirect_uri`] URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in [Section 6.2.1 of [RFC3986]](https://openid.net/specs/openid-connect-core-1_0.html#RFC3986) (Simple String Comparison).",SHALL,Server,,,,"",""
117
+ hl7.fhir.us.udap-security_1.0.0,245,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP is trusted by the data holder, and the data holder is registered as a client with the IdP, then the data holder, acting as an OIDC client, SHALL make an authentication request to the IdP’s authorization endpoint as per [Section 3.1.2.1 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) and Section 3.4 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).",SHALL,Server,,,,3.10.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_identity_provider_interaction_group-udap_security_idp_authentication_request
118
+ hl7.fhir.us.udap-security_1.0.0,246,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,Authorization Servers MUST support the use of the HTTP `GET` and `POST` methods defined in [RFC 7231](https://openid.net/specs/openid-connect-core-1_0.html#RFC7231) at the Authorization Endpoint.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_construction
119
+ hl7.fhir.us.udap-security_1.0.0,247,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,OpenID Connect [authentication] requests MUST contain the openid scope value.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_construction
120
+ hl7.fhir.us.udap-security_1.0.0,248,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,"[When constructing an OpenID Connect authentication request the] `response_type` parameter is REQUIRED. Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used. When using the Authorization Code Flow, this value is code.",SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_construction
121
+ hl7.fhir.us.udap-security_1.0.0,249,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,[When constructing an OpenID Connect authentication request the] `client_id` [parameter is] REQUIRED [and SHALL be a] Client Identifier valid at the Authorization Server.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_construction
122
+ hl7.fhir.us.udap-security_1.0.0,250,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,[When constructing an OpenID Connect authentication request the] `redirect_uri` [parameter is] REQUIRED [and SHALL be a] Redirection URI to which the response will be sent.,SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_construction
123
+ hl7.fhir.us.udap-security_1.0.0,251,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest,"[When constructing an OpenID Connect authentication request] The [`redirect_uri`] URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in [Section 6.2.1 of [RFC3986]](https://openid.net/specs/openid-connect-core-1_0.html#RFC3986) (Simple String Comparison).",SHALL,Server,,,,3.4.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_construction
124
124
  hl7.fhir.us.udap-security_1.0.0,252,https://www.udap.org/udap-user-auth-stu1.html,"[When UDAP Tiered OAuth for User Authentication is being requested] If... [the “openid” and “udap”] scope is omitted, the behavior of the IdP is entirely unspecified and the IdP SHOULD NOT proceed with the UDAP Tiered OAuth for User Authentication workflow.",SHOULD NOT,server,,,,"",""
125
- hl7.fhir.us.udap-security_1.0.0,253,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST use the authorization code flow when redirecting the user to the IdP’s authorization endpoint,SHALL,server,,,,"",""
126
- hl7.fhir.us.udap-security_1.0.0,254,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST generate its own random value for the state parameter,SHALL,server,,,,"",""
127
- hl7.fhir.us.udap-security_1.0.0,255,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST NOT reuse the [state] value provided by the Client App in Step 2.,SHALL NOT,server,,,,"",""
128
- hl7.fhir.us.udap-security_1.0.0,258,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,The Authorization Server MUST validate all the OAuth 2.0 [authentication request] parameters according to the OAuth 2.0 specification.,SHALL,Server,,,,"",""
129
- hl7.fhir.us.udap-security_1.0.0,259,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"the Authorization Server MUST ...Verify that a `scope` parameter is present and contains the `openid` scope value [on an authentication request]. (If no `openid` scope value is present, the request may still be a valid OAuth 2.0 request but is not an OpenID Connect request.)",SHALL,Server,,,,"",""
130
- hl7.fhir.us.udap-security_1.0.0,260,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,The Authorization Server MUST verify that all the REQUIRED [authentication request] parameters are present and their usage conforms to this specification.,SHALL,Server,,,,"",""
131
- hl7.fhir.us.udap-security_1.0.0,261,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"If the sub (subject) Claim is requested [on an authentication request] with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User identified by that sub value has an active session with the Authorization Server or has been Authenticated as a result of the request.",SHALL,Server,,,,"",""
132
- hl7.fhir.us.udap-security_1.0.0,262,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST NOT reply [to an authentication request] with an ID Token or Access Token for a different user, even if they have an active session with the Authorization Server.",SHALL NOT,Server,,,,"",""
133
- hl7.fhir.us.udap-security_1.0.0,263,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"When an id_token_hint is present [on an authentication request], the OP MUST validate that it was the issuer of the ID Token.",SHALL,Server,,,,"",""
134
- hl7.fhir.us.udap-security_1.0.0,264,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"[When validating authentication requests received] If the Authorization Server encounters any error, it MUST return an error response, per [Section 3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation)",SHALL,Server,,,,"",""
135
- hl7.fhir.us.udap-security_1.0.0,265,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,he Authorization Server MUST attempt to Authenticate the End-User [for an authentication request when] … The End-User is not already Authenticated.,SHALL,Server,,,,"",""
136
- hl7.fhir.us.udap-security_1.0.0,266,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST attempt to Authenticate the End-User [for an authentication request when] … The Authentication Request contains the prompt parameter with the value login. In this case, the Authorization Server MUST reauthenticate the End-User even if the End-User is already authenticated.",SHALL,Server,,,,"",""
137
- hl7.fhir.us.udap-security_1.0.0,267,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST NOT interact with the End-User [on an authentication request when] the Authentication Request contains the prompt parameter with the value none. In this case, the Authorization Server MUST return an error if an End-User is not already Authenticated or could not be silently Authenticated.",SHALL NOT,Server,,,,"",""
138
- hl7.fhir.us.udap-security_1.0.0,268,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"In this case, [when the Authentication Request contains the prompt parameter with the value none] the Authorization Server MUST return an error if an End-User is not already Authenticated or could not be silently Authenticated.",SHALL NOT,Server,,,,"",""
139
- hl7.fhir.us.udap-security_1.0.0,269,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"When interacting with the End-User [for an authentication request], the Authorization Server MUST employ appropriate measures against Cross-Site Request Forgery and Clickjacking as, described in [Sections 10.12 and 10.13 of OAuth 2.0](https://openid.net/specs/openid-connect-core-1_0.html#RFC6749) [RFC6749].",SHALL,Server,,,,"",""
140
- hl7.fhir.us.udap-security_1.0.0,270,https://www.udap.org/udap-user-auth-stu1.html,[When the IdP interacts with the user to authenticate the user] The Resource Holder MUST validate that the value of the state parameter in the query string matches the value generated in Step 3.4.,SHALL,Server,,,,"",""
141
- hl7.fhir.us.udap-security_1.0.0,271,https://www.udap.org/udap-user-auth-stu1.html,"[When the IdP interacts with the user to authenticate the user] If [the value of the state parameter in the query string ] does NOT match, the Resource Holder MUST terminate this workflow by redirecting the user’s browser to the Client App’s redirection URI with an error code of “server_error” as per standard OAuth 2.0 error flow.",SHALL NOT,Server,,,,"",""
142
- hl7.fhir.us.udap-security_1.0.0,272,https://www.udap.org/udap-user-auth-stu1.html,"If the Resource Holder receives ... an error response from the IdP [for an authentication request], the Resource Holder MUST first validate the value of the state parameter as described in Step 4.1",SHALL,Server,,,,"",""
143
- hl7.fhir.us.udap-security_1.0.0,273,https://www.udap.org/udap-user-auth-stu1.html,"If the state value is valid [on an error response for an authentication request], the Resource Holder MUST terminate this workflow by redirecting the user’s browser to the Client App’s redirection URI with an error code of “access_denied” as per standard OAuth 2.0 error flow,",SHALL,Server,,,,"",""
144
- hl7.fhir.us.udap-security_1.0.0,278,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,The authorization server MUST implement CSRF protection for its authorization endpoint and ensure that a malicious client cannot obtain authorization without the awareness and explicit consent of the resource owner.,SHALL,Server,,,,"",""
145
- hl7.fhir.us.udap-security_1.0.0,279,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP returns a successful authentication response with valid state parameter value and an authorization code, the data holder SHALL exchange the code for an access token and ID Token by making a request to the IdP’s token endpoint as per [Section 3.1.3.1 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest) and Section 4.3 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).",SHALL,Server,,,,"",""
146
- hl7.fhir.us.udap-security_1.0.0,282,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP returns an ID Token, the data holder SHALL then validate the ID Token as per Section [3.1.3.5 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation).",SHALL,Server,,,,"",""
147
- hl7.fhir.us.udap-security_1.0.0,283,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The Client MUST validate the Token Response … Follow[ing] the validation rules in RFC 6749, especially those in [Sections 5.1 and 10.12](https://datatracker.ietf.org/doc/rfc6749/).",SHALL,Server,,,,"",""
148
- hl7.fhir.us.udap-security_1.0.0,284,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,[When constructing an an access token response] the `access_token` parameter [is] `REUIRED`… [and] added to the entity-body of the HTTP response with a 200 (OK) status code,SHALL,Server,,,,"",""
149
- hl7.fhir.us.udap-security_1.0.0,285,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,[When constructing an an access token response] the `token_type` parameter [is] `REUIRED`… [and] added to the entity-body of the HTTP response with a 200 (OK) status code,SHALL,Server,,,,"",""
150
- hl7.fhir.us.udap-security_1.0.0,287,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,The authorization server MUST NOT issue client passwords or other client credentials to native application or user-agent-based application clients for the purpose of client authentication.,SHALL NOT,Server,,,,"",""
151
- hl7.fhir.us.udap-security_1.0.0,288,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The authorization server must consider the security implications of interacting with unauthenticated clients and take measures to limit the potential exposure of other credentials (e.g., refresh tokens) issued to such clients.",SHALL,Server,,,,"",""
125
+ hl7.fhir.us.udap-security_1.0.0,253,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST use the authorization code flow when redirecting the user to the IdP’s authorization endpoint,SHALL,server,,,,3.3.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authorization_code_token_requests_group-udap_security_authorization_code_flow
126
+ hl7.fhir.us.udap-security_1.0.0,254,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST generate its own random value for the state parameter,SHALL,server,,,,3.7.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_state_parameter_management
127
+ hl7.fhir.us.udap-security_1.0.0,255,https://www.udap.org/udap-user-auth-stu1.html,The Resource Holder MUST NOT reuse the [state] value provided by the Client App in Step 2.,SHALL NOT,server,,,,3.7.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_state_parameter_management
128
+ hl7.fhir.us.udap-security_1.0.0,258,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,The Authorization Server MUST validate all the OAuth 2.0 [authentication request] parameters according to the OAuth 2.0 specification.,SHALL,Server,,,,3.4.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation
129
+ hl7.fhir.us.udap-security_1.0.0,259,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"the Authorization Server MUST ...Verify that a `scope` parameter is present and contains the `openid` scope value [on an authentication request]. (If no `openid` scope value is present, the request may still be a valid OAuth 2.0 request but is not an OpenID Connect request.)",SHALL,Server,,,,"3.4.01, 3.4.02","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_construction, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation"
130
+ hl7.fhir.us.udap-security_1.0.0,260,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,The Authorization Server MUST verify that all the REQUIRED [authentication request] parameters are present and their usage conforms to this specification.,SHALL,Server,,,,3.4.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation
131
+ hl7.fhir.us.udap-security_1.0.0,261,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"If the sub (subject) Claim is requested [on an authentication request] with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User identified by that sub value has an active session with the Authorization Server or has been Authenticated as a result of the request.",SHALL,Server,,,,3.4.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation
132
+ hl7.fhir.us.udap-security_1.0.0,262,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST NOT reply [to an authentication request] with an ID Token or Access Token for a different user, even if they have an active session with the Authorization Server.",SHALL NOT,Server,,,,3.4.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation
133
+ hl7.fhir.us.udap-security_1.0.0,263,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"When an id_token_hint is present [on an authentication request], the OP MUST validate that it was the issuer of the ID Token.",SHALL,Server,,,,3.4.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation
134
+ hl7.fhir.us.udap-security_1.0.0,264,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"[When validating authentication requests received] If the Authorization Server encounters any error, it MUST return an error response, per [Section 3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation)",SHALL,Server,,,,3.4.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation
135
+ hl7.fhir.us.udap-security_1.0.0,265,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,he Authorization Server MUST attempt to Authenticate the End-User [for an authentication request when] … The End-User is not already Authenticated.,SHALL,Server,,,,3.4.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation
136
+ hl7.fhir.us.udap-security_1.0.0,266,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST attempt to Authenticate the End-User [for an authentication request when] … The Authentication Request contains the prompt parameter with the value login. In this case, the Authorization Server MUST reauthenticate the End-User even if the End-User is already authenticated.",SHALL,Server,,,,3.4.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation
137
+ hl7.fhir.us.udap-security_1.0.0,267,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"The Authorization Server MUST NOT interact with the End-User [on an authentication request when] the Authentication Request contains the prompt parameter with the value none. In this case, the Authorization Server MUST return an error if an End-User is not already Authenticated or could not be silently Authenticated.",SHALL NOT,Server,,,,"3.4.02, 3.6.04","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_prompt_none_error"
138
+ hl7.fhir.us.udap-security_1.0.0,268,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"In this case, [when the Authentication Request contains the prompt parameter with the value none] the Authorization Server MUST return an error if an End-User is not already Authenticated or could not be silently Authenticated.",SHALL NOT,Server,,,,3.6.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_prompt_none_error
139
+ hl7.fhir.us.udap-security_1.0.0,269,https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation,"When interacting with the End-User [for an authentication request], the Authorization Server MUST employ appropriate measures against Cross-Site Request Forgery and Clickjacking as, described in [Sections 10.12 and 10.13 of OAuth 2.0](https://openid.net/specs/openid-connect-core-1_0.html#RFC6749) [RFC6749].",SHALL,Server,,,,"3.4.02, 3.7.01","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_authentication_requests_group-oidc_auth_request_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_csrf_protection"
140
+ hl7.fhir.us.udap-security_1.0.0,270,https://www.udap.org/udap-user-auth-stu1.html,[When the IdP interacts with the user to authenticate the user] The Resource Holder MUST validate that the value of the state parameter in the query string matches the value generated in Step 3.4.,SHALL,Server,,,,3.7.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_state_parameter_management
141
+ hl7.fhir.us.udap-security_1.0.0,271,https://www.udap.org/udap-user-auth-stu1.html,"[When the IdP interacts with the user to authenticate the user] If [the value of the state parameter in the query string ] does NOT match, the Resource Holder MUST terminate this workflow by redirecting the user’s browser to the Client App’s redirection URI with an error code of “server_error” as per standard OAuth 2.0 error flow.",SHALL NOT,Server,,,,3.6.06,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_state_mismatch_error
142
+ hl7.fhir.us.udap-security_1.0.0,272,https://www.udap.org/udap-user-auth-stu1.html,"If the Resource Holder receives ... an error response from the IdP [for an authentication request], the Resource Holder MUST first validate the value of the state parameter as described in Step 4.1",SHALL,Server,,,,3.7.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_state_parameter_management
143
+ hl7.fhir.us.udap-security_1.0.0,273,https://www.udap.org/udap-user-auth-stu1.html,"If the state value is valid [on an error response for an authentication request], the Resource Holder MUST terminate this workflow by redirecting the user’s browser to the Client App’s redirection URI with an error code of “access_denied” as per standard OAuth 2.0 error flow,",SHALL,Server,,,,3.6.08,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_valid_state_error_response
144
+ hl7.fhir.us.udap-security_1.0.0,278,https://datatracker.ietf.org/doc/html/rfc6749#section-10.12,The authorization server MUST implement CSRF protection for its authorization endpoint and ensure that a malicious client cannot obtain authorization without the awareness and explicit consent of the resource owner.,SHALL,Server,,,,3.7.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_csrf_protection
145
+ hl7.fhir.us.udap-security_1.0.0,279,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP returns a successful authentication response with valid state parameter value and an authorization code, the data holder SHALL exchange the code for an access token and ID Token by making a request to the IdP’s token endpoint as per [Section 3.1.3.1 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest) and Section 4.3 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).",SHALL,Server,,,,3.10.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_identity_provider_interaction_group-udap_security_idp_token_exchange
146
+ hl7.fhir.us.udap-security_1.0.0,282,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP returns an ID Token, the data holder SHALL then validate the ID Token as per Section [3.1.3.5 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation).",SHALL,Server,,,,3.5.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_id_token_validation
147
+ hl7.fhir.us.udap-security_1.0.0,283,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The Client MUST validate the Token Response … Follow[ing] the validation rules in RFC 6749, especially those in [Sections 5.1 and 10.12](https://datatracker.ietf.org/doc/rfc6749/).",SHALL,Server,,,,"3.5.02, 3.5.03","udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_access_token_validation, udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_token_response_validation"
148
+ hl7.fhir.us.udap-security_1.0.0,284,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,[When constructing an an access token response] the `access_token` parameter [is] `REUIRED`… [and] added to the entity-body of the HTTP response with a 200 (OK) status code,SHALL,Server,,,,3.5.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_token_response_validation
149
+ hl7.fhir.us.udap-security_1.0.0,285,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,[When constructing an an access token response] the `token_type` parameter [is] `REUIRED`… [and] added to the entity-body of the HTTP response with a 200 (OK) status code,SHALL,Server,,,,3.5.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_token_response_validation
150
+ hl7.fhir.us.udap-security_1.0.0,287,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,The authorization server MUST NOT issue client passwords or other client credentials to native application or user-agent-based application clients for the purpose of client authentication.,SHALL NOT,Server,,,,3.8.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_client_authentication_group-udap_security_no_client_credentials_native_apps
151
+ hl7.fhir.us.udap-security_1.0.0,288,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The authorization server must consider the security implications of interacting with unauthenticated clients and take measures to limit the potential exposure of other credentials (e.g., refresh tokens) issued to such clients.",SHALL,Server,,,,3.7.03,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_unauthenticated_clients
152
152
  hl7.fhir.us.udap-security_1.0.0,289,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The Client MUST validate the Token Response ...
153
153
 
154
- Follow[ing] the ID Token validation rules in Section [3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).",SHALL,Server,,,,"",""
154
+ Follow[ing] the ID Token validation rules in Section [3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).",SHALL,Server,,,,3.5.01,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_id_token_validation
155
155
  hl7.fhir.us.udap-security_1.0.0,290,https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation,"The Client MUST validate the Token Response ...
156
156
 
157
- Follow[ing] the Access Token validation rules in Section [3.1.3.8](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation)",SHALL,Server,,,,"",""
158
- hl7.fhir.us.udap-security_1.0.0,291,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP does not return an ID Token, or the ID Token cannot be successfully validated, or an error response is retured by the IdP, the data holder MAY return an `invalid_idp` error code to the client app or attempt an alternate user authentication",SHALL,Server,,,,"",""
157
+ Follow[ing] the Access Token validation rules in Section [3.1.3.8](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation)",SHALL,Server,,,,3.5.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_id_token_access_token_validation_group-udap_security_access_token_validation
158
+ hl7.fhir.us.udap-security_1.0.0,291,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-authentication-request-to-idp,"If the IdP does not return an ID Token, or the ID Token cannot be successfully validated, or an error response is retured by the IdP, the data holder MAY return an `invalid_idp` error code to the client app or attempt an alternate user authentication",SHALL,Server,,,,3.6.02,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_invalid_id_token_error
159
159
  hl7.fhir.us.udap-security_1.0.0,292,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"When an ID Token has been returned and validated, the data holder SHOULD use the ID Token to attempt to match the authenticated user to a user or role in its own system, as appropriate for the resources requested.",SHOULD,Server,,,,"",""
160
160
  hl7.fhir.us.udap-security_1.0.0,293,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"the data holder can attempt to map the pair (`iss`,`sub`) to a known users in the data holder’s system.",MAY,Server,,,,"",""
161
161
  hl7.fhir.us.udap-security_1.0.0,294,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder has previously performed this mapping or has otherwise bound the pair (`iss`,`sub`) to a local user or role, it MAY rely on this previous mapping for subsequent authentications",MAY,Server,,,,"",""
162
162
  hl7.fhir.us.udap-security_1.0.0,295,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,the data holder MAY interact with the user following the redirection from the IdP back to the data holder’s redirection URI to increase confidence in the [role] resolution process.,MAY,Server,,,,"",""
163
- hl7.fhir.us.udap-security_1.0.0,296,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder is unable to resolve the authenticated user to a local user or role, as appropriate for the resources requested, it SHALL return an `access_denied` error response to the client app’s authorization request and terminate the workflow.",SHALL,Server,,,,"",""
164
- hl7.fhir.us.udap-security_1.0.0,297,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder successfully maps the authenticated user to a user or role in its own system, as appropriate for the resources requested, it SHALL also obtain authorization from the user for the scopes requested by the client app, if such authorization is required, as per Section [4.5 of UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html), returning to the workflow defined in [Section 4.1](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code) or [Section 5.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code) of this guide, for consumer-facing or B2B apps, respectively.",SHALL,Server,,,,"",""
163
+ hl7.fhir.us.udap-security_1.0.0,296,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder is unable to resolve the authenticated user to a local user or role, as appropriate for the resources requested, it SHALL return an `access_denied` error response to the client app’s authorization request and terminate the workflow.",SHALL,Server,,,,3.6.07,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_error_handling_group-udap_security_unauthenticated_user_error
164
+ hl7.fhir.us.udap-security_1.0.0,297,https://hl7.org/fhir/us/udap-security/STU1/user.html#data-holder-interaction-with-user-after-authentication,"If the data holder successfully maps the authenticated user to a user or role in its own system, as appropriate for the resources requested, it SHALL also obtain authorization from the user for the scopes requested by the client app, if such authorization is required, as per Section [4.5 of UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html), returning to the workflow defined in [Section 4.1](https://hl7.org/fhir/us/udap-security/STU1/consumer.html#obtaining-an-authorization-code) or [Section 5.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#obtaining-an-authorization-code) of this guide, for consumer-facing or B2B apps, respectively.",SHALL,Server,,,,3.7.04,udap_security-udap_server_v100_visual_inspection_and_attestation-udap_server_v100_security_measures_group-udap_security_user_authorization
@@ -1,4 +1,4 @@
1
1
  module UDAPSecurityTestKit
2
- VERSION = '0.11.6'.freeze
3
- LAST_UPDATED = '2025-06-26'.freeze
2
+ VERSION = '0.12.0'.freeze
3
+ LAST_UPDATED = '2025-07-21'.freeze
4
4
  end
@@ -0,0 +1,77 @@
1
+ module UDAPSecurityTestKit
2
+ class B2BAuthorizationExtensionObjectAttestationTest < Inferno::Test
3
+ title 'Complies with requirements for the B2B Flow and Authorization Extension Object'
4
+ id :udap_security_b2b_authorization_extension_object
5
+ description %(
6
+ Client application complies with requirements for the B2B Flow and Authorization Extension Object and:
7
+ - Includes `subject_name` parameter if it is known for human or non-human requestors.
8
+ - Includes `subject_id` parameter for human requestors when the `subject_name` parameter is present.
9
+ - Uses the National Provider Identifier (NPI) as the value for `subject_id` for human requestors in the US Realm.
10
+ - Ensures that the `consent_reference` parameter includes URLs that are resolvable by the receiving party.
11
+ - Omits `consent_reference` if `consent_policy` is not present.
12
+ - Ensures that the Requestor’s User, if applicable, is using the app only as authorized by the Requestor.
13
+ - Omits the `extensions` claim for client apps using the `authorization_code` flow.
14
+ - Includes the `subject_role` value if known for human requestors when the `subject_name` parameter is
15
+ present, and for US Realm, uses values/formats constrained by trust communities (preferably from the
16
+ NUCC Provider Taxonomy Code Set).
17
+ - Includes the `organization_id` value, using a URI scheme defined by the trust community.
18
+ )
19
+ verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@187',
20
+ 'hl7.fhir.us.udap-security_1.0.0@199',
21
+ 'hl7.fhir.us.udap-security_1.0.0@203',
22
+ 'hl7.fhir.us.udap-security_1.0.0@204',
23
+ 'hl7.fhir.us.udap-security_1.0.0@205',
24
+ 'hl7.fhir.us.udap-security_1.0.0@206',
25
+ 'hl7.fhir.us.udap-security_1.0.0@207',
26
+ 'hl7.fhir.us.udap-security_1.0.0@208',
27
+ 'hl7.fhir.us.udap-security_1.0.0@213',
28
+ 'hl7.fhir.us.udap-security_1.0.0@219',
29
+ 'hl7.fhir.us.udap-security_1.0.0@220',
30
+ 'hl7.fhir.us.udap-security_1.0.0@221'
31
+
32
+ input :b2b_authorization_extension_object_compliance,
33
+ title: 'Complies with requirements for the B2B Flow and Authorization Extension Object',
34
+ description: %(
35
+ I attest that the client application complies with requirements for the B2B Flow and Authorization
36
+ Extension Object and:
37
+ - Includes `subject_name` parameter if it is known for human or non-human requestors.
38
+ - Includes `subject_id` parameter for human requestors when the `subject_name` parameter is present.
39
+ - Uses the National Provider Identifier (NPI) as the value for `subject_id` for human requestors in the
40
+ US Realm.
41
+ - Ensures that the `consent_reference` parameter includes URLs that are resolvable by the receiving party.
42
+ - Omits `consent_reference` if `consent_policy` is not present.
43
+ - Ensures that the Requestor’s User, if applicable, is using the app only as authorized by the Requestor.
44
+ - Omits the `extensions` claim for client apps using the `authorization_code` flow.
45
+ - Includes the `subject_role` value if known for human requestors when the `subject_name` parameter is
46
+ present, and for US Realm, uses values/formats constrained by trust communities (preferably from the
47
+ NUCC Provider Taxonomy Code Set).
48
+ - Includes the `organization_id` value, using a URI scheme defined by the trust community.
49
+ ),
50
+ type: 'radio',
51
+ default: 'false',
52
+ options: {
53
+ list_options: [
54
+ {
55
+ label: 'Yes',
56
+ value: 'true'
57
+ },
58
+ {
59
+ label: 'No',
60
+ value: 'false'
61
+ }
62
+ ]
63
+ }
64
+ input :b2b_authorization_extension_object_compliance_note,
65
+ title: 'Notes, if applicable:',
66
+ type: 'textarea',
67
+ optional: true
68
+
69
+ run do
70
+ assert b2b_authorization_extension_object_compliance == 'true',
71
+ 'Client application did not comply with requirements for the B2B Authorization Extension Object.'
72
+ if b2b_authorization_extension_object_compliance_note.present?
73
+ pass b2b_authorization_extension_object_compliance_note
74
+ end
75
+ end
76
+ end
77
+ end
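Review bot: The failure message in the `run` block drops the "B2B Flow" half of what the tester attested to, so a failing run reads narrower than the title and input description; aligning it keeps the report traceable to the requirement list, e.g. `'Client application did not comply with requirements for the B2B Flow and Authorization Extension Object.'`. The multi-line `if ... end` around the `pass` call is also the only one in this set of attestation tests; the sibling tests use the modifier form, and the long input name is the likely reason for the difference, so a short local such as `note = b2b_authorization_extension_object_compliance_note` followed by `pass note if note.present?` would keep the style consistent without exceeding the line length. As this is a pure attestation (radio defaulting to `'false'`), nothing in the run block exercises the client; that is expected for a visual-inspection test but worth stating in the description so readers do not mistake it for an automated check.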
@@ -0,0 +1,47 @@
1
+ module UDAPSecurityTestKit
2
+ class ClientAuthorizationCodeUsageAttestationTest < Inferno::Test
3
+ title 'Uses authorization code correctly'
4
+ id :udap_security_client_auth_code_usage
5
+ description %(
6
+ Client application uses the authorization code correctly by:
7
+ - Ensuring the authorization code is not used more than once.
8
+ - Requesting an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1)
9
+ of RFC 6749.
10
+ )
11
+ verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@136',
12
+ 'hl7.fhir.us.udap-security_1.0.0@188'
13
+
14
+ input :authorization_code_usage_correctly,
15
+ title: 'Uses authorization code correctly',
16
+ description: %(
17
+ I attest that the client application uses the authorization code correctly by:
18
+ - Ensuring the authorization code is not used more than once.
19
+ - Requesting an authorization code as per [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1)
20
+ of RFC 6749.
21
+ ),
22
+ type: 'radio',
23
+ default: 'false',
24
+ options: {
25
+ list_options: [
26
+ {
27
+ label: 'Yes',
28
+ value: 'true'
29
+ },
30
+ {
31
+ label: 'No',
32
+ value: 'false'
33
+ }
34
+ ]
35
+ }
36
+ input :authorization_code_usage_correctly_note,
37
+ title: 'Notes, if applicable:',
38
+ type: 'textarea',
39
+ optional: true
40
+
41
+ run do
42
+ assert authorization_code_usage_correctly == 'true',
43
+ 'Client application did not demonstrate correct usage of the authorization code.'
44
+ pass authorization_code_usage_correctly_note if authorization_code_usage_correctly_note.present?
45
+ end
46
+ end
47
+ end
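Review bot: The assertion message says the client "did not demonstrate correct usage", but the test only records a self-attestation and never observes a token exchange, so "demonstrate" overstates what a failure means; the sibling tests use "did not comply", which fits better: `'Client application did not comply with requirements for authorization code usage.'`. The first bullet (the code is not used more than once) is a client obligation under RFC 6749, but single-use is ultimately enforced by the authorization server; a one-line note in the description that this attestation covers only the client side would help testers scope their answer. The `verifies_requirements` list maps two requirement ids to one attestation, so if either is later tested automatically, this entry will need to be split.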
@@ -0,0 +1,50 @@
1
+ module UDAPSecurityTestKit
2
+ class ClientSecurityAndCSRFProtectionAttestationTest < Inferno::Test
3
+ title 'Complies with Client Security and CSRF Protection'
4
+ id :udap_security_client_security_csrf_protection
5
+ description %(
6
+ Client applications complies with the requirements for Client Security and CSRF Protection:
7
+ - Implements CSRF protection for its redirection URI.
8
+ - Uses a binding value for CSRF protection that contains a non-guessable value.
9
+ - Ensures the user-agent's authenticated state is accessible only to the client and user-agent, protected by
10
+ the same-origin policy.
11
+ )
12
+ verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@275',
13
+ 'hl7.fhir.us.udap-security_1.0.0@276',
14
+ 'hl7.fhir.us.udap-security_1.0.0@277'
15
+
16
+ input :csrf_protection_implementation,
17
+ title: 'Complies with the requirements for Client Security and CSRF Protection',
18
+ description: %(
19
+ I attest that the client application complies with the requirements for Client Security and CSRF Protection:
20
+ - Implements CSRF protection for its redirection URI.
21
+ - Uses a binding value for CSRF protection that contains a non-guessable value.
22
+ - Ensures the user-agent's authenticated state is accessible only to the client and user-agent, protected by
23
+ the same-origin policy.
24
+ ),
25
+ type: 'radio',
26
+ default: 'false',
27
+ options: {
28
+ list_options: [
29
+ {
30
+ label: 'Yes',
31
+ value: 'true'
32
+ },
33
+ {
34
+ label: 'No',
35
+ value: 'false'
36
+ }
37
+ ]
38
+ }
39
+ input :csrf_protection_implementation_note,
40
+ title: 'Notes, if applicable:',
41
+ type: 'textarea',
42
+ optional: true
43
+
44
+ run do
45
+ assert csrf_protection_implementation == 'true',
46
+ 'Client application did not comply with the requirements for Client Security and CSRF Protection.'
47
+ pass csrf_protection_implementation_note if csrf_protection_implementation_note.present?
48
+ end
49
+ end
50
+ end
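Review bot: The description opens with a subject/verb mismatch, "Client applications complies", which should read `Client application complies with the requirements for Client Security and CSRF Protection:` to match the input description a few lines below. The first bullet, "Implements CSRF protection for its redirection URI", can be satisfied in a tester's mind by merely sending a non-guessable value; the protection only exists if that value is checked when the user-agent returns to the redirection URI, so the bullet should make the verification explicit, e.g. `- Implements CSRF protection for its redirection URI, rejecting redirects whose binding value does not match the one the client issued.`. This is presumably the RFC 6749 §10.12 requirement set behind the three requirement ids, but the hunk does not show the mapping, so confirm before citing it in the text.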
@@ -0,0 +1,44 @@
1
+ module UDAPSecurityTestKit
2
+ class CryptographicAlgorithmsAndSecurityProtocolsAttestationTest < Inferno::Test
3
+ title 'supports the RS256 signature algorithm'
4
+ id :udap_security_crypto_algorithms_and_protocols
5
+ description %(
6
+ Client application supports the RS256 signature algorithm as defined in as defined in
7
+ [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1) for UDAP workflows.
8
+ )
9
+ verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@4'
10
+
11
+ input :crypto_algorithms_and_protocols_compliance,
12
+ title: 'Supports the RS256 signature algorithm',
13
+ description: %(
14
+ I attest that the client application supports the RS256 signature algorithm as defined in as defined in
15
+ [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1) for UDAP workflows.
16
+ ),
17
+ type: 'radio',
18
+ default: 'false',
19
+ options: {
20
+ list_options: [
21
+ {
22
+ label: 'Yes',
23
+ value: 'true'
24
+ },
25
+ {
26
+ label: 'No',
27
+ value: 'false'
28
+ }
29
+ ]
30
+ }
31
+
32
+ input :crypto_algorithms_and_protocols_compliance_note,
33
+ title: 'Notes, if applicable:',
34
+ type: 'textarea',
35
+ optional: true
36
+
37
+ run do
38
+ assert crypto_algorithms_and_protocols_compliance == 'true',
39
+ 'Client application did not comply with cryptographic algorithms and security protocols requirements
40
+ (RS256 support).'
41
+ pass crypto_algorithms_and_protocols_compliance_note if crypto_algorithms_and_protocols_compliance_note.present?
42
+ end
43
+ end
44
+ end
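Review bot: The assertion message in the `run` block is a single-quoted literal broken across two lines, so the reported message will contain a literal newline plus the leading indentation of the continuation line; join it into one literal, `'Client application did not comply with cryptographic algorithms and security protocols requirements (RS256 support).'`, or concatenate with `\` continuation as the sibling tests keep messages on one line. Both the test description and the input description repeat "as defined in as defined in"; one occurrence should be dropped in each. The title `'supports the RS256 signature algorithm'` is the only lowercase-initial title among these attestation tests and should be `'Supports the RS256 signature algorithm'` to match the input title and its siblings.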