module ONCCertificationG10TestKit class SMARTPublicStandaloneLaunchGroupTestSTU22 < SMARTAppLaunch::StandaloneLaunchGroupSTU2 title 'Public Client Standalone Launch with OpenID Connect' short_title 'Public Client Launch' input_instructions %( Register Inferno as a standalone application using the following information: * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}` Enter in the appropriate scope to enable patient-level access to all relevant resources. In addition, support for the OpenID Connect (openid fhirUser), refresh tokens (offline_access), and patient context (launch/patient) are required. ) description %( This scenario verifies the ability of systems to support public clients as described in the SMART App Launch implementation specification. Previous scenarios have not required the system under test to demonstrate this specific type of SMART App Launch client. Prior to executing this test, register Inferno as a public standalone application using the following information: * Redirect URI: `#{SMARTAppLaunch::AppRedirectTest.config.options[:redirect_uri]}` Inferno will act as a public client redirect the tester to the the authorization endpoint so that they may provide any required credentials and authorize the application. Upon successful authorization, Inferno will exchange the authorization code provided for an access token. For more information on the #{title}: * [Standalone Launch Sequence](http://hl7.org/fhir/smart-app-launch/STU2.2/index.html#standalone-launch-sequence) ) id :g10_public_standalone_launch_stu2_2 # rubocop:disable Naming/VariableNumber run_as_group config( inputs: { client_id: { name: :public_client_id, title: 'Public Launch Client ID' }, client_secret: { name: :public_client_secret, title: 'Public Launch Client Secret', default: nil, optional: true, locked: true }, requested_scopes: { name: :public_requested_scopes, title: 'Public Launch Scope', default: %( launch/patient openid fhirUser offline_access patient/Medication.rs patient/AllergyIntolerance.rs patient/CarePlan.rs patient/CareTeam.rs patient/Condition.rs patient/Device.rs patient/DiagnosticReport.rs patient/DocumentReference.rs patient/Encounter.rs patient/Goal.rs patient/Immunization.rs patient/Location.rs patient/MedicationRequest.rs patient/Observation.rs patient/Organization.rs patient/Patient.rs patient/Practitioner.rs patient/Procedure.rs patient/Provenance.rs patient/PractitionerRole.rs ).gsub(/\s{2,}/, ' ').strip }, url: { title: 'Public Launch FHIR Endpoint', description: 'URL of the FHIR endpoint used by standalone applications' }, code: { name: :public_code }, state: { name: :public_state }, smart_authorization_url: { title: 'OAuth 2.0 Authorize Endpoint', description: 'OAuth 2.0 Authorize Endpoint provided during the patient standalone launch' }, smart_token_url: { title: 'OAuth 2.0 Token Endpoint', description: 'OAuth 2.0 Token Endpoint provided during the patient standalone launch' }, smart_credentials: { name: :public_smart_credentials }, use_pkce: { default: 'true', locked: true }, pkce_code_challenge_method: { locked: true }, client_auth_type: { name: :public_client_auth_type, locked: true, default: 'public' } }, outputs: { code: { name: :public_code }, token_retrieval_time: { name: :public_token_retrieval_time }, state: { name: :public_state }, id_token: { name: :public_id_token }, refresh_token: { name: :public_refresh_token }, access_token: { name: :public_access_token }, expires_in: { name: :public_expires_in }, patient_id: { name: :public_patient_id }, encounter_id: { name: :public_encounter_id }, received_scopes: { name: :public_received_scopes }, intent: { name: :public_intent }, smart_credentials: { name: :public_smart_credentials } }, requests: { redirect: { name: :public_redirect }, token: { name: :public_token } } ) input_order :url, :public_client_id, :public_client_secret, :public_requested_scopes, :use_pkce, :pkce_code_challenge_method, :smart_authorization_url, :smart_token_url, :authorization_method, :public_client_auth_type test from: :g10_patient_context, config: { inputs: { patient_id: { name: :public_patient_id }, smart_credentials: { name: :public_smart_credentials } } } test do title 'OAuth token exchange response contains OpenID Connect id_token' description %( This test requires that an OpenID Connect id_token is provided to demonstrate authentication capabilies for public clients. ) id :g10_public_launch_id_token input :id_token, name: :public_id_token, locked: true, optional: true run do assert id_token.present?, 'Token response did not provide an id_token as required.' end end children.each do |child| child.inputs.delete(:client_auth_encryption_method) end end end