Process of Testing the Client App from UDAP Test Tool


sandeep wagdargi

Jul 11, 2024, 5:44:55 AM
to UDAP
Hello All,

We are also trying to do the Client App Tests.

We have been provided test numbers 3, 5 and 7 to complete. We are trying to test both the client_credentials flow and JWT-based authentication.

Below are the things we are not getting and need more understanding of:

1) What are these IP addresses: Client IP and User IP?
    1.1) Client IP -
        1.1.1) Is it the IP address where our Client Application will be running?
            If so, then what port should it be running on, and how will the UDAP Test Tool know it is running on that port and trigger the /.well-known/udap endpoint mentioned in https://www.udap.org/udap-dynamic-client-registration.html, point 1?

            Let's suppose our client application is running on x.x.x.x:4200 and we provide only the IP in the Client IP field; then how will the UDAP Test Tool trigger
            the /.well-known/udap endpoint from our application, and how will it know it is running on port 4200?

            Please provide more clarification here.

        1.1.2) The Client IP field is not accepting the private IP address where our application is running on my local machine.
            Should that Client IP address be made public, or should the application run on a server and that server's IP be made public?

            1.1.2.1) Basically, what is the IP address we should be providing?
            1.1.2.2) Is it the IP the client application is running on, or the server IP where the application will be running as localhost:4200?

            Please provide more clarification here.
    1.2) User IP -
        1.2.1) What is the IP address we should provide here?
        1.2.2) Is it the IP address where our server is running? Or
        1.2.3) Will the UDAP Test Tool work as the authorization server and validate the server-side functionality, so that we do not need to provide the User IP?

Please do the needful, as we are trying to do the certification and we are new to this; hoping for a quick response.

Thanks,
Sandeep

UDAP

Jul 11, 2024, 12:03:05 PM
to UDAP
Hello Sandeep,
You definitely need to be entering public/external IP addresses. The Client IP is the address from which your client connects to the token endpoint. The User IP is the address from which your user session connects to the authorization endpoint. Depending on your deployment model, it may or may not be the same as the client IP.

sandeep wagdargi

Jul 12, 2024, 2:03:50 AM
to UDAP
Hi,

Thank you for the quick response.
We are still not clear about point 1.1.1. Can you please elaborate a bit on how that trigger happens from the UDAP Test Tool to our application, so that our client application will call the /.well-known/udap endpoint? Does anything need to be configured here? On clicking Start, how does the /.well-known/udap endpoint call go out from our client application? That linking we are not getting, and similarly for the authorization endpoint call. Is there any port defaulting we need to do when running our client application?

Please provide more clarity on this.

Thanks,
Sandeep

UDAP

Jul 15, 2024, 11:12:20 AM
to UDAP
Hello Sandeep,

How you launch your client application after starting the test is up to you. 

If you are doing a client test, it's your responsibility to perform the client role--including calling the /.well-known/udap endpoint for a server. You do so after clicking the "Start" button to run the test. There is no additional configuration beyond the parameters the tool needs to know and the instructions written on the page.

The source port from which you connect does not matter. You only need to enter the source IP address in the form, without the port.

Thank you,
The UDAP Team

sandeep wagdargi

Aug 7, 2024, 8:51:54 AM
to UDAP
Hi Team,

Thank you for the quick response. We understood the above part.
Now we are trying to implement the functionality and have these doubts; please clarify.

1. Test 3: Trusted dynamic client registration

After clicking Start, the client application retrieves metadata from the following FHIR server and performs UDAP Trusted Dynamic Client registration at its registration endpoint by submitting a software statement signed with the private key corresponding to the app's UDAP test certificate.

FHIR Base URL: https://test.udap.org/fhir/r4/stage

As per the above test case, we tried to retrieve the metadata from the well-known endpoint:
https://test.udap.org/fhir/r4/stage/.well-known/udap

and we see a response containing only the data below:
{
"authorization_endpoint": "https://test.udap.org/oauth/stage/authz",
"token_endpoint": "https://test.udap.org/oauth/stage/token",
"registration_endpoint": "https://test.udap.org/oauth/stage/register"
}

But when we look at the server metadata and supported metadata elements (community may include),
for reference: https://www.udap.org/udap-server-metadata.html

we found that the fields below are missing:
x5c
udap_versions_supported
udap_profiles_supported
udap_certifications_supported
udap_certifications_required
udap_authorization_extensions_supported
udap_authorization_extensions_required
grant_types_supported
scopes_supported
signed_endpoints - (If the server includes an authorization endpoint, token endpoint, or registration endpoint element in its metadata,
then it SHOULD also include the signed_endpoints element as a signed JWT containing the following claims: iss, sub, exp, iat, jti, authorization_endpoint, token_endpoint, registration_endpoint)
token_endpoint_auth_methods_supported
token_endpoint_auth_signing_alg_values_supported
registration_endpoint_jwt_signing_alg_values_supported

So, our question here is:
1. Are we retrieving the proper well-known endpoint, or is there any other endpoint hosted that provides the above details, so as to do the client-side validation before making requests to the authorization, token or registration endpoints?

We understand that the server has the capability to define the optionality of the elements by not specifying them, but there are a few fields which we may need to proceed with the functionality, and some are kind of mandatory, like:

udap_profiles_supported
grant_types_supported
scopes_supported
signed_endpoints
token_endpoint_auth_methods_supported
token_endpoint_auth_signing_alg_values_supported
registration_endpoint_jwt_signing_alg_values_supported

2. Test 5: Client Authentication using client_secret (authorization code flow)

After clicking Start, the client application redirects the user's agent to the authorization endpoint for the following FHIR server using the client_id obtained during manual registration, then exchanges the authorization code for an access token using the client_secret obtained during manual registration. Note: This test covers only basic OAuth 2.0 functionality for authorization code flow for apps that do not yet support UDAP Dynamic Client Registration or UDAP JWT-Based Client Authentication. If you do not already have a client_id and client_secret, click here to manually register your app.

FHIR Base URL: https://test.udap.org/fhir/r4/stage
Sign In Username: udapuser
Sign In Password: udapudap

Is this implementation required for us, as we are trying to support UDAP Dynamic Client Registration or UDAP JWT-Based Client Authentication?

Kindly provide the clarifications for the above mentioned queries.

Thank you,
Sandheep

Julie Maas

Aug 7, 2024, 12:58:39 PM
to UDAP
1. Please let us know which elements you are interpreting as mandatory, as the test tool is deemed compliant with the UDAP Server Metadata SHALL requirements as of this time.
2. Correct - if you are only supporting trusted workflows Test 5 would not be relevant, though if you are completing an accreditation program that relies on this test being completed as a prerequisite to the more advanced tests, you may need to manually register your app with the test tool to test client secret nonetheless.
