Name | /FHIRSandbox/DaVinci/FHIR4-0-1-DTR/EHR-Launch/99-DTR-SMART-EHR-Revoke-Token |
Description | DaVinci DTR - SMART on FHIR EHR Launch - Revoke Token (Simple) Tests - Verifies revocation of access granted to an application when the security token is revoked. |
Version | 2 | Latest | 2 |
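<?xml version="1.0" encoding="UTF-8"?>
<TestScript xmlns="http://hl7.org/fhir">
  <!--
    Negative-path security test: after an access/refresh token pair has been
    revoked, (01) a Patient read with the revoked access token must be rejected
    with 401 and (02) a refresh-grant exchange with the revoked refresh token
    must be rejected by the token endpoint. Both tests only prove revocation if
    the credentials used would otherwise have been accepted; see the notes on
    test 02 below.
  -->
  <id value="dtr-revoke-token-simple"/>
  <meta>
    <profile value="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript"/>
  </meta>
  <text>
    <status value="generated"/>
    <div xmlns="http://www.w3.org/1999/xhtml">
      <p>DaVinci DTR - SMART on FHIR EHR Launch - Revoke Token (Simple)</p>
    </div>
  </text>
  <url value="http://wildfhir.aegis.net/fhir4-0-1/TestScript/security-fhir-r4-revoke-token-simple"/>
  <name value="DaVinciDTREHRRevokeTokenSimple"/>
  <title value="DaVinci DTR - SMART on FHIR EHR - Revoke Token (Simple)"/>
  <status value="active"/>
  <date value="2020-12-28"/>
  <publisher value="AEGIS.net, Inc."/>
  <contact>
    <name value="Touchstone Support"/>
    <telecom>
      <system value="email"/>
      <value value="Touchstone_Support@aegis.net"/>
      <use value="work"/>
    </telecom>
  </contact>
  <description value="DaVinci DTR - SMART on FHIR EHR Launch - Revoke Token (Simple) Tests - Verifies revocation of access granted to an application when the security token is revoked."/>
  <copyright value="This FHIR Test Script is licensed under Creative Commons (CC0) 'No Rights Reserved'. Learn more at https://creativecommons.org/licenses"/>

  <!--
    Request body for the refresh-token grant used in test 02. The reference
    points into a sibling SMART EHR test folder rather than this DTR folder;
    confirm the path resolves in this suite's execution context.
    autocreate/autodelete are false because the fixture is a request form,
    not a resource to be created on the server.
  -->
  <fixture id="refresh-token-with-revoked-refresh-token">
    <autocreate value="false"/>
    <autodelete value="false"/>
    <resource>
      <reference value="/FHIR4-0-1-SMART-PRV-EHR/_reference/oauth2-refresh-token-with-revoked-refresh-token.frm"/>
    </resource>
  </fixture>

  <!--
    The first three variables have no default and must be supplied by the
    tester at execution time (the hint is shown in the Touchstone prompt).
    The tokens entered here must be ones that were valid and have since been
    revoked; a never-issued or mistyped token also yields 401 and would make
    test 01 pass without exercising revocation.
  -->
  <variable>
    <name value="authorizedPatientId"/>
    <hint value="[Enter authorized Patient id here]"/>
  </variable>
  <variable>
    <name value="oauth2AuthToken"/>
    <hint value="[Copy revoked auth token here]"/>
  </variable>
  <variable>
    <name value="oauth2RefreshToken"/>
    <hint value="[Copy revoked refresh token here]"/>
  </variable>
  <!--
    token_endpoint is read from the dest1SmartConfig fixture, which is not
    declared in this script; presumably it is the engine-provided SMART
    discovery document for the destination server. Confirm before reuse
    outside Touchstone.
  -->
  <variable>
    <name value="tokenEndpoint"/>
    <path value=".token_endpoint"/>
    <sourceId value="dest1SmartConfig"/>
  </variable>

  <test id="01-AccessUnauthorized">
    <name value="01 - Patient resource Access Unauthorized"/>
    <description value="Verify access to Patient resource returns unauthorized after token revocation."/>
    <action>
      <operation>
        <type>
          <system value="http://hl7.org/fhir/testscript-operation-codes"/>
          <code value="read"/>
        </type>
        <resource value="Patient"/>
        <description value="Patient read where expected response is unauthorized."/>
        <accept value="json"/>
        <encodeRequestUrl value="true"/>
        <params value="/${authorizedPatientId}"/>
        <requestHeader>
          <field value="Authorization"/>
          <value value="Bearer ${oauth2AuthToken}"/>
        </requestHeader>
      </operation>
    </action>
    <action>
      <assert>
        <description value="Confirm that the returned HTTP status is 401(Unauthorized)."/>
        <direction value="response"/>
        <responseCode value="401"/>
        <warningOnly value="false"/>
      </assert>
    </action>
    <!--
      RFC 6750 section 3 requires a resource server that rejects a bearer
      token with 401 to include a WWW-Authenticate header. Checked as a
      warning only so that servers omitting it still pass the core revocation
      check above.
    -->
    <action>
      <assert>
        <description value="Confirm that a WWW-Authenticate header accompanies the 401 response (RFC 6750 section 3)."/>
        <direction value="response"/>
        <headerField value="WWW-Authenticate"/>
        <operator value="notEmpty"/>
        <warningOnly value="true"/>
      </assert>
    </action>
  </test>

  <test id="02-TokenRefreshFails">
    <name value="02 - Token Refresh Fails"/>
    <description value="Verify use of revoked refresh token to get new access token fails."/>
    <action>
      <operation>
        <type>
          <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>
          <code value="oauth2-refresh-token"/>
        </type>
        <description value="Refresh token exchange fails when supplied revoked Refresh Token"/>
        <encodeRequestUrl value="true"/>
        <requestHeader>
          <field value="Accept"/>
          <value value="application/json"/>
        </requestHeader>
        <!--
          NOTE(review): HTTP Basic (RFC 7617) carries base64(client_id:client_secret).
          This substitution writes the pair in the clear; confirm the engine
          encodes it for the oauth2-refresh-token operation. If it does not,
          the token endpoint rejects the client authentication and the
          400/401/403 assertion below passes even when the refresh token is
          still valid, so the test would not demonstrate revocation.
        -->
        <requestHeader>
          <field value="Authorization"/>
          <value value="Basic ${dest1SystemConfig.clientId}:${dest1SystemConfig.clientSecret}"/>
        </requestHeader>
        <sourceId value="refresh-token-with-revoked-refresh-token"/>
        <url value="${tokenEndpoint}"/>
      </operation>
    </action>
    <action>
      <assert>
        <description value="Refresh token exchange fails when supplied revoked Refresh Token. Response values of 400, 401, or 403 are valid."/>
        <!-- direction stated explicitly to match test 01 (response is also the FHIR default) -->
        <direction value="response"/>
        <operator value="in"/>
        <responseCode value="400,401,403"/>
        <warningOnly value="false"/>
      </assert>
    </action>
  </test>
</TestScript>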