
Name/FHIRSandbox/DaVinci/FHIR4-0-1-Formulary/Formulary-STU1-1-0/00-SMART-on-FHIR/03-Confid-Client-Test/standalone-launch-patient
DescriptionSMART on FHIR Stand-Alone Launch with Patient Scope Tests - Perform Confidential SMART launch sequence and test OpenID Connect and token refresh functionality. Select to run this test IF your SMART on FHIR server supports CONFIDENTIAL Client. See other tests in this testset for Public Client testing.
<?xml version="1.0" encoding="UTF-8"?>

<TestScript xmlns="http://hl7.org/fhir">  
    <id value="standalone-launch-patient"/>  
    <meta> 
        <profile value="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript"/> 
    </meta>  
    <text> 
        <status value="generated"/>  
        <div xmlns="http://www.w3.org/1999/xhtml">  
            <p>Standalone Launch with Patient Scope</p> 
        </div> 
    </text>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-assertStringLiteralContains"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/AssertStringLiteralContains.groovy"/> 
        </extension> 
    </extension>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-decodeIdToken"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/DecodeIdToken.groovy"/> 
        </extension> 
    </extension>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-extractKeyBodyFromJwksAndValidateKid"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/ExtractKeyBodyFromJwksAndValidateKid.groovy"/> 
        </extension> 
    </extension>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-verifyIdToken"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/VerifyIdTokenAgainstJwks.groovy"/> 
        </extension> 
    </extension>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-verifyScopes"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/VerifyOAuth2Scopes.groovy"/> 
        </extension> 
    </extension>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-verifyTLS"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/VerifyTLS.groovy"/> 
        </extension> 
    </extension>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-ReplaceNullVariable"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/ReplaceNullVariable.groovy"/> 
        </extension> 
    </extension>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-GetVariable-JsonPath"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/GetVariable-JsonPath.groovy"/> 
        </extension> 
    </extension>  
    <url value="http://wildfhir.aegis.net/fhir4-0-1/TestScript/standalone-launch-patient"/>  
    <name value="StandaloneLaunchWithPatientScope"/>  
    <title value="Standalone Launch with Patient Scope"/>  
    <status value="active"/>  
    <date value="2021-12-17"/>  
    <publisher value="AEGIS.net, Inc."/>  
    <contact> 
        <name value="Touchstone Support"/>  
        <telecom> 
            <system value="email"/>  
            <value value="Touchstone_Support@aegis.net"/>  
            <use value="work"/> 
        </telecom> 
    </contact>  
    <description value="SMART on FHIR Stand-Alone Launch with Patient Scope Tests - Perform Confidential SMART launch sequence and test OpenID Connect and token refresh functionality. Select to run this test IF your SMART on FHIR server supports CONFIDENTIAL Client. See other tests in this testset for Public Client testing."/>  
    <copyright value="This FHIR Test Script is licensed under Creative Commons (CC0) 'No Rights Reserved'. Learn more at https://creativecommons.org/licenses"/>  
    <fixture id="get-token-bad-code"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="../_reference/oauth2-get-token-bad-code.frm"/> 
        </resource> 
    </fixture>  
    <fixture id="get-token"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="../_reference/oauth2-get-token.frm"/> 
        </resource> 
    </fixture>  
    <fixture id="refresh-token-valid-no-scope"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="../_reference/oauth2-refresh-token-no-scope.frm"/> 
        </resource> 
    </fixture>  
    <fixture id="refresh-token-valid-with-scope"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="../_reference/oauth2-refresh-token-with-scope.frm"/> 
        </resource> 
    </fixture>  
    <fixture id="refresh-token-with-invalid-refresh-token"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="../_reference/oauth2-refresh-token-with-invalid-refresh-token.frm"/> 
        </resource> 
    </fixture>  
    <fixture id="static-variables"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="../_reference/static-variables.json"/> 
        </resource> 
    </fixture>  
    <variable> 
        <name value="authorizeEndpoint"/>  
        <path value=".authorization_endpoint"/>  
        <sourceId value="dest1SmartConfig"/> 
    </variable>  
    <variable> 
        <name value="tokenEndpoint"/>  
        <path value=".token_endpoint"/>  
        <sourceId value="dest1SmartConfig"/> 
    </variable>  
    <variable> 
        <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-variable-paramField"> 
            <valueString value="state"/> 
        </extension>  
        <name value="oauth2AuthzRequest1StateParam"/>  
        <sourceId value="oauth2AuthzRequest1"/> 
    </variable>  
    <variable> 
        <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-variable-paramField"> 
            <valueString value="redirect_uri"/> 
        </extension>  
        <name value="oauth2AuthzRequest1RedirectUri"/>  
        <sourceId value="oauth2AuthzRequest1"/> 
    </variable>  
    <variable> 
        <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-variable-paramField"> 
            <valueString value="code"/> 
        </extension>  
        <name value="oauth2AuthzRedirect1AuthCode"/>  
        <sourceId value="oauth2AuthzRedirect1"/> 
    </variable>  
    <variable> 
        <name value="oauth2Scopes"/>  
        <defaultValue value="launch/patient openid fhirUser offline_access patient/List.read patient/MedicationKnowledge.read"/> 
    </variable>  
    <variable> 
        <name value="oauth2GetTokenResponsePatientId"/>  
        <path value=".patient"/>  
        <sourceId value="oauth2GetTokenResponse1"/> 
    </variable>  
    <variable> 
        <name value="oauth2GetTokenResponseAccessToken"/>  
        <path value=".access_token"/>  
        <sourceId value="oauth2GetTokenResponse1"/> 
    </variable>  
    <variable> 
        <name value="oauth2GetTokenResponseRefreshToken"/>  
        <path value=".refresh_token"/>  
        <sourceId value="oauth2GetTokenResponse1"/> 
    </variable>  
    <variable> 
        <name value="oauth2GetTokenResponseGrantedScopes"/>  
        <path value=".scope"/>  
        <sourceId value="oauth2GetTokenResponse1"/> 
    </variable>  
    <variable> 
        <name value="oauth2GetTokenResponse1IdToken"/>  
        <path value=".id_token"/>  
        <sourceId value="oauth2GetTokenResponse1"/> 
    </variable>  
    <variable> 
        <name value="oauth2RefreshTokenResponsePatientId"/>  
        <path value=".patient"/>  
        <sourceId value="oauth2RefreshTokenResponse4"/> 
    </variable>  
    <variable> 
        <name value="oauth2RefreshTokenResponseAccessToken"/>  
        <path value=".access_token"/>  
        <sourceId value="oauth2RefreshTokenResponse4"/> 
    </variable>  
    <variable> 
        <name value="jwksUriInOpenIdConfigResponse"/>  
        <path value=".jwks_uri"/>  
        <sourceId value="openIdConfigResponse"/> 
    </variable>  
    <variable> 
        <name value="issuerInOpenIdConfigResponse"/>  
        <path value=".issuer"/>  
        <sourceId value="openIdConfigResponse"/> 
    </variable>  
    <variable> 
        <name value="signingAlgValuesSupportedInOpenIdConfigResponse"/>  
        <path value=".id_token_signing_alg_values_supported"/>  
        <sourceId value="openIdConfigResponse"/> 
    </variable>  
    <test id="01-StandaloneLaunchWithPatientScope"> 
        <name value="01 - Standalone Launch With Patient Scope"/>  
        <description value="Perform Standalone SMART launch sequence and test OpenID Connect and token refresh functionality."/>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="true"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="authorizeEndpoint"/> 
                </extension>  
                <description value="Verify that OAuth2 Authorize endpoint has been defined in Smart configuration before using it in next operation"/>  
                <operator value="notEmpty"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-verifyTLS"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="endpointName"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="OAuth2 Authorize Endpoint"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="endpointURL"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${authorizeEndpoint}"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OAuth 2.0 authorize endpoint secured by transport layer security. Apps MUST assure that sensitive information (authentication secrets, authorization codes, tokens) is transmitted ONLY to authenticated servers, over TLS-secured channels."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <operation> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-operation-oauth2AuthzRequestId"> 
                    <valueId value="oauth2AuthzRequest1"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-operation-oauth2AuthzRedirectId"> 
                    <valueId value="oauth2AuthzRedirect1"/> 
                </extension>  
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="oauth2-authorize"/> 
                </type>  
                <description value="Redirect user to the authorize endpoint for target test system specified in smart configuration"/>  
                <encodeRequestUrl value="true"/>  
                <!-- Authorization request URL. Only client_id, scope and aud (the FHIR base URL, which
                     binds the resulting token to this server) are set here; response_type, redirect_uri
                     and state do not appear in the URL. Presumably the oauth2-authorize operation appends
                     them itself, since this script's variables later read state and redirect_uri back out
                     of oauth2AuthzRequest1. NOTE(review): confirm against the Touchstone operation
                     definition. No PKCE code_challenge is sent, so this sequence does not exercise PKCE. -->
                <url value="${authorizeEndpoint}?client_id=${dest1SystemConfig.clientId}&amp;scope=${oauth2Scopes}&amp;aud=${dest1SystemConfig.baseUrl}"/> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OAuth server redirects client browser to app redirect URI. Client browser redirected from OAuth server to redirect URI of client app as described in SMART authorization sequence."/>  
                <direction value="request"/>  
                <operator value="contains"/>  
                <requestURL value="/oauth2/authcode/redirect"/>  
                <sourceId value="oauth2AuthzRedirect1"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Client app receives code parameter. Code and state are required querystring parameters."/>  
                <operator value="notEmpty"/>  
                <requestURL value="queryParam: ?code"/>  
                <sourceId value="oauth2AuthzRedirect1"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Touchstone Client app receives correct state parameter from OAuth server at redirect URI. State must be the exact value received from the client."/>  
                <!-- Exact-match comparison of the returned state against the value this script sent in
                     oauth2AuthzRequest1. This is the check that ties the authorization response to the
                     request that was actually issued (CSRF protection for the redirect); "contains" or a
                     warningOnly assertion here would weaken it. -->
                <operator value="equals"/>  
                <requestURL value="queryParam: ?state=${oauth2AuthzRequest1StateParam}"/>  
                <sourceId value="oauth2AuthzRedirect1"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="true"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="tokenEndpoint"/> 
                </extension>  
                <description value="Verify that OAuth2 Token endpoint has been defined in Smart configuration before using it in next operation"/>  
                <operator value="notEmpty"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-verifyTLS"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="endpointName"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="OAuth2 Token Endpoint"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="endpointURL"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${tokenEndpoint}"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OAuth token exchange endpoint secured by transport layer security."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="oauth2-get-token"/> 
                </type>  
                <description value="OAuth token exchange request succeeds when supplied correct information. After obtaining an authorization code, the app trades the code for an access token via HTTP POST to the EHR authorization server’s token endpoint URL, using content-type application/x-www-form-urlencoded"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <!-- Confidential-client authentication. The client secret is substituted from the target
                     system configuration (dest1SystemConfig), not stored in this script. The value is
                     written as "Basic clientId:clientSecret"; RFC 6749 §2.3.1 expects the Basic
                     credential to be base64(client_id:client_secret), so the engine presumably encodes it
                     before sending. NOTE(review): confirm; if it is sent verbatim the token request is
                     malformed and a correct server would reject it. -->
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Basic ${dest1SystemConfig.clientId}:${dest1SystemConfig.clientSecret}"/> 
                </requestHeader>  
                <responseId value="oauth2GetTokenResponse1"/>  
                <!-- The code, grant_type and redirect_uri form body come from the get-token fixture
                     (oauth2-get-token.frm), which is not shown here. -->
                <sourceId value="get-token"/>  
                <url value="${tokenEndpoint}"/> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OAuth token exchange request succeeds when supplied correct information"/>  
                <!-- Accepts 201 as well as 200. RFC 6749 §5.1 specifies 200 (OK) for a successful token
                     response, so 201 is a leniency of this test rather than a requirement of the spec.
                     NOTE(review): confirm this is intended. -->
                <operator value="in"/>  
                <responseCode value="200,201"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OAuth token exchange response body contains access_token."/>  
                <operator value="notEmpty"/>  
                <path value=".access_token"/>  
                <sourceId value="oauth2GetTokenResponse1"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OAuth token exchange response body contains scope."/>  
                <operator value="notEmpty"/>  
                <path value=".scope"/>  
                <sourceId value="oauth2GetTokenResponse1"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OAuth token exchange response body contains token_type value of Bearer."/>  
                <operator value="in"/>  
                <path value=".token_type"/>  
                <sourceId value="oauth2GetTokenResponse1"/>  
                <value value="Bearer,bearer"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OAuth token exchange response body contains expires_in which is required for token refreshes."/>  
                <operator value="notEmpty"/>  
                <path value=".expires_in"/>  
                <sourceId value="oauth2GetTokenResponse1"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-verifyScopes"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="expectedScopes"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2Scopes}"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="grantedScopes"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2GetTokenResponseGrantedScopes}"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <description value="OAuth token exchange response body contains required information encoded in JSON. The EHR authorization server shall return a JSON structure that includes an access token or a message indicating that the authorization request has been denied. access_token, token_type, and scope are required. token_type must be Bearer. expires_in is required for token refreshes."/>  
                <warningOnly value="true"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OAuth token exchange response includes correct HTTP Cache-Control header. The authorization server's response must include the HTTP Cache-Control response header field with a value of no-store."/>  
                <headerField value="Cache-Control"/>  
                <operator value="equals"/>  
                <sourceId value="oauth2GetTokenResponse1"/>  
                <value value="no-store"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OAuth token exchange response includes correct HTTP Pragma header. The authorization server's response must include the HTTP Pragma response header field with a value of no-cache."/>  
                <headerField value="Pragma"/>  
                <operator value="equals"/>  
                <sourceId value="oauth2GetTokenResponse1"/>  
                <value value="no-cache"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
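        <action> 
            <assert> 
                <!-- Checks that the OpenID Connect scope was granted. The expected value is "openid" in
                     lowercase: OAuth 2.0 scope tokens are case-sensitive (RFC 6749 §3.3), OpenID Connect
                     defines the scope as "openid", and the oauth2Scopes variable in this script requests
                     "openid". A mixed-case "openId" would name a scope the server never grants, so the
                     assertion would fail (or only pass by accident if the rule folds case). -->
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-verifyScopes"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="expectedScopes"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="openid"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="grantedScopes"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2GetTokenResponseGrantedScopes}"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OpenID Connect scopes used. The scopes being input must follow the guidelines specified in the smart-app-launch guide. All scopes requested are expected to be granted."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  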
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-verifyScopes"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="expectedScopes"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="fhirUser"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="grantedScopes"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2GetTokenResponseGrantedScopes}"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OpenID Connect scopes used. The scopes being input must follow the guidelines specified in the smart-app-launch guide. All scopes requested are expected to be granted."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-verifyScopes"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="expectedScopes"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="launch/patient"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="grantedScopes"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2GetTokenResponseGrantedScopes}"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Patient-level access scopes used. The scopes being input must follow the guidelines specified in the smart-app-launch guide. All scopes requested are expected to be granted."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OAuth token exchange response body contains patient context"/>  
                <operator value="notEmpty"/>  
                <path value=".patient"/>  
                <sourceId value="oauth2GetTokenResponse1"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!-- Patient read with the access token from the launch sequence as a Bearer credential. The request
                 path is built from the patient id variable, so a missing or odd id produces a malformed read
                 rather than a clear failure; encodeRequestUrl is true, so the harness URL-encodes the path. -->
            <operation> 
                <type> 
                    <system value="http://terminology.hl7.org/CodeSystem/testscript-operation-codes"/>  
                    <code value="read"/> 
                </type>  
                <resource value="Patient"/>  
                <description value="Patient resource can be retrieved with the right credentials."/>  
                <accept value="json"/>  
                <encodeRequestUrl value="true"/>  
                <params value="/${oauth2GetTokenResponsePatientId}"/>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Bearer ${oauth2GetTokenResponseAccessToken}"/> 
                </requestHeader> 
            </operation> 
        </action>  
        <action> 
            <!-- Only the HTTP status of the preceding Patient read is asserted; the response body is not
                 inspected (no sourceId / path), so a 200 with an unexpected resource would still pass. -->
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Patient resource can be retrieved with the right credentials."/>  
                <operator value="equals"/>  
                <responseCode value="200"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action> 
    </test>  
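    <test id="02-OpenID-Connect"> 
        <name value="02 OpenID Connect"/>  
        <description value="Use OpenID Connect ID token provided during launch sequence to authenticate user."/>  
        <!-- Flow of this test: decode the id_token from the token exchange, use its 'iss' claim to fetch the
             OpenID Connect discovery document and then the JWKS, select the signing key by 'kid', verify the
             token signature and expiry (rule-verifyIdToken), check the standard claims, and finally read the
             resource named by 'fhirUser' with the access token. Until rule-verifyIdToken has passed, every
             value taken from the id_token is untrusted input from the server under test. -->
        <action> 
            <!-- Decodes header and payload into JSON documents and exposes alg, kid and iss as variables.
                 No signature check happens here. -->
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-decodeIdToken"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="idToken"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2GetTokenResponse1IdToken}"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="outputPrefix"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="oauth2GetTokenResponse1"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponse1-id-token-header"/> 
                        </extension>  
                        <extension url="type"> 
                            <valueString value="document"/> 
                        </extension>  
                        <extension url="contentType"> 
                            <valueString value="json"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponse1-id-token-payload"/> 
                        </extension>  
                        <extension url="type"> 
                            <valueString value="document"/> 
                        </extension>  
                        <extension url="contentType"> 
                            <valueString value="json"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponse1-id-token-header-alg"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponse1-id-token-header-kid"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponse1-id-token-payload-iss"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="true"/> 
                </extension>  
                <description value="ID token can be decoded."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!-- 'iss' is needed to build the discovery URL in the next operation. Only presence is asserted;
                 there is no check that it is an https URL (OpenID Connect Core requires one), so a reviewer
                 may want to add that before the value is used as a fetch target. -->
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="true"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="oauth2GetTokenResponse1-id-token-payload-iss"/> 
                </extension>  
                <description value="Verify that id_token has iss claim before using it to retrieve open-id configuration in the next operation."/>  
                <operator value="notEmpty"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!-- Discovery per OpenID Connect Discovery 1.0: iss + /.well-known/openid-configuration. The harness
                 fetches a URL derived from a token whose signature has not been verified yet; discovery has to
                 come first because the JWKS is needed for verification. The later 'iss' == 'issuer' assert and
                 rule-verifyIdToken close that loop. -->
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="get"/> 
                </type>  
                <description value="OpenID Connect well-known configuration can be retrieved. Verify that the OpenId Connect configuration can be retrieved as described in the OpenID Connect Discovery 1.0 documentation"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <responseId value="openIdConfigResponse"/>  
                <url value="${oauth2GetTokenResponse1-id-token-payload-iss}/.well-known/openid-configuration"/> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="true"/> 
                </extension>  
                <description value="OpenID Connect well-known configuration can be retrieved. Verify that the OpenId Connect configuration can be retrieved as described in the OpenID Connect Discovery 1.0 documentation"/>  
                <operator value="equals"/>  
                <responseCode value="200"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- The next seven asserts check the REQUIRED provider-metadata fields of OpenID Connect Discovery 1.0.
             Each is a presence check only, and none stops the test on failure. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OpenID Connect well-known configuration contains the required field 'issuer'"/>  
                <operator value="notEmpty"/>  
                <path value=".issuer"/>  
                <sourceId value="openIdConfigResponse"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OpenID Connect well-known configuration contains the required field 'authorization_endpoint'"/>  
                <operator value="notEmpty"/>  
                <path value=".authorization_endpoint"/>  
                <sourceId value="openIdConfigResponse"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OpenID Connect well-known configuration contains the required field 'token_endpoint'"/>  
                <operator value="notEmpty"/>  
                <path value=".token_endpoint"/>  
                <sourceId value="openIdConfigResponse"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OpenID Connect well-known configuration contains the required field 'jwks_uri'"/>  
                <operator value="notEmpty"/>  
                <path value=".jwks_uri"/>  
                <sourceId value="openIdConfigResponse"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OpenID Connect well-known configuration contains the required field 'response_types_supported'"/>  
                <operator value="notEmpty"/>  
                <path value=".response_types_supported"/>  
                <sourceId value="openIdConfigResponse"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OpenID Connect well-known configuration contains the required field 'subject_types_supported'"/>  
                <operator value="notEmpty"/>  
                <path value=".subject_types_supported"/>  
                <sourceId value="openIdConfigResponse"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OpenID Connect well-known configuration contains the required field 'id_token_signing_alg_values_supported'"/>  
                <operator value="notEmpty"/>  
                <path value=".id_token_signing_alg_values_supported"/>  
                <sourceId value="openIdConfigResponse"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!-- ${jwksUriInOpenIdConfigResponse} is presumably extracted from openIdConfigResponse .jwks_uri in
                 the script's variable section, which is outside this view; confirm it is not a static value. -->
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="get"/> 
                </type>  
                <description value="JWKS can be retrieved. Verify that the JWKS can be retrieved from the jwks_uri from the OpenID Connect well-known configuration."/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <responseId value="jwksResponse"/>  
                <url value="${jwksUriInOpenIdConfigResponse}"/> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="true"/> 
                </extension>  
                <description value="JWKS can be retrieved. Verify that the JWKS can be retrieved from the jwks_uri from the OpenID Connect well-known configuration."/>  
                <operator value="equals"/>  
                <responseCode value="200"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!-- Selects the JWK whose 'kid' matches the id_token header 'kid' and exposes that single key as the
                 JSON document oauth2GetTokenResponse1-jwksKeyBodyResponse, used by the asserts that follow. -->
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-extractKeyBodyFromJwksAndValidateKid"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="idTokenHeaderKid"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2GetTokenResponse1-id-token-header-kid}"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="outputPrefix"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="oauth2GetTokenResponse1"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponse1-jwksKeyBodyResponse"/> 
                        </extension>  
                        <extension url="type"> 
                            <valueString value="document"/> 
                        </extension>  
                        <extension url="contentType"> 
                            <valueString value="json"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="true"/> 
                </extension>  
                <description value="Verify that the key used to sign the id token can be identified in the JWKS."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!-- 'alg' is read from the selected JWK, not from the token header; the header value is compared in
                 the next assert. -->
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify that the id token is signed using RSA SHA-256 as required by the SMART app launch framework. This rule verifies that .alg in oauth2GetTokenResponse1-jwksKeyBodyResponse is RS256."/>  
                <operator value="equals"/>  
                <path value=".alg"/>  
                <sourceId value="oauth2GetTokenResponse1-jwksKeyBodyResponse"/>  
                <value value="RS256"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!-- Description corrected: it was a copy of the RS256 assert above. This assert compares the JWK 'alg'
                 with the id_token header 'alg' so key and token agree on the algorithm before verification. -->
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Verify that the signing algorithm declared by the JWKS key matches the 'alg' in the id token header. This rule verifies that .alg in oauth2GetTokenResponse1-jwksKeyBodyResponse equals oauth2GetTokenResponse1-id-token-header-alg."/>  
                <operator value="equals"/>  
                <path value=".alg"/>  
                <sourceId value="oauth2GetTokenResponse1-jwksKeyBodyResponse"/>  
                <value value="${oauth2GetTokenResponse1-id-token-header-alg}"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!-- Signature and expiry verification against the selected JWK (sourceId). stopTestOnFail is true here,
                 matching the other rule-based asserts in this test: the final read operation sends the access
                 token to whatever URL the 'fhirUser' claim names, so nothing below should run on an id_token
                 that failed verification. The rule also outputs 'exp', which the description does not list. -->
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-verifyIdToken"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="idToken"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2GetTokenResponse1IdToken}"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="outputPrefix"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="idToken"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="idToken-iss"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="idToken-sub"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="idToken-aud"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="idToken-iat"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="idToken-exp"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="idToken-fhirUser"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="true"/> 
                </extension>  
                <description value="ID token payload has a valid signature and exp must represent a time in the future. Extract 'iss', 'sub', 'aud', 'iat', and 'fhirUser' claims for further verifications."/>  
                <sourceId value="oauth2GetTokenResponse1-jwksKeyBodyResponse"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!-- Claim presence checks on the verified payload. 'exp' is output by the rule above but has no
             presence assert of its own here; the rule's expiry check is what covers it. -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="idToken-iss"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="ID token payload has required 'iss' claim"/>  
                <operator value="notEmpty"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="idToken-sub"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="ID token payload has required 'sub' claim"/>  
                <operator value="notEmpty"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="idToken-aud"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="ID token payload has required 'aud' claim"/>  
                <operator value="notEmpty"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="idToken-iat"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="ID token payload has required 'iat' claim"/>  
                <operator value="notEmpty"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!-- OpenID Connect Discovery 1.0 requires the metadata 'issuer' to be identical to the URL the metadata
                 was retrieved from; that URL was built from the token's 'iss', so this is the required
                 consistency check. ${issuerInOpenIdConfigResponse} is presumably extracted from
                 openIdConfigResponse .issuer in the variable section outside this view. -->
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="idToken-iss"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="ID token 'iss' claim must match the issuer from the OpenID Connect well-known configuration"/>  
                <operator value="equals"/>  
                <value value="${issuerInOpenIdConfigResponse}"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!-- Audience check against the registered client id. This assumes rule-verifyIdToken outputs 'aud' as
                 a single string; OpenID Connect allows an array, so confirm how the rule handles that case. -->
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="idToken-aud"/> 
                </extension>  
                <description value="ID token 'aud' claim must match the clientId of the destination test system"/>  
                <operator value="equals"/>  
                <value value="${dest1SystemConfig.clientId}"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!-- No stopTestOnFail extension here, so the harness default applies (presumably false; confirm). -->
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="idToken-fhirUser"/> 
                </extension>  
                <description value="ID token payload has required 'fhirUser' claim"/>  
                <operator value="notEmpty"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!-- 'contains' is the closest operator available (the FHIR assert operator set has no startsWith), so
                 this only checks that the literal 'https' appears somewhere in the value, not that it is the
                 URL scheme. stopTestOnFail is set to true so the read below, which sends the access token to
                 this URL, is skipped when the check fails. -->
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="idToken-fhirUser"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="true"/> 
                </extension>  
                <description value="Verify the 'fhirUser' value has a proper protocol before using it in the subsequent read operation"/>  
                <operator value="contains"/>  
                <value value="https"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!-- Reads the resource the verified 'fhirUser' claim points to, with the launch access token. The
                 'resource' element says Patient although the description allows Practitioner, RelatedPerson and
                 Person; with an explicit 'url' the resource element is presumably ignored by the harness. -->
            <operation> 
                <type> 
                    <system value="http://terminology.hl7.org/CodeSystem/testscript-operation-codes"/>  
                    <code value="read"/> 
                </type>  
                <resource value="Patient"/>  
                <description value="FHIR resource representing the current user can be retrieved. Verify that the fhirUser claim is present in the ID token and that the FHIR resource it refers to can be retrieved. The fhirUser claim must be the url for a Patient, Practitioner, RelatedPerson, or Person resource"/>  
                <accept value="json"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Bearer ${oauth2GetTokenResponseAccessToken}"/> 
                </requestHeader>  
                <url value="${idToken-fhirUser}"/> 
            </operation> 
        </action>  
        <action> 
            <!-- Status check only; the returned resource type is not asserted against the types the description
                 lists. -->
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="FHIR resource representing the current user can be retrieved."/>  
                <operator value="equals"/>  
                <responseCode value="200"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action> 
    </test>  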
    <test id="03-Token-Refresh"> 
        <name value="03 Token Refresh"/>  
        <description value="Use refresh token to get new access token and verify it can access resources."/>  
        <action> 
            <!-- Confidential-client refresh: client credentials are sent in an HTTP Basic Authorization header.
                 RFC 6749 section 2.3.1 expects base64(urlencoded client_id ":" urlencoded client_secret); the
                 value written here is the raw "id:secret" string, so this assumes the harness performs the
                 encoding for the oauth2-refresh-token operation. Confirm that; if the literal value is sent,
                 every refresh in this test fails. The request body presumably comes from the
                 'refresh-token-valid-no-scope' fixture and ${tokenEndpoint} from the variable section, both
                 outside this view. -->
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="oauth2-refresh-token"/> 
                </type>  
                <description value="Refresh token exchange succeeds when optional scope parameter omitted"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Basic ${dest1SystemConfig.clientId}:${dest1SystemConfig.clientSecret}"/> 
                </requestHeader>  
                <responseId value="oauth2RefreshTokenResponse3"/>  
                <sourceId value="refresh-token-valid-no-scope"/>  
                <url value="${tokenEndpoint}"/> 
            </operation> 
        </action>  
        <action> 
            <!-- Accepts 201 in addition to the 200 that RFC 6749 section 5.1 specifies for a successful token
                 response. Only the status is asserted; the new access token is not checked here. -->
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Refresh token exchange succeeds when optional scope parameter omitted"/>  
                <operator value="in"/>  
                <responseCode value="200,201"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!-- Refresh-token rotation, step 1: pull .refresh_token from the refresh response into
                 oauth2RefreshTokenResponseRefreshToken. Servers that do not rotate omit the field, in which case
                 the variable is presumably left empty and step 2 falls back to the original token. -->
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-GetVariable-JsonPath"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="jsonPath"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value=".refresh_token"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="outputName"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="oauth2RefreshTokenResponseRefreshToken"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2RefreshTokenResponseRefreshToken"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Rule to gather the new refresh token if assigned or use the old refresh token if still valid part 1."/>  
                <sourceId value="oauth2RefreshTokenResponse3"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!-- Refresh-token rotation, step 2: oauth2GetTokenResponseRefreshToken-resolved becomes the rotated
                 token when one was issued, otherwise the refresh token from the original launch. The
                 'refresh-token-valid-with-scope' fixture used by the next operation presumably references the
                 resolved variable; that fixture is outside this view. -->
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-ReplaceNullVariable"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="trueValue"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2RefreshTokenResponseRefreshToken}"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="defaultValue"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2GetTokenResponseRefreshToken}"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="outputName"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="oauth2GetTokenResponseRefreshToken-resolved"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponseRefreshToken-resolved"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Rule to gather the new refresh token if assigned or use the old refresh token if still valid part 2."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="oauth2-refresh-token"/> 
                </type>  
                <description value="Refresh token exchange succeeds when optional scope parameter provided"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Basic ${dest1SystemConfig.clientId}:${dest1SystemConfig.clientSecret}"/> 
                </requestHeader>  
                <responseId value="oauth2RefreshTokenResponse4"/>  
                <sourceId value="refresh-token-valid-with-scope"/>  
                <url value="${tokenEndpoint}"/> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Refresh token exchange succeeds when optional scope parameter provided"/>  
                <operator value="in"/>  
                <responseCode value="200,201"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OAuth refresh token exchange response body contains patient context"/>  
                <operator value="notEmpty"/>  
                <path value=".patient"/>  
                <sourceId value="oauth2RefreshTokenResponse4"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <operation> 
                <type> 
                    <system value="http://terminology.hl7.org/CodeSystem/testscript-operation-codes"/>  
                    <code value="read"/> 
                </type>  
                <resource value="Patient"/>  
                <description value="OAuth refresh token exchange response body contains patient context and the patient resource can be retrieved with the right credentials"/>  
                <accept value="json"/>  
                <encodeRequestUrl value="true"/>  
                <params value="/${oauth2GetTokenResponsePatientId}"/>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Bearer ${oauth2RefreshTokenResponseAccessToken}"/> 
                </requestHeader> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="OAuth refresh token exchange response body contains patient context and the patient resource can be retrieved with the right credentials"/>  
                <operator value="equals"/>  
                <responseCode value="200"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action> 
    </test> 
</TestScript>