udap_security_test_kit 0.11.6 → 0.12.0

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/data_holder_auth_request_scope_test.rb

@@ -0,0 +1,42 @@
+module UDAPSecurityTestKit
+  class DataHolderAuthRequestScopeAttestationTest < Inferno::Test
+    title 'Data Holder Authentication Request Contains `openid` and `udap` Scopes'
+    id :udap_security_data_holder_auth_request_scope
+    description %(
+      Data holder's authentication request to the Identity Provider includes both
+      `openid` and `udap` in the `scope` query parameter.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@256'
+
+    input :auth_request_scope_contains_openid_udap,
+          title: 'Authentication request `scope` contains `openid` and `udap`',
+          description: %(
+            I attest that the data holder's authentication request to the Identity Provider includes both
+            `openid` and `udap` in the `scope` query parameter.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :auth_request_scope_contains_openid_udap_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert auth_request_scope_contains_openid_udap == 'true',
+             'Authentication request did not include both `openid` and `udap` in the `scope` query parameter.'
+      pass auth_request_scope_contains_openid_udap_note if auth_request_scope_contains_openid_udap_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_authentication_compliance_test.rb

@@ -0,0 +1,44 @@
+module UDAPSecurityTestKit
+  class IdPAuthenticationComplianceAttestationTest < Inferno::Test
+    title 'Identity Provider Authenticates User per OIDC Core and UDAP Tiered OAuth'
+    id :udap_security_idp_authentication_compliance
+    description %(
+      The Identity Provider authenticates the user according to
+      [Sections 3.1.2.2 - 3.1.2.6 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation)
+      and Sections 4.1 - 4.2 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@257'
+
+    input :idp_authenticates_per_spec,
+          title: 'IdP authenticates user per OIDC Core and UDAP Tiered OAuth',
+          description: %(
+            I attest that the Identity Provider authenticates the user according to
+            [Sections 3.1.2.2 - 3.1.2.6 of OIDC Core](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation)
+            and Sections 4.1 - 4.2 of [UDAP Tiered OAuth](https://www.udap.org/udap-user-auth-stu1.html).
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :idp_authenticates_per_spec_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert idp_authenticates_per_spec == 'true',
+             'Identity Provider did not authenticate the user as per OIDC Core and UDAP Tiered OAuth specifications.'
+      pass idp_authenticates_per_spec_note if idp_authenticates_per_spec_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/idp_supports_required_scopes_test.rb

@@ -0,0 +1,42 @@
+module UDAPSecurityTestKit
+  class IdPSupportsRequiredScopesAttestationTest < Inferno::Test
+    title 'Supports required scopes in IdPs'
+    id :udap_security_idp_supports_scopes
+    description %(
+        Identity Provider (IdP) includes `"openid"` and `"udap"` in the array of scopes returned
+        for the `scopes_supported` parameter.
+      )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@235'
+
+    input :idp_supports_required_scopes,
+          title: 'Supports required scopes',
+          description: %(
+              I attest that the Identity Provider (IdP) includes `"openid"` and `"udap"` in the array of scopes returned
+              for the `scopes_supported` parameter.
+            ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :idp_supports_required_scopes_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert idp_supports_required_scopes == 'true',
+             'Identity Provider (IdP) did not demonstrate support for required scopes.'
+      pass idp_supports_required_scopes_note if idp_supports_required_scopes_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/jti_reuse_prevention_test.rb

@@ -0,0 +1,44 @@
+module UDAPSecurityTestKit
+  class JTIReusePreventionAttestationTest < Inferno::Test
+    title 'Prevents reuse of JTI values in authentication tokens'
+    id :udap_security_jti_reuse_prevention
+    description %(
+      Client application prevents reuse of JTI values in authentication tokens by:
+      - Ensuring the `jti` parameter is not reused in another authentication JWT before the time specified
+        in the `exp` claim has passed.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@159'
+
+    input :jti_reuse_prevention_correctly,
+          title: 'Prevents reuse of JTI values in authentication tokens',
+          description: %(
+            I attest that the client application prevents reuse of JTI values in authentication tokens by:
+            - Ensuring the `jti` parameter is not reused in another authentication JWT before the time specified
+              in the `exp` claim has passed.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :jti_reuse_prevention_correctly_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert jti_reuse_prevention_correctly == 'true',
+             'Client application did not demonstrate prevention of JTI reuse in authentication tokens.'
+      pass jti_reuse_prevention_correctly_note if jti_reuse_prevention_correctly_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/metadata_interpretation_test.rb

@@ -0,0 +1,47 @@
+module UDAPSecurityTestKit
+  class MetadataInterpretationAttestationTest < Inferno::Test
+    title 'Interprets metadata correctly'
+    id :udap_security_metadata_interpretation
+    description %(
+      Client application interprets metadata correctly by:
+      - Interpreting an empty array value in metadata as indicating that the corresponding capability is
+        NOT supported by the server.
+      - Using applicable values returned in a server’s UDAP metadata for workflows defined in this guide.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@20',
+                          'hl7.fhir.us.udap-security_1.0.0@21'
+
+    input :interprets_metadata_correctly,
+          title: 'Interprets metadata correctly',
+          description: %(
+            I attest that the client application interprets metadata correctly by:
+            - Interpreting an empty array value in metadata as indicating that the corresponding capability is
+              NOT supported by the server.
+            - Using applicable values returned in a server’s UDAP metadata for workflows defined in this guide.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :interprets_metadata_correctly_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert interprets_metadata_correctly == 'true',
+             'Client application did not demonstrate correct interpretation of metadata.'
+      pass interprets_metadata_correctly_note if interprets_metadata_correctly_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/oauth2_protocol_compliance_test.rb

@@ -0,0 +1,50 @@
+module UDAPSecurityTestKit
+  class OAuth2ProtocolComplianceAttestationTest < Inferno::Test
+    title 'Complies with OAuth 2.0 Protocol Requirements'
+    id :udap_security_oauth2_protocol_compliance
+    description %(
+      Client application complies with OAuth 2.0 protocol requirements:
+      - Ignores unrecognized response parameters in the authorization response when receiveing an response to an
+        authorization request.
+      - Follows the token request and response protocol as defined in RFC 6749 Sections 4.1.3 and 4.1.4 when
+        authenticating with a shared secret.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@139',
+                          'hl7.fhir.us.udap-security_1.0.0@162'
+
+    input :oauth2_protocol_compliance,
+          title: 'Complies with OAuth 2.0 Protocol Requirements',
+          description: %(
+            I attest that the client application complies with OAuth 2.0 protocol requirements:
+            - Ignores unrecognized response parameters in the authorization response when receiveing an response to an
+              authorization request.
+            - Follows the token request and response protocol as defined in RFC 6749 Sections 4.1.3 and 4.1.4 when
+              authenticating with a shared secret.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+
+    input :oauth2_protocol_compliance_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert oauth2_protocol_compliance == 'true',
+             'Client application did not comply with OAuth 2.0 protocol requirements.'
+      pass oauth2_protocol_compliance_note if oauth2_protocol_compliance_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/preferred_identity_provider_test.rb

@@ -0,0 +1,45 @@
+module UDAPSecurityTestKit
+  class PreferredIdentityProviderAttestationTest < Inferno::Test
+    title 'Indicates preferred Identity Provider'
+    id :udap_security_preferred_idp
+    description %(
+      Client application indicates the preferred Identity Provider (IdP) to the data holder by:
+      - Adding `udap` to the list of scopes provided in the `scope` query parameter.
+      - Adding the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@236',
+                          'hl7.fhir.us.udap-security_1.0.0@237'
+
+    input :indicates_preferred_idp,
+          title: 'Indicates preferred Identity Provider',
+          description: %(
+            I attest that the client application indicates the preferred Identity Provider (IdP) to the data holder by:
+            - Adding `udap` to the list of scopes provided in the `scope` query parameter.
+            - Adding the extension query parameter `idp` with a value equal to the base URL of the preferred OIDC IdP.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :indicates_preferred_idp_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert indicates_preferred_idp == 'true',
+             'Client application did not demonstrate correct indication of the preferred Identity Provider.'
+      pass indicates_preferred_idp_note if indicates_preferred_idp_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/private_key_authentication_test.rb

@@ -0,0 +1,47 @@
+module UDAPSecurityTestKit
+  class PrivateKeyAuthenticationAttestationTest < Inferno::Test
+    title 'Uses private key authentication correctly'
+    id :udap_security_private_key_authentication
+    description %(
+      Client application uses private key authentication correctly as per
+      Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) by:
+      - Omitting the HTTP Authorization header and client secret in token endpoint requests when authenticating
+        with a private key and Authentication Token.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@164',
+                          'hl7.fhir.us.udap-security_1.0.0@224'
+
+    input :private_key_authentication_correctly,
+          title: 'Uses private key authentication correctly',
+          description: %(
+            I attest that the client application uses private key authentication correctly as per
+            Section [5.2.1](https://hl7.org/fhir/us/udap-security/STU1/b2b.html#constructing-authentication-token) by:
+            - Omitting the HTTP Authorization header and client secret in token endpoint requests when authenticating
+              with a private key and Authentication Token.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :private_key_authentication_correctly_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert private_key_authentication_correctly == 'true',
+             'Client application did not demonstrate correct private key authentication.'
+      pass private_key_authentication_correctly_note if private_key_authentication_correctly_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/resource_holder_authentication_test.rb

@@ -0,0 +1,45 @@
+module UDAPSecurityTestKit
+  class ResourceHolderTokenEndpointAuthenticationAttestationTest < Inferno::Test
+    title 'Authenticates to IdP Token Endpoint'
+    id :udap_security_resource_holder_token_endpoint_authentication
+    description %(
+      The Resource authenticates to the IdP’s token endpoint when requesting an ID token
+      and access token, as detailed in Section 5 of UDAP JWT-based Client Authentication.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@281'
+
+    input :resource_holder_token_endpoint_authentication,
+          title: 'Authenticates to IdP Token Endpoint',
+          description: %(
+            I attest that the Resource Holder authenticates to the IdP’s token endpoint when requesting an ID token
+            and access token, as detailed in Section 5 of UDAP JWT-based Client Authentication.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+
+    input :resource_holder_token_endpoint_authentication_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert resource_holder_token_endpoint_authentication == 'true',
+             'Resource Holder did not authenticate to the IdP’s token endpoint as required.'
+      if resource_holder_token_endpoint_authentication_note.present?
+        pass resource_holder_token_endpoint_authentication_note
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/software_statement_registration_test.rb

@@ -0,0 +1,49 @@
+module UDAPSecurityTestKit
+  class SoftwareStatementAndRegistrationAttestationTest < Inferno::Test
+    title 'Complies with Software Statement and Registration'
+    id :udap_security_software_statement_registration
+    description %(
+      Client application complies with the requirements for Software Statement and Registration:
+      - Ensures that the `jti` claim in the JWT is not reused in another software statement or authentication JWT
+        before the time specified in the `exp` claim has passed.
+      - Interprets a registration response containing an empty `grant_types` array as a confirmation that the
+        registration for the `client_id` listed in the response has been cancelled by the Authorization Server.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@82',
+                          'hl7.fhir.us.udap-security_1.0.0@123'
+
+    input :software_statement_registration_compliance,
+          title: 'Complies with the requirements for Software Statement and Registration',
+          description: %(
+            I attest that the client application complies with the requirements for Software Statement and Registration:
+            - Ensures that the `jti` claim in the JWT is not reused in another software statement or authentication JWT
+              before the time specified in the `exp` claim has passed.
+            - Interprets a registration response containing an empty `grant_types` array as a confirmation that the
+              registration for the `client_id` listed in the response has been cancelled by the Authorization Server.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :software_statement_registration_compliance_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert software_statement_registration_compliance == 'true',
+             'Client application did not comply with the requirements for Software Statement and Registration.'
+      pass software_statement_registration_compliance_note if software_statement_registration_compliance_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/token_request_authentication_test.rb

@@ -0,0 +1,51 @@
+module UDAPSecurityTestKit
+  class TokenRequestAuthenticationAttestationTest < Inferno::Test
+    title 'Authenticates correctly when making token requests'
+    id :udap_security_token_request_authentication
+    description %(
+      Client application authenticates correctly when making token requests as described in
+      [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1) by:
+      - Including the `client_id` parameter in the token request if the client is not authenticating with the
+        authorization server.
+      - Authenticating to the Token Endpoint using the method registered for its `client_id` if the client
+        is a Confidential Client.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@144',
+                          'hl7.fhir.us.udap-security_1.0.0@280'
+
+    input :token_request_authentication_correctly,
+          title: 'Authenticates correctly when making token requests',
+          description: %(
+            I attest that the client application authenticates correctly when making token requests as
+            described in in [Section 3.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1) by:
+            - Including the `client_id` parameter in the token request if the client is not authenticating
+              with the authorization server.
+            - Authenticating to the Token Endpoint using the method registered for its `client_id` if the client
+              is a Confidential Client.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :token_request_authentication_correctly_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert token_request_authentication_correctly == 'true',
+             'Client application did not demonstrate correct authentication during token requests.'
+      pass token_request_authentication_correctly_note if token_request_authentication_correctly_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/trust_community_query_parameters_test.rb

@@ -0,0 +1,43 @@
+module UDAPSecurityTestKit
+  class TrustCommunityAndQueryParametersAttestationTest < Inferno::Test
+    title 'Complies with Trust Community and Query Parameter'
+    id :udap_security_trust_community_query_parameters
+    description %(
+      Client application ensures the value of the `community` query parameter is a valid URI as
+      determined by the trust community.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@61'
+
+    input :community_query_parameter_compliance,
+          title: 'Complies with Trust Community and Query Parameter',
+          description: %(
+            I attest that the client application ensures the value of the `community` query parameter is a valid URI
+            as determined by the trust community.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :community_query_parameter_compliance_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert community_query_parameter_compliance == 'true',
+             'Client application did not ensure the `community` query parameter value is a valid URI
+              as determined by the trust community.'
+      pass community_query_parameter_compliance_note if community_query_parameter_compliance_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client/validation_confidentiality_test.rb

@@ -0,0 +1,49 @@
+module UDAPSecurityTestKit
+  class ValidationAndConfidentialityAttestationTest < Inferno::Test
+    title 'Complies with Validation and Confidentiality'
+    id :udap_security_validation_confidentiality
+    description %(
+      Client applications complies with the requirements for Validation and Confidentiality:
+      - Validates the `state` parameter returned by the Resource Holder in response to an authorization request to
+        ensure it matches the value sent in the original request.
+      - Ensures confidentiality of client passwords and other client credentials by securely storing and
+        transmitting them.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@274',
+                          'hl7.fhir.us.udap-security_1.0.0@286'
+
+    input :validation_confidentiality_compliance,
+          title: 'Complies with requirements for Validation and Confidentiality',
+          description: %(
+            I attest that the client applications complies with the requirements for Validation and Confidentiality:
+            - Validates the `state` parameter returned by the Resource Holder in response to an authorization request to
+              ensure it matches the value sent in the original request.
+            - Ensures confidentiality of client passwords and other client credentials by securely storing and
+              transmitting them.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :validation_confidentiality_compliance_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert validation_confidentiality_compliance == 'true',
+             'Client application did not validate the `state` parameter returned by the Resource Holder.'
+      pass validation_confidentiality_compliance_note if validation_confidentiality_compliance_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/client_attestation_group.rb

@@ -0,0 +1,48 @@
+require_relative 'client/client_authorization_code_usage_test'
+require_relative 'client/b2b_authorization_extension_object_test'
+require_relative 'client/client_security_csrf_protection_test'
+require_relative 'client/cryptographic_algorithms_test'
+require_relative 'client/data_holder_auth_request_scope_test'
+require_relative 'client/idp_authentication_compliance_test'
+require_relative 'client/idp_supports_required_scopes_test'
+require_relative 'client/jti_reuse_prevention_test'
+require_relative 'client/metadata_interpretation_test'
+require_relative 'client/oauth2_protocol_compliance_test'
+require_relative 'client/preferred_identity_provider_test'
+require_relative 'client/private_key_authentication_test'
+require_relative 'client/resource_holder_authentication_test'
+require_relative 'client/software_statement_registration_test'
+require_relative 'client/token_request_authentication_test'
+require_relative 'client/trust_community_query_parameters_test'
+require_relative 'client/validation_confidentiality_test'
+
+module UDAPSecurityTestKit
+  class ClientAttestationGroup < Inferno::TestGroup
+    id :udap_client_v100_visual_inspection_and_attestation
+    title 'Visual Inspection and Attestation'
+    optional
+
+    description <<~DESCRIPTION
+      Perform visual inspections or attestations to ensure that the Client is conformant to the UDAP IG requirements.
+    DESCRIPTION
+
+    run_as_group
+    test from: :udap_security_client_auth_code_usage
+    test from: :udap_security_crypto_algorithms_and_protocols
+    test from: :udap_security_idp_supports_scopes
+    test from: :udap_security_jti_reuse_prevention
+    test from: :udap_security_metadata_interpretation
+    test from: :udap_security_preferred_idp
+    test from: :udap_security_private_key_authentication
+    test from: :udap_security_token_request_authentication
+    test from: :udap_security_oauth2_protocol_compliance
+    test from: :udap_security_resource_holder_token_endpoint_authentication
+    test from: :udap_security_software_statement_registration
+    test from: :udap_security_b2b_authorization_extension_object
+    test from: :udap_security_client_security_csrf_protection
+    test from: :udap_security_data_holder_auth_request_scope
+    test from: :udap_security_idp_authentication_compliance
+    test from: :udap_security_validation_confidentiality
+    test from: :udap_security_trust_community_query_parameters
+  end
+end