UDAP Security Test Kit
The UDAP Security Test Kit is a collection of tests for the HL7 Security for Scalable Registration, Authentication, and Authorization (UDAP Security) Implementation Guide.
Status
These tests are a DRAFT intended to allow UDAP implementers to perform preliminary checks of their implementations. Future versions of these tests may validate other requirements and may change how these are tested.
At this time, the test kit only supports testing server conformance to STU 1.0 of the HL7 UDAP IG, specifically requirements from the following sections:
- JSON Web Token (JWT) Requirements
- Discovery
- Dynamic Client Registration
- Consumer-Facing Authorization & Authentication
- Business-to-Business (B2B) Authorization & Authentication
Tiered OAuth for User Authentication is not a required capability and is not assessed.
This test kit also does not assess any client-side requirements.
Certificate Setup for Running Tests
Running the UDAP Dynamic Client Registration and Authorization tests requires X.509 certificates that the authorization server under test trusts. This test kit uses two categories of certificates:
- Client certificates: each represents one logical instance of a UDAP client interfacing with the authorization server. The test kit supports multiple logical clients, and each run of the Dynamic Client Registration tests needs a new logical client, i.e. a client certificate that has not been registered before.
- Signing certificate: the certificate used to issue and sign the client certificates. This is the certificate the authorization server must trust as a trust anchor.
Testers must provide their own client certificate(s) via the test inputs.
For the tests to pass, register your own signing certificate as a trust anchor with the authorization server under test; otherwise the server will reject the client certificates it issued and the registration and authorization tests will fail.
Reporting Issues
Please report any issues with this set of tests in the GitHub Issues section of the open-source code repository.