Fix asymmetric invalid refresh token test (#741)

Author: abhinandan2012

lib/onc_certification_g10_test_kit/smart_invalid_token_refresh_test.rb

@@ -1,4 +1,6 @@
 module ONCCertificationG10TestKit
+  require 'smart_app_launch/client_assertion_builder'
+
   class SMARTInvalidTokenRefreshTest < Inferno::Test
     id :g10_invalid_token_refresh
     title 'Refresh token exchange fails when supplied an invalid refresh token'
@@ -26,6 +28,17 @@ class SMARTInvalidTokenRefreshTest < Inferno::Test
       if smart_auth_info.symmetric_auth?
         credentials = Base64.strict_encode64("#{smart_auth_info.client_id}:#{smart_auth_info.client_secret}")
         oauth2_headers['Authorization'] = "Basic #{credentials}"
+      elsif smart_auth_info.asymmetric_auth?
+        oauth2_params.merge!(
+          client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+          client_assertion: SMARTAppLaunch::ClientAssertionBuilder.build(
+            iss: smart_auth_info.client_id,
+            sub: smart_auth_info.client_id,
+            aud: smart_auth_info.token_url,
+            client_auth_encryption_method: smart_auth_info.encryption_algorithm,
+            custom_jwks: smart_auth_info.jwks
+          )
+        )
       else
         oauth2_params['client_id'] = smart_auth_info.client_id
       end

spec/onc_certification_g10_test_kit/smart_invalid_token_refresh_test_spec.rb

@@ -40,6 +40,46 @@
     expect(result.result).to eq('pass')
   end
 
+  context 'with asymmetric authentication' do
+    let(:default_inputs) do
+      {
+        smart_auth_info: Inferno::DSL::AuthInfo.new(
+          token_url: 'http://example.com/token',
+          client_id: 'CLIENT_ID',
+          client_secret: 'CLIENT_SECRET',
+          refresh_token: 'REFRESH_TOKEN',
+          auth_type: 'asymmetric',
+          jwks: 'JWKS',
+          encryption_algorithm: 'ES384'
+        ),
+        received_scopes: 'offline_access'
+      }
+    end
+
+    it 'uses a client assertion' do
+      stub_request(:post, default_inputs[:smart_auth_info].token_url)
+        .with do |request|
+          params = URI.decode_www_form(request.body).to_h
+          params['client_assertion'] == 'CLIENT_ASSERTION' &&
+            params['client_assertion_type'] == 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
+        end
+        .to_return(status: 400)
+
+      allow(SMARTAppLaunch::ClientAssertionBuilder).to receive(:build).and_return('CLIENT_ASSERTION')
+
+      result = run(test, default_inputs)
+
+      expect(result.result).to eq('pass')
+      expect(SMARTAppLaunch::ClientAssertionBuilder).to have_received(:build).with(
+        iss: 'CLIENT_ID',
+        sub: 'CLIENT_ID',
+        aud: 'http://example.com/token',
+        client_auth_encryption_method: 'ES384',
+        custom_jwks: 'JWKS'
+      )
+    end
+  end
+
   it 'passes if the token request returns a 401' do
     stub_request(:post, default_inputs[:smart_auth_info].token_url)
       .to_return(status: 401)