onc-certification-g10-test-kit

For token revocation testing - allow the tester to select which access token they are testing

Open cooperthompson opened this issue 2 years ago • 1 comments

When doing g10 testing, there are two tokens issued to patient apps:

  1. From the Standalone Patient App step (step #1)
  2. From the Limited Access App (step #2)

Later, when demonstrating token revocation (step 9.3), Inferno assumes and pre-populates the token from step 1. However, systems may have revoked that token already when issuing the limited access app token (from what I can tell, auth servers are not prohibited from revoking access tokens if a subsequent auth code flow issues a more restricted token).

It would be useful if Inferno let the user select which of the two access tokens should be used when performing the revocation test.

There is a workaround, where the user can just re-run step 1 to stage the token for revocation testing, but that is a little awkward in the overall testing flow.

cooperthompson, Jan 24 '23 19:01

We agree that this could be improved and are considering various options.

Jammjammjamm, Jan 25 '23 18:01