Advanced Testing

azuma mimoto provides advanced testing capabilities for the gematik IDP, including:

User selection
Scope selection (essentially allowing to test scope decline cases)
Health-ID override
...

Advanced testing capabilities are currently available on the TU and RU environments for the Web-Flow and can be used via API.

Web-Flow: Enable advanced testing

To enabled advanced testing, the following query parameter needs to be included in the initial auth call: gematik_show_testing_ui=true

The auth URL should look like this:

https://mimoto-test.pie.azuma-health.tech/connect/auth
    ?client_id=*your application id*
    &redirect_uri=*your redirect url*
    &response_type=code
    &scope=*your requested scopes*
    &state=*your state*
    &code_challenge=*your code challenge*
    &code_challenge_method=S256
    &response_mode=query
    &gematik_show_testing_ui=true

Hint

You can navigate to https://mimoto-react-examples.azuma-health.tech/oidc-live and use the button: Login in (With testing UI).

Web-Flow: Advanced testing UI

Once enabled, the idp selection page will include the following block:

Parameters

Login User: The user, which should be logged in, can be selected here. The list contains pre-defined users that are available in the gematik IDP.
Selected Scopes: Scopes, that should be declined, can be deselected here. E.g.: if email should not be returned in the ID token, the scope urn:telematik:email should be deselected.
Scope Decline Mode:
- Remove claims (RemoveClaims): Claims, that belong to declined scopes, will be completely removed from ID token.
- Add empty claims (AddEmptyClaims): Claims, that belong to declined scopes, will be added with empty value to ID token.
Granted Scope Mode: Specifies, how the scope claim of the Access Token is populated
- Include all requested scopes (IncludeAllRequested): All the initially requested scopes are added to the scope claim
- Only include selected scopes (IncludeOnlySelected): Only the scopes selected above are included in the scope claim
Override Health-ID: This can be used to override the health ID to the provided value.

Using the API

In testing scenarios, it might be reasonable to start the auth call via API while providing certain test parameters. The mentioned testing parameters above can be provided in the auth call as follows:

Login User (once): gematik_login_user
Selected Scopes (per selected scope): gematik_selected_scopes
Scope Decline Mode (once): gematik_scope_decline_mode with values RemoveClaims or AddEmptyClaims
Override Health-ID (once): gematik_override_health_id

The overall request should look like this:

https://mimoto-test.pie.azuma-health.tech/connect/auth
    ?client_id=*your application id*
    &redirect_uri=*your redirect url*
    &response_type=code
    &scope=*your requested scopes*
    &state=*your state*
    &code_challenge=*your code challenge*
    &code_challenge_method=S256
    &response_mode=query
    &gematik_enable_testing=true
    &provider=https://gsi.dev.gematik.solutions
    &gematik_login_user=*value*
    &gematik_selected_scopes=*value*
    &gematik_selected_scopes=*value*
    &gematik_scope_decline_mode=*value*
    &gematik_override_health_id=*value*
    &gematik_granted_scope_mode=*value*

Example 1

Login User 'C420797644' and accept only scope urn:telematik:email while requesting all available scopes. This would remove claims from all other scopes from the ID token.

https://mimoto-test.pie.azuma-health.tech/connect/auth
    ?client_id=*your application id*
    &redirect_uri=*your redirect url*
    &response_type=code
    &scope=urn:telematik:alter urn:telematik:display_name urn:telematik:email urn:telematik:geschlecht urn:telematik:geburtsdatum urn:telematik:given_name urn:telematik:versicherter openid
    &state=*your state*
    &code_challenge=*your code challenge*
    &code_challenge_method=S256
    &response_mode=query
    &gematik_enable_testing=true
    &provider=https://gsi.dev.gematik.solutions
    &gematik_enable_testing=true
    &gematik_login_user=C420797644
    &gematik_scope_decline_mode=RemoveClaims
    &gematik_selected_scopes=openid
    &gematik_selected_scopes=urn:telematik:email

Example 2

Login User 'C420797644' and accept only scope urn:telematik:versicherter while requesting all available scopes. This would add claims from all other scopes with empty value in ID token.

https://mimoto-test.pie.azuma-health.tech/connect/auth
    ?client_id=*your application id*
    &redirect_uri=*your redirect url*
    &response_type=code
    &scope=urn:telematik:alter urn:telematik:display_name urn:telematik:email urn:telematik:geschlecht urn:telematik:geburtsdatum urn:telematik:given_name urn:telematik:versicherter openid
    &state=*your state*
    &code_challenge=*your code challenge*
    &code_challenge_method=S256
    &response_mode=query
    &gematik_enable_testing=true
    &provider=https://gsi.dev.gematik.solutions
    &gematik_enable_testing=true
    &gematik_login_user=C420797644
    &gematik_scope_decline_mode=AddEmptyClaims
    &gematik_selected_scopes=openid
    &gematik_selected_scopes=urn:telematik:versicherter

Example 3

Login User 'C420797644' and accept scopes urn:telematik:email and urn:telematik:versicherter while requesting all available scopes. Override Health-ID with value "ABC-Test-1".

https://mimoto-test.pie.azuma-health.tech/connect/auth
    ?client_id=*your application id*
    &redirect_uri=*your redirect url*
    &response_type=code
    &scope=urn:telematik:alter urn:telematik:display_name urn:telematik:email urn:telematik:geschlecht urn:telematik:geburtsdatum urn:telematik:given_name urn:telematik:versicherter openid
    &state=*your state*
    &code_challenge=*your code challenge*
    &code_challenge_method=S256
    &response_mode=query
    &gematik_enable_testing=true
    &provider=https://gsi.dev.gematik.solutions
    &gematik_login_user=C420797644
    &gematik_selected_scopes=openid
    &gematik_selected_scopes=urn:telematik:email
    &gematik_selected_scopes=urn:telematik:versicherter
    &gematik_scope_decline_mode=RemoveClaims
    &gematik_override_health_id=ABC-Test-1

Example 4

Login User 'C420797644' and accept scopes urn:telematik:email and urn:telematik:versicherter while requesting all available scopes. Also define that the scopes in Access Token should be adjusted to only include the requested scopes.

https://mimoto-test.pie.azuma-health.tech/connect/auth
    ?client_id=*your application id*
    &redirect_uri=*your redirect url*
    &response_type=code
    &scope=urn:telematik:alter urn:telematik:display_name urn:telematik:email urn:telematik:geschlecht urn:telematik:geburtsdatum urn:telematik:given_name urn:telematik:versicherter openid
    &state=*your state*
    &code_challenge=*your code challenge*
    &code_challenge_method=S256
    &response_mode=query
    &gematik_enable_testing=true
    &provider=https://gsi.dev.gematik.solutions
    &gematik_login_user=C420797644
    &gematik_selected_scopes=openid
    &gematik_selected_scopes=urn:telematik:email
    &gematik_selected_scopes=urn:telematik:versicherter
    &gematik_scope_decline_mode=RemoveClaims
    &gematik_override_health_id=ABC-Test-1
    &gematik_granted_scope_mode=IncludeOnlySelected

Available Users

Please see: https://github.com/gematik/app-gemSekIdp/blob/main/gsi-server/src/main/resources/versicherte.gesundheitsid.json

Advanced Testing

Web-Flow: Enable advanced testing​

Web-Flow: Advanced testing UI​

Parameters​

Using the API​

Example 1​

Example 2​

Example 3​

Example 4​

Available Users​