Test Script

Name: /FHIRSandbox/DaVinci/FHIR4-0-1-Formulary/Formulary-STU1-1-0/00-SMART-on-FHIR/03-Confid-Client-Test/standalone-launch-patient-refresh-exception
Description: SMART on FHIR Stand-Alone Launch with Patient Scope Tests - Refresh Exception - Perform Confidential SMART launch sequence and test OpenID Connect and failure states for token refresh functionality. Select to run this test IF your SMART on FHIR server supports CONFIDENTIAL Client. See other tests in this testset for Public Client testing.
Version: 1 Latest: 1
Content
<?xml version="1.0" encoding="UTF-8"?>

<TestScript xmlns="http://hl7.org/fhir">  
    <!--
      Touchstone TestScript for a SMART on FHIR standalone launch with a
      confidential client. As written in this file it contains three tests:
        01 - authorize, exchange the code for tokens, read the Patient.
        02 - decode and verify the OpenID Connect ID token, then read the
             resource named by its fhirUser claim.
        03 - two negative refresh-token requests (invalid refresh token,
             invalid client id) that must be rejected.
      No successful refresh is exercised in this file.
    -->
    <id value="standalone-launch-patient-refresh-exception"/>  
    <meta> 
        <profile value="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript"/> 
    </meta>  
    <text> 
        <status value="generated"/>  
        <div xmlns="http://www.w3.org/1999/xhtml">  
            <p>Standalone Launch with Patient Scope - Refresh Exception</p> 
        </div> 
    </text>  
    <!--
      Rule registrations: each testscript-rule extension binds a ruleId to a
      Groovy script path so asserts can invoke it by id.
      Invoked by asserts in this file: rule-decodeIdToken,
      rule-extractKeyBodyFromJwksAndValidateKid, rule-verifyIdToken.
      Registered but not referenced by any assert in this file:
      rule-assertStringLiteralContains, rule-verifyScopes, rule-verifyTLS.
      NOTE(review): because rule-verifyScopes and rule-verifyTLS are never
      invoked here, this script does not itself assert the granted scopes or
      the transport security of the endpoints; confirm another script in the
      testset covers both.
    -->
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-assertStringLiteralContains"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/AssertStringLiteralContains.groovy"/> 
        </extension> 
    </extension>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-decodeIdToken"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/DecodeIdToken.groovy"/> 
        </extension> 
    </extension>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-extractKeyBodyFromJwksAndValidateKid"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/ExtractKeyBodyFromJwksAndValidateKid.groovy"/> 
        </extension> 
    </extension>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-verifyIdToken"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/VerifyIdTokenAgainstJwks.groovy"/> 
        </extension> 
    </extension>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-verifyScopes"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/VerifyOAuth2Scopes.groovy"/> 
        </extension> 
    </extension>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-verifyTLS"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/VerifyTLS.groovy"/> 
        </extension> 
    </extension>  
    <!--
      Script metadata (canonical url, name, title, status, date, publisher,
      contact, description, licence).
      NOTE(review): the canonical url below ends in "standalone-launch-patient"
      while the resource id is "standalone-launch-patient-refresh-exception".
      It looks as if it was carried over from the base script; confirm the two
      scripts do not share one canonical url.
    -->
    <url value="http://wildfhir.aegis.net/fhir4-0-1/TestScript/standalone-launch-patient"/>  
    <name value="StandaloneLaunchWithPatientScopeRefreshException"/>  
    <title value="Standalone Launch with Patient Scope - Refresh Exception"/>  
    <status value="active"/>  
    <date value="2021-12-20"/>  
    <publisher value="AEGIS.net, Inc."/>  
    <contact> 
        <name value="Touchstone Support"/>  
        <telecom> 
            <system value="email"/>  
            <value value="Touchstone_Support@aegis.net"/>  
            <use value="work"/> 
        </telecom> 
    </contact>  
    <description value="SMART on FHIR Stand-Alone Launch with Patient Scope Tests - Refresh Exception - Perform Confidential SMART launch sequence and test OpenID Connect and failure states for token refresh functionality. Select to run this test IF your SMART on FHIR server supports CONFIDENTIAL Client. See other tests in this testset for Public Client testing."/>  
    <copyright value="This FHIR Test Script is licensed under Creative Commons (CC0) 'No Rights Reserved'. Learn more at https://creativecommons.org/licenses"/>  
    <!--
      Static fixtures: request bodies loaded from .frm files under
      ../_reference. Their contents are not visible in this file.
      Used as an operation sourceId here: get-token (test 01),
      refresh-token-with-invalid-refresh-token and
      refresh-token-valid-no-scope (test 03).
      Not referenced by any operation in this file: get-token-bad-code,
      refresh-token-valid-with-scope.
    -->
    <fixture id="get-token-bad-code"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="../_reference/oauth2-get-token-bad-code.frm"/> 
        </resource> 
    </fixture>  
    <fixture id="get-token"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="../_reference/oauth2-get-token.frm"/> 
        </resource> 
    </fixture>  
    <fixture id="refresh-token-valid-no-scope"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="../_reference/oauth2-refresh-token-no-scope.frm"/> 
        </resource> 
    </fixture>  
    <fixture id="refresh-token-valid-with-scope"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="../_reference/oauth2-refresh-token-with-scope.frm"/> 
        </resource> 
    </fixture>  
    <fixture id="refresh-token-with-invalid-refresh-token"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="../_reference/oauth2-refresh-token-with-invalid-refresh-token.frm"/> 
        </resource> 
    </fixture>  
    <!--
      Endpoints read from the document with id dest1SmartConfig. That id is
      not produced by any operation in this file; presumably the test engine
      supplies the SMART configuration under it (confirm).
    -->
    <variable> 
        <name value="authorizeEndpoint"/>  
        <path value=".authorization_endpoint"/>  
        <sourceId value="dest1SmartConfig"/> 
    </variable>  
    <variable> 
        <name value="tokenEndpoint"/>  
        <path value=".token_endpoint"/>  
        <sourceId value="dest1SmartConfig"/> 
    </variable>  
    <!--
      Parameters captured from the authorization request (state, redirect_uri)
      and from the redirect back (code). None of the three is referenced again
      in this file; presumably the .frm fixtures consume them (confirm).
      NOTE(review): no assert in this file compares the state returned on the
      redirect with the state that was sent; confirm the engine or another
      script checks it.
    -->
    <variable> 
        <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-variable-paramField"> 
            <valueString value="state"/> 
        </extension>  
        <name value="oauth2AuthzRequest1StateParam"/>  
        <sourceId value="oauth2AuthzRequest1"/> 
    </variable>  
    <variable> 
        <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-variable-paramField"> 
            <valueString value="redirect_uri"/> 
        </extension>  
        <name value="oauth2AuthzRequest1RedirectUri"/>  
        <sourceId value="oauth2AuthzRequest1"/> 
    </variable>  
    <variable> 
        <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-variable-paramField"> 
            <valueString value="code"/> 
        </extension>  
        <name value="oauth2AuthzRedirect1AuthCode"/>  
        <sourceId value="oauth2AuthzRedirect1"/> 
    </variable>  
    <!-- Scopes requested at authorize time; offline_access is the SMART scope that asks for a refresh token. -->
    <variable> 
        <name value="oauth2RequiredScopes"/>  
        <defaultValue value="launch/patient openid fhirUser offline_access patient/List.read patient/MedicationKnowledge.read"/> 
    </variable>  
    <!--
      Fields of the token response stored as oauth2GetTokenResponse1 (test 01).
      The access token, patient id and id_token are used by later actions in
      this file. The refresh token and granted scope are not referenced again
      here; the refresh fixtures presumably read the refresh token (confirm),
      and the granted scope is never compared with oauth2RequiredScopes in
      this file.
    -->
    <variable> 
        <name value="oauth2GetTokenResponsePatientId"/>  
        <path value=".patient"/>  
        <sourceId value="oauth2GetTokenResponse1"/> 
    </variable>  
    <variable> 
        <name value="oauth2GetTokenResponseAccessToken"/>  
        <path value=".access_token"/>  
        <sourceId value="oauth2GetTokenResponse1"/> 
    </variable>  
    <variable> 
        <name value="oauth2GetTokenResponseRefreshToken"/>  
        <path value=".refresh_token"/>  
        <sourceId value="oauth2GetTokenResponse1"/> 
    </variable>  
    <variable> 
        <name value="oauth2GetTokenResponseGrantedScopes"/>  
        <path value=".scope"/>  
        <sourceId value="oauth2GetTokenResponse1"/> 
    </variable>  
    <variable> 
        <name value="oauth2GetTokenResponse1IdToken"/>  
        <path value=".id_token"/>  
        <sourceId value="oauth2GetTokenResponse1"/> 
    </variable>  
    <!--
      NOTE(review): the next two variables read from oauth2RefreshTokenResponse4,
      but no operation in this file stores a response under that id (the two
      refresh operations both use oauth2RefreshTokenResponse3). They are also
      not referenced by any action here, so they look like leftovers from the
      positive refresh script.
    -->
    <variable> 
        <name value="oauth2RefreshTokenResponsePatientId"/>  
        <path value=".patient"/>  
        <sourceId value="oauth2RefreshTokenResponse4"/> 
    </variable>  
    <variable> 
        <name value="oauth2RefreshTokenResponseAccessToken"/>  
        <path value=".access_token"/>  
        <sourceId value="oauth2RefreshTokenResponse4"/> 
    </variable>  
    <!--
      Fields of the OpenID Connect discovery document stored as
      openIdConfigResponse (test 02). Only jwks_uri is used afterwards; issuer
      and id_token_signing_alg_values_supported are extracted but no assert in
      this file compares them with the ID token's iss or alg.
    -->
    <variable> 
        <name value="jwksUriInOpenIdConfigResponse"/>  
        <path value=".jwks_uri"/>  
        <sourceId value="openIdConfigResponse"/> 
    </variable>  
    <variable> 
        <name value="issuerInOpenIdConfigResponse"/>  
        <path value=".issuer"/>  
        <sourceId value="openIdConfigResponse"/> 
    </variable>  
    <variable> 
        <name value="signingAlgValuesSupportedInOpenIdConfigResponse"/>  
        <path value=".id_token_signing_alg_values_supported"/>  
        <sourceId value="openIdConfigResponse"/> 
    </variable>  
    <!--
      Test 01: authorize, exchange the authorization code for tokens as a
      confidential client, then read the Patient named in the token response
      and expect HTTP 200.
    -->
    <test id="01-StandaloneLaunchWithPatientScope"> 
        <name value="01 - Standalone Launch With Patient Scope"/>  
        <description value="Perform Standalone SMART launch sequence and test OpenID Connect and token refresh functionality."/>  
        <action> 
            <operation> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-operation-oauth2AuthzRequestId"> 
                    <valueId value="oauth2AuthzRequest1"/> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-operation-oauth2AuthzRedirectId"> 
                    <valueId value="oauth2AuthzRedirect1"/> 
                </extension>  
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="oauth2-authorize"/> 
                </type>  
                <description value="Redirect user to the authorize endpoint for target test system specified in smart configuration"/>  
                <encodeRequestUrl value="true"/>  
                <!--
                  Only client_id, scope and aud are spelled out here. response_type,
                  redirect_uri and state are not in this URL; presumably the
                  oauth2-authorize operation adds them (confirm).
                -->
                <url value="${authorizeEndpoint}?client_id=${dest1SystemConfig.clientId}&amp;scope=${oauth2RequiredScopes}&amp;aud=${dest1SystemConfig.baseUrl}"/> 
            </operation> 
        </action>  
        <action> 
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="oauth2-get-token"/> 
                </type>  
                <description value="OAuth token exchange request succeeds when supplied correct information. After obtaining an authorization code, the app trades the code for an access token via HTTP POST to the EHR authorization server’s token endpoint URL, using content-type application/x-www-form-urlencoded"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <!--
                  Client authentication. The secret comes from system configuration,
                  not from a literal in this file.
                  NOTE(review): the value is written as clientId:clientSecret in the
                  clear; HTTP Basic requires that pair to be base64-encoded, so this
                  relies on the engine encoding it before sending (confirm).
                -->
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Basic ${dest1SystemConfig.clientId}:${dest1SystemConfig.clientSecret}"/> 
                </requestHeader>  
                <responseId value="oauth2GetTokenResponse1"/>  
                <sourceId value="get-token"/>  
                <url value="${tokenEndpoint}"/> 
            </operation> 
        </action>  
        <!--
          NOTE(review): no assert follows the token exchange itself (status code,
          token_type, presence of access_token/refresh_token/id_token). A failed
          exchange only shows up indirectly when the Patient read below fails.
        -->
        <action> 
            <operation> 
                <type> 
                    <system value="http://terminology.hl7.org/CodeSystem/testscript-operation-codes"/>  
                    <code value="read"/> 
                </type>  
                <resource value="Patient"/>  
                <description value="Patient resource can be retrieved with the right credentials."/>  
                <accept value="json"/>  
                <encodeRequestUrl value="true"/>  
                <!-- Patient id is the "patient" field of the token response. -->
                <params value="/${oauth2GetTokenResponsePatientId}"/>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Bearer ${oauth2GetTokenResponseAccessToken}"/> 
                </requestHeader> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="Patient resource can be retrieved with the right credentials."/>  
                <operator value="equals"/>  
                <responseCode value="200"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action> 
    </test>  
    <test id="02-OpenID-Connect"> 
        <name value="02 OpenID Connect"/>  
        <description value="Use OpenID Connect ID token provided during launch sequence to authenticate user."/>  
        <!--
          Step 1: decode the ID token from the token response with
          rule-decodeIdToken. Nothing in this action shows a signature check, so
          the outputs (header, payload, alg, kid, iss) should be read as
          unverified values at this point.
          kid and iss are consumed by later actions; the alg output is not
          referenced again in this file.
          stopTestOnFail is true: the test stops if the token cannot be decoded.
        -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-decodeIdToken"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="idToken"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2GetTokenResponse1IdToken}"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="outputPrefix"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="oauth2GetTokenResponse1"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponse1-id-token-header"/> 
                        </extension>  
                        <extension url="type"> 
                            <valueString value="document"/> 
                        </extension>  
                        <extension url="contentType"> 
                            <valueString value="json"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponse1-id-token-payload"/> 
                        </extension>  
                        <extension url="type"> 
                            <valueString value="document"/> 
                        </extension>  
                        <extension url="contentType"> 
                            <valueString value="json"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponse1-id-token-header-alg"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponse1-id-token-header-kid"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponse1-id-token-payload-iss"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="true"/> 
                </extension>  
                <description value="ID token can be decoded."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!--
          Step 2: fetch the OpenID Connect discovery document, then the JWKS it
          points to.
          The discovery URL is built from the iss value taken from the decoded,
          not yet verified, ID token. No assert in this file checks that this
          iss, or the issuer field of the returned document, matches the server
          under test.
          NOTE(review): without such a check the later signature verification
          only shows that the token agrees with the keys published by whatever
          host iss names. Consider asserting iss against the expected issuer
          before the JWKS is trusted.
          Neither GET is followed by a response-code assert, and neither URL is
          checked for an https scheme here.
        -->
        <action> 
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="get"/> 
                </type>  
                <description value="OpenID Connect well-known configuration can be retrieved. Verify that the OpenId Connect configuration can be retrieved as described in the OpenID Connect Discovery 1.0 documentation"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <responseId value="openIdConfigResponse"/>  
                <url value="${oauth2GetTokenResponse1-id-token-payload-iss}/.well-known/openid-configuration"/> 
            </operation> 
        </action>  
        <action> 
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="get"/> 
                </type>  
                <description value="JWKS can be retrieved. Verify that the JWKS can be retrieved from the jwks_uri from the OpenID Connect well-known configuration."/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <responseId value="jwksResponse"/>  
                <!-- jwks_uri comes straight from the discovery document fetched above. -->
                <url value="${jwksUriInOpenIdConfigResponse}"/> 
            </operation> 
        </action>  
        <!--
          Step 3: rule-extractKeyBodyFromJwksAndValidateKid is given the kid from
          the ID token header and emits the matching key as the JSON document
          oauth2GetTokenResponse1-jwksKeyBodyResponse. The assert names no
          sourceId; presumably the rule reads the most recent response, i.e. the
          JWKS fetched just before (confirm).
          stopTestOnFail is true: without a matching key the test stops.
        -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-extractKeyBodyFromJwksAndValidateKid"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="idTokenHeaderKid"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2GetTokenResponse1-id-token-header-kid}"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="outputPrefix"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="oauth2GetTokenResponse1"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="oauth2GetTokenResponse1-jwksKeyBodyResponse"/> 
                        </extension>  
                        <extension url="type"> 
                            <valueString value="document"/> 
                        </extension>  
                        <extension url="contentType"> 
                            <valueString value="json"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="true"/> 
                </extension>  
                <description value="Verify that the key used to sign the id token can be identified in the JWKS."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!--
          Step 4: rule-verifyIdToken checks the ID token against the key document
          extracted in step 3 (sourceId) and, per its description, requires a
          valid signature and an exp in the future. It outputs iss, sub, aud,
          iat, exp and fhirUser.
          Only idToken-fhirUser is referenced later in this file; iss, sub, aud,
          iat and exp are not compared with anything by an assert here. Whether
          the Groovy rule validates them internally cannot be seen from this
          file.
          NOTE(review): confirm aud is checked against the client id and iss
          against the expected issuer somewhere.
          NOTE(review): stopTestOnFail is false, so a failed signature or exp
          check is recorded but the remaining actions, including the read that
          sends the access token to the fhirUser URL, still run. Consider true.
        -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-verifyIdToken"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="idToken"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${oauth2GetTokenResponse1IdToken}"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="outputPrefix"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="idToken"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="idToken-iss"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="idToken-sub"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="idToken-aud"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="idToken-iat"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="idToken-exp"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="idToken-fhirUser"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="ID token payload has a valid signature and exp must represent a time in the future. Extract 'iss', 'sub', 'aud', 'iat', and 'fhirUser' claims for further verifications."/>  
                <sourceId value="oauth2GetTokenResponse1-jwksKeyBodyResponse"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!--
          Step 5: check the fhirUser claim, then read the resource it names with
          the access token and expect HTTP 200.
        -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="idToken-fhirUser"/> 
                </extension>  
                <description value="ID token payload has required 'fhirUser' claim"/>  
                <operator value="notEmpty"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <!--
          NOTE(review): "contains https" is a substring test, not a scheme test.
          A value with "https" anywhere in it passes (constructed example:
          http://host.example/https-x), and the check says nothing about the
          host. The read below then sends the bearer access token to whatever
          URL the claim holds. Consider also asserting that fhirUser lies under
          ${dest1SystemConfig.baseUrl}, so the token can only go to the server
          under test.
        -->
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-variable"> 
                    <valueString value="idToken-fhirUser"/> 
                </extension>  
                <description value="Verify the 'fhirUser' value has a proper protocol before using it in the subsequent read operation"/>  
                <operator value="contains"/>  
                <value value="https"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <operation> 
                <type> 
                    <system value="http://terminology.hl7.org/CodeSystem/testscript-operation-codes"/>  
                    <code value="read"/> 
                </type>  
                <!--
                  resource is fixed to Patient although the description allows
                  Practitioner, RelatedPerson or Person; the request target is the
                  absolute url below, taken from the fhirUser claim.
                -->
                <resource value="Patient"/>  
                <description value="FHIR resource representing the current user can be retrieved. Verify that the fhirUser claim is present in the ID token and that the FHIR resource it refers to can be retrieved. The fhirUser claim must be the url for a Patient, Practitioner, RelatedPerson, or Person resource"/>  
                <accept value="json"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Bearer ${oauth2GetTokenResponseAccessToken}"/> 
                </requestHeader>  
                <url value="${idToken-fhirUser}"/> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="FHIR resource representing the current user can be retrieved."/>  
                <operator value="equals"/>  
                <responseCode value="200"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action> 
    </test>  
    <!--
      Test 03: negative refresh-token cases only. Each request must be
      rejected with HTTP 400, 401 or 403.
        01 - valid client credentials, fixture carrying an invalid refresh token.
        02 - literal client id "invalidClientId" with the configured client
             secret, fixture refresh-token-valid-no-scope.
      NOTE(review): the test description below speaks of getting a new access
      token and using it, which no action in this test does.
      NOTE(review): the asserts check the status code only. They do not check
      that the body carries no access_token, nor the OAuth error code. A
      wrong-secret or missing-credentials case is not covered in this file.
      Both operations store their response under oauth2RefreshTokenResponse3;
      each is asserted immediately afterwards, so the reuse looks harmless.
    -->
    <test id="03-Token-Refresh"> 
        <name value="03 Token Refresh"/>  
        <description value="Use refresh token to get new access token and verify it can access resources."/>  
        <action> 
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="oauth2-refresh-token"/> 
                </type>  
                <description value="01: Refresh token exchange fails when supplied invalid Refresh Token"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Basic ${dest1SystemConfig.clientId}:${dest1SystemConfig.clientSecret}"/> 
                </requestHeader>  
                <responseId value="oauth2RefreshTokenResponse3"/>  
                <sourceId value="refresh-token-with-invalid-refresh-token"/>  
                <url value="${tokenEndpoint}"/> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="01: Refresh token exchange fails when supplied invalid Refresh Token"/>  
                <operator value="in"/>  
                <responseCode value="400,401,403"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="oauth2-refresh-token"/> 
                </type>  
                <description value="02: Refresh token exchange fails when supplied invalid Client ID"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Basic invalidClientId:${dest1SystemConfig.clientSecret}"/> 
                </requestHeader>  
                <responseId value="oauth2RefreshTokenResponse3"/>  
                <sourceId value="refresh-token-valid-no-scope"/>  
                <url value="${tokenEndpoint}"/> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="02: Refresh token exchange fails when supplied invalid Client ID"/>  
                <operator value="in"/>  
                <responseCode value="400,401,403"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action> 
    </test> 
</TestScript>