Clarification requested for 9.23 fine-grained scopes baseline when Single Patient API uses additional_patient_ids

[vs1785]

I’m looking for clarification on how 9.23 SMART App Launch with fine-grained scopes is intended to be executed when 10 Single Patient API (US Core 6.1.0) is run with multiple patients.

Read-only test run:
https://inferno.healthit.gov/suites/g10_certification/8HsUwWP6RzC/#9.23.1/view

What I ran:

• I ran the full suite through 10 Single Patient API (US Core 6.1.0).
• For 10, I used:
  • 1 launch patient
  • 3 additional_patient_ids
• 10 Single Patient API (US Core 6.1.0) completed successfully.
• My understanding from the suite wiring is that 10 uses the generic smart_auth_info exported by the earlier EHR Practitioner App, so the baseline run is using user/*.rs scope.
• Later, 9.23.1 Granular Scopes 1 performs a standalone launch with patient-level granular scopes.

Observed behavior:

• 9.23.1 appears to reuse baseline requests generated during 10.
• Those saved requests include requests for all 4 patients from the earlier Single Patient API run.
• During 9.23.1, Inferno then replays requests involving all 4 patients while using a patient-scoped granular token, which leads to failures.

Questions:

1. Is 9.23 intended to be run only after a prerequisite Single Patient API baseline that uses a single patient and no additional_patient_ids?
2. If Single Patient API is run with multiple patients to satisfy MUST SUPPORT coverage, what is the expected way to make 9.23 pass?
3. Is the expected workflow to use a separate Inferno session for 9.23, rerun the prerequisite Single Patient API with only the launch patient, and then run 9.23?
4. For 9.3 Token Revocation, there was no prompt in the test flow telling me to revoke the token during execution. Is the expectation that the tester manually revokes the token outside Inferno before submitting the 9.3 inputs?
5. For ONC certification, is it expected that the entire g10 test kit passes in one continuous run, or is it acceptable to use separate runs/sessions for scenarios in section 9 that require different setup?

Thanks.

[karlnaden]

The short answer is that you should update the requested granular scopes to be user-level, matching the level used during the single-patient API tests.

Specific answers to your questions follow - let us know if you need any additional clarifications.

1. Is 9.23 intended to be run only after a prerequisite Single Patient API baseline that uses a single patient and no additional_patient_ids?

No, it is not required that only a single patient be used.

2. If Single Patient API is run with multiple patients to satisfy MUST SUPPORT coverage, what is the expected way to make 9.23 pass?

Update the scopes requested during the granular scopes tests to be user-level granular scopes like those used during the single-patient API tests

3. Is the expected workflow to use a separate Inferno session for 9.23, rerun the prerequisite Single Patient API with only the launch patient, and then run 9.23?

No, you should update the requested granular scopes to be user-level so that the tests have access to all of the patients like they did in the single-patient API tests

4. For 9.3 Token Revocation, there was no prompt in the test flow telling me to revoke the token during execution. Is the expectation that the tester manually revokes the token outside Inferno before submitting the 9.3 inputs?

Yes, that is the expectation: run some other tests that involve issuing an access token, revoke the token, then run the revocation group making sure that the revoked token is listed in the “Revoked Bearer Token > Access Token” input.

5. For ONC certification, is it expected that the entire g10 test kit passes in one continuous run, or is it acceptable to use separate runs/sessions for scenarios in section 9 that require different setup?

You are expected to demonstrate the ability to pass all of the tests within one session. You are not expected to complete the whole suite in one run on that session. The testing lab that you work with on your certification should be able to provide you details on the exact process and expectations.