udap_security_test_kit 0.11.6 → 0.12.0

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group/authentication_request_construction_test.rb

@@ -0,0 +1,56 @@
+module UDAPSecurityTestKit
+  class AuthenticationRequestConstructionAttestationTest < Inferno::Test
+    title 'Complies with OpenID Connect requirements in construction'
+    id :oidc_auth_request_construction
+    description %(
+      Authorization Server complies ith OpenID Connect requirements and ensures:
+      - HTTP GET and POST methods are supported at the Authorization Endpoint.
+      - The `openid` scope value is included in requests.
+      - A `scope` parameter is present and contains the `openid` scope value on an authentication request
+      - Required parameters (`response_type`, `client_id`, `redirect_uri`) are present and valid.
+      - The `redirect_uri` exactly matches pre-registered values.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@246',
+                          'hl7.fhir.us.udap-security_1.0.0@247',
+                          'hl7.fhir.us.udap-security_1.0.0@248',
+                          'hl7.fhir.us.udap-security_1.0.0@249',
+                          'hl7.fhir.us.udap-security_1.0.0@250',
+                          'hl7.fhir.us.udap-security_1.0.0@251',
+                          'hl7.fhir.us.udap-security_1.0.0@259'
+
+    input :auth_request_construction_correct,
+          title: 'Authentication Requests: Complies with OpenID Connect requirements',
+          description: %(
+            I attest that the Authorization Server complies with OpenID Connect requirements and ensures:
+            - HTTP GET and POST methods are supported at the Authorization Endpoint.
+            - The `openid` scope value is included in requests.
+            - A `scope` parameter is present and contains the `openid` scope value on an authentication request
+            - Required parameters (`response_type`, `client_id`, `redirect_uri`) are present and valid.
+            - The `redirect_uri` exactly matches pre-registered values.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :auth_request_construction_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert auth_request_construction_correct == 'true',
+             'Authentication Request Construction does not comply with OpenID Connect requirements.'
+      pass auth_request_construction_note if auth_request_construction_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group/authentication_request_validation_test.rb

@@ -0,0 +1,60 @@
+module UDAPSecurityTestKit
+  class AuthenticationRequestValidationAttestationTest < Inferno::Test
+    title 'Complies with OpenID Connect requirements in validation'
+    id :oidc_auth_request_validation
+    description %(
+      Authorization Server complies with OpenID Connect requirements and ensures:
+      - Validation of all OAuth 2.0 parameters.
+      - Verification that the `scope` parameter contains the `openid` value.
+      - Required parameters are present and conform to the specification.
+      - Proper handling of the `sub` Claim, `id_token_hint`, and `prompt` parameter.
+      - Implementation of CSRF and Clickjacking protections.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@258',
+                          'hl7.fhir.us.udap-security_1.0.0@259',
+                          'hl7.fhir.us.udap-security_1.0.0@260',
+                          'hl7.fhir.us.udap-security_1.0.0@261',
+                          'hl7.fhir.us.udap-security_1.0.0@262',
+                          'hl7.fhir.us.udap-security_1.0.0@263',
+                          'hl7.fhir.us.udap-security_1.0.0@264',
+                          'hl7.fhir.us.udap-security_1.0.0@265',
+                          'hl7.fhir.us.udap-security_1.0.0@266',
+                          'hl7.fhir.us.udap-security_1.0.0@267',
+                          'hl7.fhir.us.udap-security_1.0.0@269'
+
+    input :auth_request_validation_correct,
+          title: 'Authentication Requests: Complies with OpenID Connect requirements in validation',
+          description: %(
+            I attest that the Authorization Server complies with OpenID Connect requirements and ensures:
+            - Validation of all OAuth 2.0 parameters.
+            - Verification that the `scope` parameter contains the `openid` value.
+            - Required parameters are present and conform to the specification.
+            - Proper handling of the `sub` Claim, `id_token_hint`, and `prompt` parameter.
+            - Implementation of CSRF and Clickjacking protections.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :auth_request_validation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert auth_request_validation_correct == 'true',
+             'Authentication Request Validation does not comply with OpenID Connect requirements.'
+      pass auth_request_validation_note if auth_request_validation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authentication_requests_group.rb

@@ -0,0 +1,13 @@
+require_relative 'authentication_requests_group/authentication_request_construction_test'
+require_relative 'authentication_requests_group/authentication_request_validation_test'
+
+module UDAPSecurityTestKit
+  class OpenIDConnectAuthenticationRequestsAttestationGroup < Inferno::TestGroup
+    id :udap_server_v100_authentication_requests_group
+    title 'Authentication Requests'
+
+    run_as_group
+    test from: :oidc_auth_request_construction
+    test from: :oidc_auth_request_validation
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_lifetime_test.rb

@@ -0,0 +1,42 @@
+module UDAPSecurityTestKit
+  class AccessTokenLifetimeAttestationTest < Inferno::Test
+    title 'Limits lifetime of access tokens to no longer than 60 minutes'
+    id :udap_security_access_token_lifetime
+    description %(
+      The Authorization Server issues access tokens with a lifetime no longer than 60 minutes for all successful
+      token requests.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@184'
+
+    input :access_token_lifetime_correct,
+          title: 'Authorization Code and Token Requests: Limits lifetime of access tokens to no longer than 60 minutes',
+          description: %(
+            I attest that the Authorization Server issues access tokens with a lifetime no longer than 60 minutes for
+            all successful token requests.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :access_token_lifetime_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert access_token_lifetime_correct == 'true',
+             'Authorization Server did not issue access tokens with a lifetime no longer than 60 minutes.'
+      pass access_token_lifetime_note if access_token_lifetime_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/access_token_request_validation_test.rb

@@ -0,0 +1,51 @@
+module UDAPSecurityTestKit
+  class AccessTokenRequestValidationAttestationTest < Inferno::Test
+    title 'Validates access token requests correctly'
+    id :udap_security_access_token_request_validation
+    description %(
+      The Authorization Server validates access token requests by:
+      - Requiring client authentication for confidential clients or clients issued credentials.
+      - Authenticating the client if client authentication is included.
+      - Verifying that the authorization code is valid.
+      - Ensuring the `redirect_uri` parameter is present and matches the initial authorization request.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@146',
+                          'hl7.fhir.us.udap-security_1.0.0@147',
+                          'hl7.fhir.us.udap-security_1.0.0@149',
+                          'hl7.fhir.us.udap-security_1.0.0@150'
+
+    input :access_token_request_validation_correct,
+          title: 'Authorization Code and Token Requests: Validates access token requests correctly',
+          description: %(
+            I attest that the Authorization Server validates access token requests by:
+            - Requiring client authentication for confidential clients or clients issued credentials.
+            - Authenticating the client if client authentication is included.
+            - Verifying that the authorization code is valid.
+            - Ensuring the `redirect_uri` parameter is present and matches the initial authorization request.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :access_token_request_validation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert access_token_request_validation_correct == 'true',
+             'Authorization Server did not validate access token requests correctly.'
+      pass access_token_request_validation_note if access_token_request_validation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/authorization_code_usage_test.rb

@@ -0,0 +1,45 @@
+module UDAPSecurityTestKit
+  class AuthorizationCodeUsageAttestationTest < Inferno::Test
+    title 'Ensures authorization code is used correctly'
+    id :udap_security_auth_code_usage
+    description %(
+      The Authorization Server ensures that:
+      - Authorization codes are not used more than once.
+      - Authorization codes expire shortly after issuance to mitigate the risk of leaks.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@135',
+                          'hl7.fhir.us.udap-security_1.0.0@137'
+
+    input :authorization_code_usage_correct,
+          title: 'Authorization Code and Token Requests: Ensures Authorization Code is used correctly',
+          description: %(
+            I attest that the Authorization Server ensures:
+            - Authorization codes are not used more than once.
+            - Authorization codes expire shortly after issuance to mitigate the risk of leaks.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :authorization_code_usage_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert authorization_code_usage_correct == 'true',
+             'Authorization Server did not ensure correct usage of authorization codes.'
+      pass authorization_code_usage_note if authorization_code_usage_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group/resource_holder_authorization_flow_test.rb

@@ -0,0 +1,37 @@
+module UDAPSecurityTestKit
+  class AuthorizationCodeFlowAttestationTest < Inferno::Test
+    title 'Resource Holder uses the authorization code flow'
+    id :udap_security_authorization_code_flow
+    description %(
+      The Resource Holder uses the authorization code flow when redirecting the user
+      to the IdP’s authorization endpoint.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@253'
+
+    input :authorization_code_flow_correct,
+          title: 'Authorization Code and Token Requests: Resource Holder uses authorization code flow',
+          description: %(
+            I attest that the Resource Holder uses the authorization code flow when redirecting
+            the user to the IdP’s authorization endpoint.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :authorization_code_flow_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert authorization_code_flow_correct == 'true',
+             'Resource Holder does not use the authorization code flow when redirecting the user to the
+             IdP’s authorization endpoint.'
+      pass authorization_code_flow_note if authorization_code_flow_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/authorization_code_token_requests_group.rb

@@ -0,0 +1,17 @@
+require_relative 'authorization_code_token_requests_group/authorization_code_usage_test'
+require_relative 'authorization_code_token_requests_group/access_token_request_validation_test'
+require_relative 'authorization_code_token_requests_group/access_token_lifetime_test'
+require_relative 'authorization_code_token_requests_group/resource_holder_authorization_flow_test'
+
+module UDAPSecurityTestKit
+  class AuthorizationCodeTokenRequestsAttestationGroup < Inferno::TestGroup
+    id :udap_server_v100_authorization_code_token_requests_group
+    title 'Authorization Code and Token Requests'
+
+    run_as_group
+    test from: :udap_security_auth_code_usage
+    test from: :udap_security_access_token_request_validation
+    test from: :udap_security_access_token_lifetime
+    test from: :udap_security_authorization_code_flow
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group/client_certificate_storage_test.rb

@@ -0,0 +1,36 @@
+module UDAPSecurityTestKit
+  class ClientCertificateStorageAttestationTest < Inferno::Test
+    title 'Authorization Server stores client certificate for authentication'
+    id :udap_security_client_certificate_storage
+    description %(
+      The Authorization Server stores the certificate provided by the Client for
+      use in validating subsequent client authentication attempts.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@112'
+
+    input :client_certificate_storage_correct,
+          title: 'Client Authentication: Authorization Server stores client certificate',
+          description: %(
+            I attest that the Authorization Server stores the certificate provided by the Client for
+            use in validating subsequent client authentication attempts.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :client_certificate_storage_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert client_certificate_storage_correct == 'true',
+             'Authorization Server does not store the client certificate for use in subsequent authentication attempts.'
+      pass client_certificate_storage_note if client_certificate_storage_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group/no_client_credentials_native_apps_test.rb

@@ -0,0 +1,38 @@
+module UDAPSecurityTestKit
+  class NoClientCredentialsForNativeAppsAttestationTest < Inferno::Test
+    title 'Does not issue client credentials to native/user-agent-based apps'
+    id :udap_security_no_client_credentials_native_apps
+    description %(
+      The Authorization Server does not issue client passwords or other client
+      credentials to native application or user-agent-based application clients for the
+      purpose of client authentication.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@287'
+
+    input :no_client_credentials_native_apps_correct,
+          title: 'Client Authentication: Does not issue client credentials to native/user-agent-based apps',
+          description: %(
+            I attest that the Authorization Server does not issue client passwords or other client
+            credentials to native application or user-agent-based application clients for the
+            purpose of client authentication.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :no_client_credentials_native_apps_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert no_client_credentials_native_apps_correct == 'true',
+             'Authorization Server issues client credentials to native or user-agent-based application clients.'
+      pass no_client_credentials_native_apps_note if no_client_credentials_native_apps_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/client_authentication_group.rb

@@ -0,0 +1,13 @@
+require_relative 'client_authentication_group/client_certificate_storage_test'
+require_relative 'client_authentication_group/no_client_credentials_native_apps_test'
+
+module UDAPSecurityTestKit
+  class ClientAuthenticationGroup < Inferno::TestGroup
+    id :udap_server_v100_client_authentication_group
+    title 'Client Authentication and Credential Management'
+
+    run_as_group
+    test from: :udap_security_client_certificate_storage
+    test from: :udap_security_no_client_credentials_native_apps
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/certification_handling_test.rb

@@ -0,0 +1,45 @@
+module UDAPSecurityTestKit
+  class CertificationHandlingAttestationTest < Inferno::Test
+    title 'Handles certifications correctly'
+    id :udap_security_certification_handling
+    description %(
+      The Authorization Server handles certifications correctly:
+      - Ignores unsupported or unrecognized certifications.
+      - Communicates required certifications via the `udap_certifications_required` element in its UDAP metadata.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@116',
+                          'hl7.fhir.us.udap-security_1.0.0@118'
+
+    input :certification_handling_correct,
+          title: 'Dynamic Client Registration: Handles certifications correctly',
+          description: %(
+            I attest that the Authorization Server handles certifications correctly:
+            - Ignores unsupported or unrecognized certifications.
+            - Communicates required certifications via the `udap_certifications_required` element in its UDAP metadata.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :certification_handling_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert certification_handling_correct == 'true',
+             'Authorization Server did not handle certifications correctly.'
+      pass certification_handling_note if certification_handling_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/client_id_modification_test.rb

@@ -0,0 +1,42 @@
+module UDAPSecurityTestKit
+  class ClientIDModificationAttestationTest < Inferno::Test
+    title 'Handles client ID modification correctly'
+    id :udap_security_client_id_modification
+    description %(
+      Authorization Server cancels the registration for the previous `client_id` if it returns a different `client_id`
+      in response to a registration modification request.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@121'
+
+    input :client_id_modification_correct,
+          title: 'Dynamic Client Registration: Handles client ID modification correctly',
+          description: %(
+            I attest that the Authorization Server cancels the registration for the previous `client_id` if it
+            returns a different `client_id` in response to a registration modification request.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :client_id_modification_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert client_id_modification_correct == 'true',
+             'Authorization Server did not handle client ID modification correctly.'
+      pass client_id_modification_note if client_id_modification_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group/dynamic_client_registration_validation_test.rb

@@ -0,0 +1,48 @@
+module UDAPSecurityTestKit
+  class DynamicClientRegistrationValidationAttestationTest < Inferno::Test
+    title 'Validates requests correctly'
+    id :udap_security_dynamic_client_registration_validation
+    description %(
+      The Authorization Server validates dynamic client registration requests by:
+      - Ensuring the `sub` value matches the `iss` value.
+      - Ensuring the `aud` value contains the Authorization Server’s registration endpoint URL.
+      - Ensuring the software statement is unexpired.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@107',
+                          'hl7.fhir.us.udap-security_1.0.0@108',
+                          'hl7.fhir.us.udap-security_1.0.0@109'
+
+    input :dynamic_client_registration_validation_correct,
+          title: 'Dynamic Client Registration: Validates requests correctly',
+          description: %(
+            I attest that the Authorization Server validates dynamic client registration requests by:
+            - Ensuring the `sub` value matches the `iss` value.
+            - Ensuring the `aud` value contains the Authorization Server’s registration endpoint URL.
+            - Ensuring the software statement is unexpired.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              {
+                label: 'Yes',
+                value: 'true'
+              },
+              {
+                label: 'No',
+                value: 'false'
+              }
+            ]
+          }
+    input :dynamic_client_registration_validation_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert dynamic_client_registration_validation_correct == 'true',
+             'Authorization Server did not validate dynamic client registration requests correctly.'
+      pass dynamic_client_registration_validation_note if dynamic_client_registration_validation_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/dynamic_client_registration_group.rb

@@ -0,0 +1,15 @@
+require_relative 'dynamic_client_registration_group/certification_handling_test'
+require_relative 'dynamic_client_registration_group/client_id_modification_test'
+require_relative 'dynamic_client_registration_group/dynamic_client_registration_validation_test'
+
+module UDAPSecurityTestKit
+  class DynamicClientRegistrationAttestationGroup < Inferno::TestGroup
+    id :udap_server_v100_dynamic_client_registration_group
+    title 'Dynamic Client Registration'
+
+    run_as_group
+    test from: :udap_security_dynamic_client_registration_validation
+    test from: :udap_security_certification_handling
+    test from: :udap_security_client_id_modification
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/deny_token_request_test.rb

@@ -0,0 +1,42 @@
+module UDAPSecurityTestKit
+  class DenyTokenRequestAttestationTest < Inferno::Test
+    title 'Denies token request that cannot be validated from x5c parameter'
+    id :udap_security_deny_token_request
+    description %(
+      Authorization Server denies the token request if:
+      - JWT signature cannot be validated using the public key from the x5c parameter.
+      - A trusted certificate chain cannot be built and validated from the x5c parameter.
+      - Required parameter is missing or a parameter is invalid.
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@174',
+                          'hl7.fhir.us.udap-security_1.0.0@176',
+                          'hl7.fhir.us.udap-security_1.0.0@183'
+
+    input :deny_token_request,
+          title: 'Error Handling: Denies token request that cannot be validated from x5c parameter',
+          description: %(
+            I attest that the Authorization Server denies the token request if:
+            - JWT signature cannot be validated using the public key from the x5c parameter.
+            - A trusted certificate chain cannot be built and validated from the x5c parameter.
+            - Required parameter is missing or a parameter is invalid.
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :deny_token_request_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert deny_token_request == 'true',
+             'Authorization Server does not deny the token request when parameter(s) are invalid.'
+      pass deny_token_request_note if deny_token_request_note.present?
+    end
+  end
+end

data/lib/udap_security_test_kit/visual_inspection_and_attestation/server/error_handling_group/general_error_response_test.rb

@@ -0,0 +1,39 @@
+module UDAPSecurityTestKit
+  class GeneralErrorResponseAttestationTest < Inferno::Test
+    title 'Returns error response on authentication request errors'
+    id :udap_security_general_error_response
+    description %(
+      Authorization Server returns an error response if it encounters any error while validating
+      an authentication request, as per
+      [Section 3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation).
+    )
+    verifies_requirements 'hl7.fhir.us.udap-security_1.0.0@264'
+
+    input :general_error_response_handling_correct,
+          title: 'Error Handling: Returns error response on authentication request errors',
+          description: %(
+            I attest that the Authorization Server returns an error response if it encounters any
+            error while validating an authentication request, as per
+            [Section 3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation).
+          ),
+          type: 'radio',
+          default: 'false',
+          options: {
+            list_options: [
+              { label: 'Yes', value: 'true' },
+              { label: 'No', value: 'false' }
+            ]
+          }
+    input :general_error_response_handling_note,
+          title: 'Notes, if applicable:',
+          type: 'textarea',
+          optional: true
+
+    run do
+      assert general_error_response_handling_correct == 'true',
+             'Authorization Server does not return an error response when it encounters an error
+              while validating an authentication request.'
+      pass general_error_response_handling_note if general_error_response_handling_note.present?
+    end
+  end
+end