Test Script

Name: /FHIRSandbox/DaVinci/FHIR4-0-1-DTR/EHR-Launch/01-DTR-SMART-EHR-Launch
Description: DaVinci DTR - SMART on FHIR EHR Launch - Test the EHR Launch with Practitioner Scope, OpenID Connect and Token Refresh. Authenticate user and refresh token to get new access token. Once the test goes to WAITING FOR LAUNCH Status, launch the appropriate request from the EHR server. A URL with correct proxy information is provided inside the waiting test by clicking on the Waiting for Launch status icon.
Version1Latest1
Content
<?xml version="1.0" encoding="UTF-8"?>

<TestScript xmlns="http://hl7.org/fhir">  
    <id value="dtr-smart-ehr-launch"/>  
    <meta> 
        <profile value="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript"/> 
    </meta>  
    <text> 
        <status value="generated"/>  
        <div xmlns="http://www.w3.org/1999/xhtml">  
            <p>DaVinci DTR - SMART on FHIR EHR Launch</p> 
        </div> 
    </text>  
    <!-- Rule declarations. Each testscript-rule extension binds a ruleId to the path of a
         Groovy script; the assert-rule extensions inside the tests refer to these ids
         (verifyTLS, verifyScopes and decodeIdToken are used in the part of the script
         shown here). The script bodies are not part of this resource, so what a rule
         actually enforces has to be read from the referenced file.
         NOTE(review): for the ID-token rules, confirm in the Groovy sources how the
         signature algorithm is selected and that unsigned tokens are rejected. -->
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-decodeIdToken"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/DecodeIdToken.groovy"/> 
        </extension> 
    </extension>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-extractKeyBodyFromJwksAndValidateKid"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/ExtractKeyBodyFromJwksAndValidateKid.groovy"/> 
        </extension> 
    </extension>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-verifyIdToken"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/VerifyIdTokenAgainstJwks.groovy"/> 
        </extension> 
    </extension>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-verifyScopes"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/VerifyOAuth2Scopes.groovy"/> 
        </extension> 
    </extension>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-verifyTLS"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/VerifyTLS.groovy"/> 
        </extension> 
    </extension>  
    <url value="http://wildfhir.aegis.net/fhir4-0-1/TestScript/dtr-smart-ehr-launch"/>  
    <name value="DaVinciDTREHRLaunch"/>  
    <title value="DaVinci DTR - SMART on FHIR EHR Launch"/>  
    <status value="active"/>  
    <date value="2020-12-28"/>  
    <publisher value="AEGIS.net, Inc."/>  
    <contact> 
        <name value="Touchstone Support"/>  
        <telecom> 
            <system value="email"/>  
            <value value="Touchstone_Support@aegis.net"/>  
            <use value="work"/> 
        </telecom> 
    </contact>  
    <description value="DaVinci DTR - SMART on FHIR EHR Launch - Test the EHR Launch with Practitioner Scope, OpenID Connect and Token Refresh.  Authenticate user and refresh token to get new access token.  Once the test goes to WAITING FOR LAUNCH Status, launch the appropriate request from the EHR server.  A URL with correct proxy information is provided inside the waiting test by clicking on the Waiting for Launch status icon."/>  
    <copyright value="(c) AEGIS.net, Inc. 2020"/>  
    <!-- Static request-body fixtures for the token endpoint calls. Only the file
         references are visible here; the names suggest one request with a bad
         authorization code, one valid authorization-code request and three
         refresh-token variants (confirm against the .frm files).
         autocreate and autodelete are false: the fixtures are not created on or
         deleted from the server under test, they are only used as request content. -->
    <fixture id="get-token-bad-code"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="/FHIR4-0-1-SMART-PRV-EHR/_reference/oauth2-get-token-bad-code.frm"/> 
        </resource> 
    </fixture>  
    <fixture id="get-token"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="/FHIR4-0-1-SMART-PRV-EHR/_reference/oauth2-get-token.frm"/> 
        </resource> 
    </fixture>  
    <fixture id="refresh-token-valid-no-scope"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="/FHIR4-0-1-SMART-PRV-EHR/_reference/oauth2-refresh-token-no-scope.frm"/> 
        </resource> 
    </fixture>  
    <fixture id="refresh-token-valid-with-scope"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="/FHIR4-0-1-SMART-PRV-EHR/_reference/oauth2-refresh-token-with-scope.frm"/> 
        </resource> 
    </fixture>  
    <fixture id="refresh-token-with-invalid-refresh-token"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="/FHIR4-0-1-SMART-PRV-EHR/_reference/oauth2-refresh-token-with-invalid-refresh-token.frm"/> 
        </resource> 
    </fixture>  
    <!-- Authorization and token endpoints, read from the SMART configuration
         document held in dest1SmartConfig (that source is not defined in the
         part of the script shown here). -->
    <variable> 
        <name value="authorizeEndpoint"/>  
        <path value=".authorization_endpoint"/>  
        <sourceId value="dest1SmartConfig"/> 
    </variable>  
    <variable> 
        <name value="tokenEndpoint"/>  
        <path value=".token_endpoint"/>  
        <sourceId value="dest1SmartConfig"/> 
    </variable>  
    <!-- Values captured from the launch request, the authorization request and
         the redirect. The paramField extension presumably names the query
         parameter to read from the source request. -->
    <variable> 
        <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-variable-paramField"> 
            <valueString value="launch"/> 
        </extension>  
        <name value="smartLaunchParamLaunch1"/>  
        <sourceId value="smartLaunchRequest1"/> 
    </variable>  
    <variable> 
        <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-variable-paramField"> 
            <valueString value="iss"/> 
        </extension>  
        <name value="smartLaunchParamIss1"/>  
        <sourceId value="smartLaunchRequest1"/> 
    </variable>  
    <!-- state is read back from the outgoing authorization request so that the
         redirect can be compared with it (the equals assert on
         oauth2AuthzRedirect1 in test 01). -->
    <variable> 
        <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-variable-paramField"> 
            <valueString value="state"/> 
        </extension>  
        <name value="oauth2AuthzRequest1StateParam"/>  
        <sourceId value="oauth2AuthzRequest1"/> 
    </variable>  
    <variable> 
        <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-variable-paramField"> 
            <valueString value="redirect_uri"/> 
        </extension>  
        <name value="oauth2AuthzRequest1RedirectUri"/>  
        <sourceId value="oauth2AuthzRequest1"/> 
    </variable>  
    <variable> 
        <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-variable-paramField"> 
            <valueString value="code"/> 
        </extension>  
        <name value="oauth2AuthzRedirect1AuthCode"/>  
        <sourceId value="oauth2AuthzRedirect1"/> 
    </variable>  
    <!-- Scope set requested at authorization: launch, openid, fhirUser and
         offline_access plus user-level resource scopes. Every resource scope is
         .read; no write scope is requested. offline_access asks for a refresh token. -->
    <variable> 
        <name value="ehrLaunchScopes"/>  
        <defaultValue value="launch openid fhirUser offline_access user/Medication.read user/AllergyIntolerance.read user/CarePlan.read user/CareTeam.read user/Condition.read user/Device.read user/DiagnosticReport.read user/DocumentReference.read user/Encounter.read user/Goal.read user/Immunization.read user/Location.read user/MedicationRequest.read user/Observation.read user/Organization.read user/Patient.read user/Practitioner.read user/PractitionerRole.read user/Procedure.read user/Provenance.read user/RelatedPerson.read"/> 
    </variable>  
    <!-- Token material pulled out of the token responses. These variables hold
         live bearer credentials (access token, refresh token, ID token).
         NOTE(review): confirm how the test engine stores or displays variable
         values in execution results. -->
    <variable> 
        <name value="oauth2GetTokenResponseAccessToken"/>  
        <path value=".access_token"/>  
        <sourceId value="oauth2GetTokenResponse1"/> 
    </variable>  
    <variable> 
        <name value="oauth2GetTokenResponseRefreshToken"/>  
        <path value=".refresh_token"/>  
        <sourceId value="oauth2GetTokenResponse1"/> 
    </variable>  
    <variable> 
        <name value="oauth2GetTokenResponseGrantedScopes"/>  
        <path value=".scope"/>  
        <sourceId value="oauth2GetTokenResponse1"/> 
    </variable>  
    <variable> 
        <name value="oauth2GetTokenResponse1IdToken"/>  
        <path value=".id_token"/>  
        <sourceId value="oauth2GetTokenResponse1"/> 
    </variable>  
    <!-- Access token from a refresh response; oauth2RefreshTokenResponse4 is
         produced outside the part of the script shown here. -->
    <variable> 
        <name value="oauth2RefreshTokenResponseAccessToken"/>  
        <path value=".access_token"/>  
        <sourceId value="oauth2RefreshTokenResponse4"/> 
    </variable>  
    <!-- JWKS location and issuer from the OpenID configuration response
         (openIdConfigResponse is produced outside the part shown here). -->
    <variable> 
        <name value="jwksUriInOpenIdConfigResponse"/>  
        <path value=".jwks_uri"/>  
        <sourceId value="openIdConfigResponse"/> 
    </variable>  
    <variable> 
        <name value="issuerInOpenIdConfigResponse"/>  
        <path value=".issuer"/>  
        <sourceId value="openIdConfigResponse"/> 
    </variable>  
    <!-- Operator-entered value with no default; it is placed in the launch
         query parameter of the smart-launch operation. -->
    <variable> 
        <name value="launchValue"/>  
        <description value="Enter the launch value for the EHR Launch request."/>  
        <hint value="[ex., patient id]"/> 
    </variable>  
    <test id="01-EHRLaunchWithPractitionerScope"> 
        <name value="01 - EHR Launch With Practitioner Scope"/>  
        <description value="Perform EHR SMART launch sequence and test OpenID Connect and token refresh functionality."/>  
        <!-- Start of the EHR launch: the incoming launch request from the EHR is
             recorded as smartLaunchRequest1. The operator-supplied launchValue goes
             into the launch query parameter, and encodeRequestUrl is true. -->
        <action> 
            <operation> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-operation-smartLaunchRequestId"> 
                    <valueId value="smartLaunchRequest1"/> 
                </extension>  
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="smart-launch"/> 
                </type>  
                <description value="The EHR server redirects the client browser to Touchstone app launch URL"/>  
                <encodeRequestUrl value="true"/>  
                <params value="?launch=${launchValue}"/> 
            </operation> 
        </action>  
        <!-- Three checks on the captured launch request: it reached the app launch
             path, and it carried non-empty iss and launch query parameters.
             NOTE(review): iss is only tested for presence here, yet it is later sent
             as the aud value of the authorization request. Nothing in these asserts
             compares it with the expected FHIR base URL of the system under test;
             confirm the engine or another step does. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The EHR server redirects client browser to Touchstone app launch URI. The client browser sent from EHR server to the app launch URI of client app as described in SMART EHR Launch Sequence."/>  
                <direction value="request"/>  
                <operator value="contains"/>  
                <requestURL value="/oauth2/smart/launch"/>  
                <sourceId value="smartLaunchRequest1"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The EHR provides the iss parameter to the Touchstone app launch URI via the client browser querystring"/>  
                <direction value="request"/>  
                <operator value="notEmpty"/>  
                <requestURL value="queryParam: ?iss"/>  
                <sourceId value="smartLaunchRequest1"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The EHR provides a launch parameter to the Touchstone app launch URI via the client browser querystring"/>  
                <direction value="request"/>  
                <operator value="notEmpty"/>  
                <requestURL value="queryParam: ?launch"/>  
                <sourceId value="smartLaunchRequest1"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Runs the verifyTLS rule against the authorize endpoint taken from the
             SMART configuration. What the rule accepts (protocol versions,
             certificate validation) is defined in VerifyTLS.groovy, not here.
             stopTestOnFail is false, so, going by the extension name, a failing TLS
             check does not halt the flow.
             NOTE(review): within this test only the authorize endpoint is checked;
             the token endpoint, which receives the client secret, has no verifyTLS
             assert in test 01. See whether it is covered elsewhere in the script. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-verifyTLS"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="endpointName"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="OAuth2 Authorize Endpoint"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="endpointURL"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${authorizeEndpoint}"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify the OAuth 2.0 authorize endpoint is secured by transport layer security (TLS)."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Sends the user to the authorize endpoint. Only client_id, launch, aud
             and scope are spelled out in the URL template; aud is copied from the
             iss received at launch.
             NOTE(review): response_type, redirect_uri and state are not in this
             template. The variables oauth2AuthzRequest1StateParam and
             oauth2AuthzRequest1RedirectUri read them back from the sent request, so
             the engine presumably adds them. Confirm that state is generated per
             run and is unpredictable. -->
        <action> 
            <operation> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-operation-oauth2AuthzRequestId"> 
                    <valueId value="oauth2AuthzRequest1"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-operation-oauth2AuthzRedirectId"> 
                    <valueId value="oauth2AuthzRedirect1"/> 
                </extension>  
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="oauth2-authorize"/> 
                </type>  
                <description value="Redirect user to the authorize endpoint for target test system specified in smart configuration. The 'launch' parameter will be set to the 'launch' parameter received earlier in 'smartLaunchRequest1'. The 'aud' parameter value will be set to the 'iss' parameter received earlier in 'smartLaunchRequest1'."/>  
                <encodeRequestUrl value="true"/>  
                <url value="${authorizeEndpoint}?client_id=${dest1SystemConfig.clientId}&amp;launch=${smartLaunchParamLaunch1}&amp;aud=${smartLaunchParamIss1}&amp;scope=${ehrLaunchScopes}"/> 
            </operation> 
        </action>  
        <!-- Checks on the redirect back to the app: it hit the redirect path, it
             carried a non-empty code, and its state equals the value captured from
             the outgoing authorization request. The state comparison is the CSRF
             check for the authorization response.
             NOTE(review): stopTestOnFail is false on the state assert, so, going by
             the extension name, a mismatch is recorded but the token exchanges that
             follow still run. The code and state asserts also omit the direction
             element that the first assert sets; confirm the engine still evaluates
             them against the request. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The OAuth server redirects client browser to the app redirect URI. The client browser is redirected from OAuth server to the redirect URI of client app as described in SMART authorization sequence."/>  
                <direction value="request"/>  
                <operator value="contains"/>  
                <requestURL value="/oauth2/authcode/redirect"/>  
                <sourceId value="oauth2AuthzRedirect1"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The client app receives code parameter. The code and state are required querystring parameters. The state must be the exact value received from the client."/>  
                <operator value="notEmpty"/>  
                <requestURL value="queryParam: ?code"/>  
                <sourceId value="oauth2AuthzRedirect1"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The Touchstone Client app receives the correct state parameter from OAuth server at redirect URI"/>  
                <operator value="equals"/>  
                <requestURL value="queryParam: ?state=${oauth2AuthzRequest1StateParam}"/>  
                <sourceId value="oauth2AuthzRedirect1"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Negative test: a token request built from the get-token-bad-code
             fixture, sent with the configured client credentials; the server must
             answer 400 or 401.
             The Authorization value is written as Basic clientId:clientSecret in
             clear text. NOTE(review): presumably the engine base64-encodes the pair
             before sending; confirm that, and confirm the secret is masked in
             stored request logs. -->
        <action> 
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="oauth2-get-token"/> 
                </type>  
                <description value="The OAuth token exchange fails when supplied with an invalid code"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Basic ${dest1SystemConfig.clientId}:${dest1SystemConfig.clientSecret}"/> 
                </requestHeader>  
                <sourceId value="get-token-bad-code"/>  
                <url value="${tokenEndpoint}"/> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The OAuth token exchange fails when supplied with an invalid code"/>  
                <operator value="in"/>  
                <responseCode value="400,401"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Negative test for client authentication: the client id is replaced by
             the literal invalidClientId and the server must answer 400 or 401.
             NOTE(review): the request body is again the get-token-bad-code fixture.
             If that fixture carries an invalid code, as its name suggests, the
             400/401 can come from the bad code alone, and this test would pass even
             if the server did not check the client id. The configured client secret
             is also sent alongside the made-up client id. -->
        <action> 
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="oauth2-get-token"/> 
                </type>  
                <description value="The OAuth token exchange fails when supplied with an invalid client_id"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Basic invalidClientId:${dest1SystemConfig.clientSecret}"/> 
                </requestHeader>  
                <sourceId value="get-token-bad-code"/>  
                <url value="${tokenEndpoint}"/> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The OAuth token exchange fails when supplied with an invalid client_id"/>  
                <operator value="in"/>  
                <responseCode value="400,401"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Positive path: the get-token fixture is posted to the token endpoint
             with the configured client credentials and the response is stored as
             oauth2GetTokenResponse1, the source for the token variables and the
             asserts that follow. The status assert accepts 200 or 201. -->
        <action> 
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="oauth2-get-token"/> 
                </type>  
                <description value="The OAuth token exchange request succeeds when supplied correct information. After obtaining an authorization code, the app trades that code for an access token via HTTP POST to the EHR authorization server’s token endpoint URL, using content-type application/x-www-form-urlencoded."/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Basic ${dest1SystemConfig.clientId}:${dest1SystemConfig.clientSecret}"/> 
                </requestHeader>  
                <responseId value="oauth2GetTokenResponse1"/>  
                <sourceId value="get-token"/>  
                <url value="${tokenEndpoint}"/> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The OAuth token exchange request succeeds when supplied with correct information"/>  
                <operator value="in"/>  
                <responseCode value="200,201"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Shape checks on the token response body: access_token, scope and
             expires_in must be non-empty, and token_type must be Bearer or bearer.
             These are presence checks only; nothing here inspects the token format
             or puts a bound on expires_in. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The OAuth token exchange response body contains an access_token."/>  
                <operator value="notEmpty"/>  
                <path value=".access_token"/>  
                <sourceId value="oauth2GetTokenResponse1"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The OAuth token exchange response body contains scope."/>  
                <operator value="notEmpty"/>  
                <path value=".scope"/>  
                <sourceId value="oauth2GetTokenResponse1"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="the OAuth token exchange response body contains the token_type value of Bearer."/>  
                <operator value="in"/>  
                <path value=".token_type"/>  
                <sourceId value="oauth2GetTokenResponse1"/>  
                <value value="Bearer,bearer"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The OAuth token exchange response body contains expires_in which is required for token refreshes."/>  
                <operator value="notEmpty"/>  
                <path value=".expires_in"/>  
                <sourceId value="oauth2GetTokenResponse1"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- A token response carries credentials, so it must not be cached by
             browsers or intermediaries. These two asserts require Cache-Control to
             equal no-store and Pragma to equal no-cache.
             NOTE(review): the operator is equals, so a response that sends no-store
             together with further directives would presumably fail; confirm how
             the engine compares header values that hold several directives. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The OAuth token exchange response includes a correct HTTP Cache-Control header. The authorization servers response must include the HTTP Cache-Control response header field with a value of no-store."/>  
                <headerField value="Cache-Control"/>  
                <operator value="equals"/>  
                <sourceId value="oauth2GetTokenResponse1"/>  
                <value value="no-store"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The OAuth token exchange response includes a correct HTTP Pragma header. The authorization servers response must include the HTTP Pragma response header field with a value of no-cache."/>  
                <headerField value="Pragma"/>  
                <operator value="equals"/>  
                <sourceId value="oauth2GetTokenResponse1"/>  
                <value value="no-cache"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Passes the full requested scope list and the granted scope string to
             the verifyScopes rule. warningOnly is true, so a server that grants
             fewer scopes than requested yields a warning rather than a failure.
             How the rule compares the two lists is defined in
             VerifyOAuth2Scopes.groovy, not here. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-verifyScopes"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="expectedScopes"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${ehrLaunchScopes}"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="grantedScopes"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2GetTokenResponseGrantedScopes}"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <description value="The scopes being input must follow the guidelines specified in the smart-app-launch guide. All scopes requested are expected to be granted."/>  
                <warningOnly value="true"/> 
            </assert> 
        </action>  
        <!-- Hard (non-warning) check that the granted scopes cover OpenID Connect.
             NOTE(review): expectedScopes is spelled openId here, while the scope
             requested in ehrLaunchScopes is openid. OAuth 2.0 scope tokens are
             case-sensitive, so unless VerifyOAuth2Scopes.groovy normalises case or
             treats this value specially, the two would not match; confirm against
             the rule script. fhirUser is not part of this expected value. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-verifyScopes"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="expectedScopes"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="openId"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="grantedScopes"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2GetTokenResponseGrantedScopes}"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify the OpenID Connect scopes used."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Hard (non-warning) check that the granted scopes include launch.
             NOTE(review): the description speaks of OpenID Connect and refresh-token
             scopes, but the only expected scope passed to the rule is launch.
             Within this test, fhirUser and offline_access are covered only by the
             warning-only comparison against the full requested list. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-verifyScopes"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="expectedScopes"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="launch"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="grantedScopes"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2GetTokenResponseGrantedScopes}"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify the user-level access with the OpenID Connect and Refresh Token scopes used."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action> 
    </test>  
    <test id="02-OpenID-Connect"> 
        <name value="02 OpenID Connect"/>  
        <description value="Use OpenID Connect ID token provided during launch sequence to authenticate the user."/>  
        <!-- Decodes the ID token held in oauth2GetTokenResponse1IdToken with rule-decodeIdToken and
             publishes the header and payload as JSON documents, plus the alg, kid and iss values,
             under the oauth2GetTokenResponse1 prefix. The rule script is not part of this listing;
             per the description this step only decodes. Signature verification is a separate
             rule-verifyIdToken assertion later in this test, so alg, kid and iss are unverified
             values until then. stopTestOnFail is true; later actions consume these outputs. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-decodeIdToken"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="idToken"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2GetTokenResponse1IdToken}"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="outputPrefix"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="oauth2GetTokenResponse1"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponse1-id-token-header"/> 
                        </extension>  
                        <extension url="type"> 
                            <valueString value="document"/> 
                        </extension>  
                        <extension url="contentType"> 
                            <valueString value="json"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponse1-id-token-payload"/> 
                        </extension>  
                        <extension url="type"> 
                            <valueString value="document"/> 
                        </extension>  
                        <extension url="contentType"> 
                            <valueString value="json"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponse1-id-token-header-alg"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponse1-id-token-header-kid"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponse1-id-token-payload-iss"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="true"/> 
                </extension>  
                <description value="Verify the ID token can be decoded."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Guard before discovery: the next operation builds its request URL from this variable,
             so an empty iss stops the test here. Only non-emptiness is asserted; the value is not
             compared with an expected issuer in this action. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="true"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="oauth2GetTokenResponse1-id-token-payload-iss"/> 
                </extension>  
                <description value="Verify that the id_token has iss claim before using it to retrieve open-id configuration in the next operation."/>  
                <operator value="notEmpty"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Fetches the OpenID Connect discovery document and stores it as openIdConfigResponse.
             The request URL is the ID token's own iss claim plus the well-known path. Within this
             test the token has not been signature-verified yet (rule-verifyIdToken runs later), so
             the engine sends this GET to whatever host the token names.
             NOTE(review): no restriction on the iss value (https scheme, expected host) is visible
             in this part of the script; confirm whether the engine or an earlier step applies one. -->
        <action> 
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="get"/> 
                </type>  
                <description value="Verify the OpenID Connect well-known configuration can be retrieved. The OpenId Connect configuration can be retrieved as described in the OpenID Connect Discovery 1.0 documentation"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <responseId value="openIdConfigResponse"/>  
                <url value="${oauth2GetTokenResponse1-id-token-payload-iss}/.well-known/openid-configuration"/> 
            </operation> 
        </action>  
        <!-- Discovery must answer 200 exactly; the test stops otherwise because the assertions and
             the JWKS request that follow all read from openIdConfigResponse. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="true"/> 
                </extension>  
                <description value="Verify the OpenID Connect well-known configuration can be retrieved. The OpenId Connect configuration can be retrieved as described in the OpenID Connect Discovery 1.0 documentation"/>  
                <operator value="equals"/>  
                <responseCode value="200"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Seven presence-only checks on openIdConfigResponse: issuer, authorization_endpoint,
             token_endpoint, jwks_uri, response_types_supported, subject_types_supported and
             id_token_signing_alg_values_supported. Values are not inspected: nothing in this run
             asserts, for example, that id_token_signing_alg_values_supported lists RS256 or that
             the endpoints are https URLs. All seven use stopTestOnFail false, so the JWKS request
             that follows is still attempted when jwks_uri is reported missing. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify the OpenID Connect well-known configuration contains the required field 'issuer'"/>  
                <operator value="notEmpty"/>  
                <path value=".issuer"/>  
                <sourceId value="openIdConfigResponse"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify the OpenID Connect well-known configuration contains the required field 'authorization_endpoint'"/>  
                <operator value="notEmpty"/>  
                <path value=".authorization_endpoint"/>  
                <sourceId value="openIdConfigResponse"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify the OpenID Connect well-known configuration contains the required field 'token_endpoint'"/>  
                <operator value="notEmpty"/>  
                <path value=".token_endpoint"/>  
                <sourceId value="openIdConfigResponse"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- jwks_uri is the field the next GET depends on. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify the OpenID Connect well-known configuration contains the required field 'jwks_uri'"/>  
                <operator value="notEmpty"/>  
                <path value=".jwks_uri"/>  
                <sourceId value="openIdConfigResponse"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify the OpenID Connect well-known configuration contains the required field 'response_types_supported'"/>  
                <operator value="notEmpty"/>  
                <path value=".response_types_supported"/>  
                <sourceId value="openIdConfigResponse"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify the OpenID Connect well-known configuration contains the required field 'subject_types_supported'"/>  
                <operator value="notEmpty"/>  
                <path value=".subject_types_supported"/>  
                <sourceId value="openIdConfigResponse"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify the OpenID Connect well-known configuration contains the required field 'id_token_signing_alg_values_supported'"/>  
                <operator value="notEmpty"/>  
                <path value=".id_token_signing_alg_values_supported"/>  
                <sourceId value="openIdConfigResponse"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Fetches the key set and stores it as jwksResponse. The URL comes from the variable
             jwksUriInOpenIdConfigResponse, which is defined outside this part of the script;
             presumably it is bound to .jwks_uri of openIdConfigResponse (verify in the variable
             section).
             NOTE(review): jwks_uri is supplied by a document the server under test controls, and
             nothing visible here requires it to be https or to sit on the issuer's host. -->
        <action> 
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="get"/> 
                </type>  
                <description value="Confirm the JWKS can be retrieved. Verify that the JWKS can be retrieved from the jwks_uri from the OpenID Connect well-known configuration."/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <responseId value="jwksResponse"/>  
                <url value="${jwksUriInOpenIdConfigResponse}"/> 
            </operation> 
        </action>  
        <!-- The key set must be returned with 200; the test stops otherwise because key selection
             and signature verification below need it. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="true"/> 
                </extension>  
                <description value="Confirm the JWKS can be retrieved. Verify that the JWKS can be retrieved from the jwks_uri from the OpenID Connect well-known configuration."/>  
                <operator value="equals"/>  
                <responseCode value="200"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Selects the JWKS entry for the kid taken from the ID token header (a value that is
             still unverified at this point) via rule-extractKeyBodyFromJwksAndValidateKid and
             publishes it as the JSON document oauth2GetTokenResponse1-jwksKeyBodyResponse.
             No sourceId is set on this assert; presumably the rule reads the most recent response
             (jwksResponse). Confirm against the rule script, which is not shown here.
             stopTestOnFail is true: without a matching key the signature cannot be checked. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-extractKeyBodyFromJwksAndValidateKid"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="idTokenHeaderKid"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2GetTokenResponse1-id-token-header-kid}"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="outputPrefix"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="oauth2GetTokenResponse1"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponse1-jwksKeyBodyResponse"/> 
                        </extension>  
                        <extension url="type"> 
                            <valueString value="document"/> 
                        </extension>  
                        <extension url="contentType"> 
                            <valueString value="json"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="true"/> 
                </extension>  
                <description value="Verify that the key used to sign the id token can be identified in the JWKS."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Pins the signing algorithm to the literal RS256. The value is read from the alg member
             of the selected JWK, not from the token header. stopTestOnFail is false, so a mismatch
             is reported and the signature check further down still runs.
             NOTE(review): alg is an optional JWK member (RFC 7517 section 4.4); a key published
             without it fails this assertion even when the token itself is RS256 signed. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify that the id token is signed using RSA SHA-256 as required by the SMART app launch framework. This rule verifies that .alg in oauth2GetTokenResponse1-jwksKeyBodyResponse is RS256."/>  
                <operator value="equals"/>  
                <path value=".alg"/>  
                <sourceId value="oauth2GetTokenResponse1-jwksKeyBodyResponse"/>  
                <value value="RS256"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
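        <!-- Cross-check: the alg member of the selected JWK must equal the alg declared in the ID
             token header (the variable published by rule-decodeIdToken). The previous assertion
             compares the same JWK member with the literal RS256; the description below now states
             what this assertion compares instead of repeating that one. stopTestOnFail is false,
             so a mismatch is reported and the test continues. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify that the algorithm of the JWKS key matches the algorithm declared in the id token header. This rule verifies that .alg in oauth2GetTokenResponse1-jwksKeyBodyResponse equals oauth2GetTokenResponse1-id-token-header-alg."/>  
                <operator value="equals"/>  
                <path value=".alg"/>  
                <sourceId value="oauth2GetTokenResponse1-jwksKeyBodyResponse"/>  
                <value value="${oauth2GetTokenResponse1-id-token-header-alg}"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  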
        <!-- Runs rule-verifyIdToken on the raw ID token with the selected JWK document as sourceId
             and declares six outputs under the idToken prefix: iss, sub, aud, iat, exp and
             fhirUser. Per the description the rule checks the signature and that exp lies in the
             future; the rule script is not part of this listing. The description's claim list
             leaves out exp although idToken-exp is declared as an output.
             NOTE(review): stopTestOnFail is false. If verification fails, the claim assertions and
             the fhirUser reads below still run, on values that were never verified (assuming the
             rule still emits them). Confirm this is intended. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-verifyIdToken"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="idToken"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2GetTokenResponse1IdToken}"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="outputPrefix"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="idToken"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="idToken-iss"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="idToken-sub"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="idToken-aud"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="idToken-iat"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="idToken-exp"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="idToken-fhirUser"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify that the ID token payload has a valid signature and exp must represent a time in the future. Extract 'iss', 'sub', 'aud', 'iat', and 'fhirUser' claims for further verifications."/>  
                <sourceId value="oauth2GetTokenResponse1-jwksKeyBodyResponse"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Presence-only checks of the iss, sub, aud and iat variables declared as outputs of the
             rule-verifyIdToken assertion. idToken-exp is declared there as well but has no presence
             assertion in this test; expiry is described as being checked inside the rule. All four
             use stopTestOnFail false. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="idToken-iss"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify the ID token payload has required 'iss' claim"/>  
                <operator value="notEmpty"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="idToken-sub"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify the ID token payload has required 'sub' claim"/>  
                <operator value="notEmpty"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="idToken-aud"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify the ID token payload has required 'aud' claim"/>  
                <operator value="notEmpty"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="idToken-iat"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify the ID token payload has required 'iat' claim"/>  
                <operator value="notEmpty"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Compares the iss claim with the variable issuerInOpenIdConfigResponse, which is defined
             outside this part of the script (presumably .issuer of openIdConfigResponse).
             NOTE(review): that discovery document was itself fetched from the URL named by the
             token's iss, so a pass shows that token and discovery metadata agree with each other.
             On its own it does not tie the token to the authorization server this test run was
             configured for; a relying party also compares iss with the issuer it expects. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="idToken-iss"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify the ID token 'iss' claim must match the issuer from the OpenID Connect well-known configuration"/>  
                <operator value="equals"/>  
                <value value="${issuerInOpenIdConfigResponse}"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Audience check: idToken-aud must equal the client id configured for the destination
             test system, which is what binds the token to this client.
             NOTE(review): OpenID Connect Core allows aud to be an array of audiences. How the rule
             serialises such a value into idToken-aud is not visible here, so a token carrying
             several audiences may not compare equal. Confirm against the rule script. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="idToken-aud"/> 
                </extension>  
                <description value="Verify the ID token 'aud' claim must match the clientId of the destination test system"/>  
                <operator value="equals"/>  
                <value value="${dest1SystemConfig.clientId}"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Presence check for the fhirUser claim. Unlike the other assertions in this test it
             carries no stopTestOnFail extension, so the engine default applies.
             NOTE(review): confirm that default; the two reads that follow use idToken-fhirUser as
             their request URL. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="idToken-fhirUser"/> 
                </extension>  
                <description value="Verify the ID token payload has required 'fhirUser' claim"/>  
                <operator value="notEmpty"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
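        <!-- Negative test: reads the fhirUser URL with the placeholder bearer value "invalid" and
             expects the server to refuse the request. No responseId is set; the assertion that
             follows evaluates the status code of this response. -->
        <action> 
            <operation> 
                <type> 
                    <system value="http://terminology.hl7.org/CodeSystem/testscript-operation-codes"/>  
                    <code value="read"/> 
                </type>  
                <resource value="Patient"/>  
                <description value="Confirm that the Server rejects unauthorized access."/>  
                <accept value="json"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Bearer invalid"/> 
                </requestHeader>  
                <url value="${idToken-fhirUser}"/> 
            </operation> 
        </action>  
        <!-- Passes on 400 or 401. RFC 6750 section 3.1 assigns 401 to an invalid token and 400 to a
             malformed request; a 403 answer is reported as a failure here. The description typo
             ("acces") is corrected so it matches the operation's description. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Confirm that the Server rejects unauthorized access."/>  
                <operator value="in"/>  
                <responseCode value="400,401"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  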
        <!-- Positive counterpart of the previous read: same URL, now with the access token from the
             variable oauth2GetTokenResponseAccessToken (defined outside this part of the script).
             NOTE(review): the request URL is the fhirUser claim value itself and the real access
             token is attached to it. No check is visible here that fhirUser points at the FHIR
             server under test, and the signature assertion above does not stop the test on failure.
             Confirm that the engine resolves or restricts this URL so the bearer token is only sent
             to the intended server.
             The resource element says Patient while the description allows Patient, Practitioner,
             RelatedPerson or Person; presumably the element is informational. Verify. -->
        <action> 
            <operation> 
                <type> 
                    <system value="http://terminology.hl7.org/CodeSystem/testscript-operation-codes"/>  
                    <code value="read"/> 
                </type>  
                <resource value="Patient"/>  
                <description value="Confirm the FHIR resource representing the current user can be retrieved. Verify that the fhirUser claim is present in the ID token and that the FHIR resource it refers to can be retrieved. The fhirUser claim must be the url for a Patient, Practitioner, RelatedPerson, or Person resource"/>  
                <accept value="json"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Bearer ${oauth2GetTokenResponseAccessToken}"/> 
                </requestHeader>  
                <url value="${idToken-fhirUser}"/> 
            </operation> 
        </action>  
        <!-- Only the 200 status is asserted; the type or content of the returned resource is not
             checked in this action. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify the FHIR resource representing the current user can be retrieved."/>  
                <operator value="equals"/>  
                <responseCode value="200"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action> 
    </test>  
    <test id="03-Token-Refresh"> 
        <name value="03 Token Refresh"/>  
        <description value="Use the refresh token to get new access token and verify it can access resources."/>  
        <!-- Negative test: refresh request built from the fixture
             refresh-token-with-invalid-refresh-token (defined outside this part of the script),
             sent with the real client credentials to the variable tokenEndpoint.
             NOTE(review): the Authorization value is written as Basic followed by the plain
             clientId:clientSecret pair. HTTP Basic carries the base64 form of that pair;
             presumably the engine encodes it for this operation type. Confirm, and confirm that
             tokenEndpoint is an https URL since the client secret travels in this header. -->
        <action> 
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="oauth2-refresh-token"/> 
                </type>  
                <description value="The Refresh token exchange fails when supplied invalid Refresh Token"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Basic ${dest1SystemConfig.clientId}:${dest1SystemConfig.clientSecret}"/> 
                </requestHeader>  
                <responseId value="oauth2RefreshTokenResponse3"/>  
                <sourceId value="refresh-token-with-invalid-refresh-token"/>  
                <url value="${tokenEndpoint}"/> 
            </operation> 
        </action>  
        <!-- Passes on 400, 401 or 403. RFC 6749 section 5.2 specifies 400 (invalid_grant) for an
             invalid refresh token; the wider set tolerates servers that answer differently. Only
             the status code is asserted, not the error body. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The Refresh token exchange fails when supplied invalid Refresh Token"/>  
                <operator value="in"/>  
                <responseCode value="400,401,403"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Negative test for client authentication: the fixture refresh-token-valid-no-scope is
             sent with the literal client id invalidClientId and the real client secret. The
             response is stored under oauth2RefreshTokenResponse3, the same id the previous exchange
             used; presumably the later response replaces the earlier one under that id. -->
        <action> 
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="oauth2-refresh-token"/> 
                </type>  
                <description value="The Refresh token exchange fails when supplied invalid Client ID"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Basic invalidClientId:${dest1SystemConfig.clientSecret}"/> 
                </requestHeader>  
                <responseId value="oauth2RefreshTokenResponse3"/>  
                <sourceId value="refresh-token-valid-no-scope"/>  
                <url value="${tokenEndpoint}"/> 
            </operation> 
        </action>  
        <!-- Passes on 400, 401 or 403. RFC 6749 section 5.2 requires 401 (invalid_client) when the
             client authenticated through the Authorization header, as it does here. Only the
             status code is asserted. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The Refresh token exchange fails when supplied invalid Client ID"/>  
                <operator value="in"/>  
                <responseCode value="400,401,403"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Positive test: the fixture refresh-token-valid-no-scope sent with the real client
             credentials. The response is stored under oauth2RefreshTokenResponse3, the id that the
             two negative exchanges above also write to. -->
        <action> 
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="oauth2-refresh-token"/> 
                </type>  
                <description value="The Refresh token exchange succeeds when optional scope parameter omitted"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Basic ${dest1SystemConfig.clientId}:${dest1SystemConfig.clientSecret}"/> 
                </requestHeader>  
                <responseId value="oauth2RefreshTokenResponse3"/>  
                <sourceId value="refresh-token-valid-no-scope"/>  
                <url value="${tokenEndpoint}"/> 
            </operation> 
        </action>  
        <!-- Passes on 200 or 201. Only the status code is asserted; the returned token, its scope
             and its lifetime are not inspected in this action. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The Refresh token exchange succeeds when optional scope parameter omitted"/>  
                <operator value="in"/>  
                <responseCode value="200,201"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Refresh-token exchange with the optional scope parameter supplied. Uses the
             Touchstone-specific operation code oauth2-refresh-token, sends the fixture
             refresh-token-valid-with-scope (sourceId) to the URL held in the tokenEndpoint
             variable, and stores the response as oauth2RefreshTokenResponse4. -->
        <action> 
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="oauth2-refresh-token"/> 
                </type>  
                <description value="The Refresh token exchange succeeds when optional scope parameter provided"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <!-- Confidential-client authentication with the clientId and clientSecret taken
                     from dest1SystemConfig.
                     NOTE(review): RFC 7617 defines Basic credentials as base64 of
                     "user-id:password"; the value below is written as the plain id:secret pair,
                     so it presumably relies on the test engine encoding it before sending.
                     Confirm, otherwise a compliant server would reject the header.
                     NOTE(review): the resolved header carries a live client secret; verify that
                     recorded requests from test executions are not published or widely shared. -->
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Basic ${dest1SystemConfig.clientId}:${dest1SystemConfig.clientSecret}"/> 
                </requestHeader>  
                <responseId value="oauth2RefreshTokenResponse4"/>  
                <sourceId value="refresh-token-valid-with-scope"/>  
                <url value="${tokenEndpoint}"/> 
            </operation> 
        </action>  
        <!-- Status check for the refresh-token exchange sent with the optional scope
             parameter (the operation immediately before this action). No sourceId is given,
             so the assert presumably evaluates the most recent response. -->
        <action> 
            <assert> 
                <!-- stopTestOnFail extension is set to false: presumably the remaining actions
                     still run after a failure here; warningOnly=false keeps it a hard failure. -->
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The Refresh token exchange succeeds when optional scope parameter provided"/>  
                <!-- operator "in" with a comma-separated list accepts either status code.
                     NOTE(review): RFC 6749 section 5.1 describes a successful token response as
                     200 OK; confirm that tolerating 201 from a token endpoint is intentional. -->
                <operator value="in"/>  
                <responseCode value="200,201"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- FHIR read against the URL held in the idToken-fhirUser variable, authorised with
             the access token held in the oauth2RefreshTokenResponseAccessToken variable.
             This is the only visible step that presents a refreshed access token to the
             resource server. -->
        <action> 
            <operation> 
                <type> 
                    <system value="http://terminology.hl7.org/CodeSystem/testscript-operation-codes"/>  
                    <code value="read"/> 
                </type>  
                <!-- NOTE(review): resource is declared as Patient, but the request URL comes from
                     the fhirUser claim, which in SMART may identify a Practitioner, RelatedPerson
                     or Person as well as a Patient. Confirm the declared type matches the
                     launch being tested. -->
                <resource value="Patient"/>  
                <description value="The OAuth refresh token can be used to retrieve the FhirUser"/>  
                <accept value="json"/>  
                <encodeRequestUrl value="true"/>  
                <!-- The header carries an access token, not the refresh token named in the
                     description. NOTE(review): the variable is defined outside this part of the
                     script; confirm it is read from the latest refresh response so the read
                     really exercises the newly issued access token. -->
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Bearer ${oauth2RefreshTokenResponseAccessToken}"/> 
                </requestHeader>  
                <url value="${idToken-fhirUser}"/> 
            </operation> 
        </action>  
        <!-- Status check for the read in the previous action: passes only when the response
             code equals 200. No sourceId is given, so the assert presumably evaluates the
             most recent response.
             NOTE(review): the description mentions patient context in the token response
             body, but this action asserts the HTTP status only; no body or context field is
             inspected here. -->
        <action> 
            <assert> 
                <!-- stopTestOnFail extension is set to false: presumably the remaining actions
                     still run after a failure here; warningOnly=false keeps it a hard failure. -->
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The OAuth refresh token exchange response body contains patient context and patient resource can be retrieve with the right credentials"/>  
                <operator value="equals"/>  
                <responseCode value="200"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Presence check for refresh-token rotation: the stored response
             oauth2RefreshTokenResponse4 (the exchange sent with scope) must contain a
             non-empty refresh_token member. -->
        <action> 
            <assert> 
                <!-- stopTestOnFail extension is set to false: presumably the following
                     comparison still runs when this check fails. -->
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The Server supplies new refresh token as required by ONC certification criteria. Verifying sure that a new refresh token was just received."/>  
                <!-- notEmpty only proves a value is present; whether it differs from an earlier
                     token is checked by a separate assert. -->
                <operator value="notEmpty"/>  
                <path value=".refresh_token"/>  
                <sourceId value="oauth2RefreshTokenResponse4"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Rotation check: the refresh_token in oauth2RefreshTokenResponse4 must not equal
             the value of the oauth2GetTokenResponseRefreshToken variable, which the
             description identifies as the refresh token from the initial get-token exchange. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="The Server supplies new refresh token as required by ONC certification criteria. Verifying sure that the new refresh token received is different from the earlier one in get token."/>  
                <!-- NOTE(review): the comparison is against the originally issued token only.
                     Other refresh exchanges run before this one, so a server that rotated once
                     and then kept returning the same token would still pass. Consider also
                     comparing with the refresh token returned by the immediately preceding
                     exchange.
                     NOTE(review): nothing in this part of the script confirms that a superseded
                     refresh token is rejected by the token endpoint; check whether that is
                     covered elsewhere. -->
                <operator value="notEquals"/>  
                <path value=".refresh_token"/>  
                <sourceId value="oauth2RefreshTokenResponse4"/>  
                <value value="${oauth2GetTokenResponseRefreshToken}"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action> 
    </test> 
</TestScript>