require 'jwt' require_relative 'openid_decode_id_token_test' require_relative 'openid_retrieve_configuration_test' require_relative 'openid_required_configuration_fields_test' require_relative 'openid_retrieve_jwks_test' require_relative 'openid_token_header_test' require_relative 'openid_token_payload_test' require_relative 'openid_fhir_user_claim_test' module SMARTAppLaunch class OpenIDConnectGroup < Inferno::TestGroup id :smart_openid_connect title 'OpenID Connect' short_description 'Demonstrate the ability to authenticate users with OpenID Connect.' description %( # Background OpenID Connect (OIDC) provides the ability to verify the identity of the authorizing user. Within the [SMART App Launch Framework](https://www.hl7.org/fhir/smart-app-launch/1.0.0/index.html), Applications can request an `id_token` be provided with by including the `openid fhirUser` scopes when requesting authorization. # Test Methodology This sequence validates the id token returned as part of the OAuth 2.0 token response. Once the token is decoded, the server's OIDC configuration is retrieved from its well-known configuration endpoint. This configuration is checked to ensure that all required fields are present. Next the keys used to cryptographically sign the id token are retrieved from the url contained in the OIDC configuration. Then the header, payload, and signature of the id token are validated. Finally, the FHIR resource from the `fhirUser` claim in the id token is fetched from the FHIR server. For more information see: * [SMART App Launch Framework](https://www.hl7.org/fhir/smart-app-launch/1.0.0/index.html) * [Scopes for requesting identity data](https://www.hl7.org/fhir/smart-app-launch/1.0.0/scopes-and-launch-context/index.html#scopes-for-requesting-identity-data) * [Apps Requesting Authorization](https://www.hl7.org/fhir/smart-app-launch/1.0.0/index.html#step-1-app-asks-for-authorization) * [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html) ) test from: :smart_openid_decode_id_token test from: :smart_openid_retrieve_configuration test from: :smart_openid_required_configuration_fields test from: :smart_openid_retrieve_jwks test from: :smart_openid_token_header test from: :smart_openid_token_payload test from: :smart_openid_fhir_user_claim end end