derivation of ".well-known/openid-configuration" url


jog

Jun 9, 2017, 1:42:05 PM6/9/17
to Cerner FHIR Developers
How do I derive the URL of the ".well-known/openid-configuration" endpoint for openid info?

The Cerner Millennium Authorization documentation says I can just take the iss url in the decoded access_token, and it works with the example url ("https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/oidc/idsps/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/"), but the URL being returned by the sandbox is "https://authorization.sandboxcerner.com/". Is that consistent with production URLs? Do I just do something like "{iss}/tenants/{tenant}/oidc/idsps/{tenant}/.well-known/openid-configuration"?

Thanks!

Matt Randall (Cerner)

Jun 13, 2017, 11:20:42 AM6/13/17
to Cerner FHIR Developers
The latter value you described is the issuer conveyed within our access tokens, and is an internal detail to our implementation. The former value you described is the issuer contained in the identity tokens that we issue, which is a public contract. Can you confirm you're looking in the identity_token, and not the access_token?

jog

Jun 23, 2017, 2:34:52 PM6/23/17
to Cerner FHIR Developers
I'm not getting an identity_token back, just an access_token.

I'm requesting the following scopes:

  • patient/Patient.read
  • user/Patient.read
  • patient/Practitioner.read
  • user/Practitioner.read
  • launch/patient
  • openid
  • profile
  • online_access

Michele Mottini

Jun 23, 2017, 2:42:25 PM6/23/17
to Cerner FHIR Developers
'id_token'

  - Michele
  CareEvolution Inc

jog

Jun 23, 2017, 3:02:13 PM6/23/17
to Cerner FHIR Developers
Thanks, but I'm not getting 'id_token' either

This is what the response I'm getting looks like:

{
    "access_token": "[base64]",
    "refresh_token": "[base64]",
    "patient": "4342010",
    "scope": "patient/Patient.read user/Patient.read patient/Practitioner.read user/Practitioner.read online_access",
    "token_type": "Bearer",
    "expires_in": 570
}

Michele Mottini

Jun 23, 2017, 3:12:17 PM6/23/17
to Cerner FHIR Developers
Sorry, don't know then. Double and triple check that you are sending 'openid profile' in the scopes.

  - Michele
  CareEvolution Inc

Jenni Syed (Cerner)

Jun 23, 2017, 3:31:08 PM6/23/17
to Cerner FHIR Developers
Do you happen to have the correlation id for one of your authorization responses (should be returned in a header)?

jog

Jun 23, 2017, 3:34:46 PM6/23/17
to Cerner FHIR Developers
Jenni,

Yes, here's a correlation id I just grabbed: c8cd662f-98f5-4398-89f3-5a0b950a8689

jog

Jun 23, 2017, 3:35:37 PM6/23/17
to Cerner FHIR Developers
That's just the initial request -- I don't have one from the completion POST to the token URI. I can grab that if that's what you need.

Jenni Syed (Cerner)

Jun 23, 2017, 3:50:01 PM6/23/17
to Cerner FHIR Developers
I can't find that correlation for some reason - but the only requests I see from today requesting practitioner read scopes don't include the full list of scopes you have above: the profile and openid scopes are missing, and the other scopes don't seem to be there (also note: the app shouldn't request both a user/Resource and a patient/Resource scope for the same resource - they conflict).

I also don't see the launch/patient scope mentioned as a granted scope in the response you posted, which seems weird :)

Finally, double-check that your app profile in the code console shows that you have all those scopes granted for your application (especially launch/patient if that's the type of launch your application is doing).

If you can't get it working - post your app id and we can try to track down the specific instances.

~ Jenni

jog

Jun 27, 2017, 10:15:53 AM6/27/17
to Cerner FHIR Developers
Just tried only requesting patient/read, not user/read, and still didn't get an identity token. Wanted to check that to see if it was because I was requesting conflicting scopes.

If you could look me up by the application Id, that'd be super helpful. Currently running against sandbox.

App id is 922e749e-21ea-4eed-9011-a8c8c8bd5542

Thanks!

Matt Randall (Cerner)

Jun 28, 2017, 3:06:10 PM6/28/17
to Cerner FHIR Developers
We don't currently have OpenID Connect enabled for patient workflows - I don't have an ETA yet for when it will be enabled in sandbox, unfortunately.

jog

Jun 28, 2017, 5:01:24 PM6/28/17
to Cerner FHIR Developers
I don't need the patient workflow -- just physician. The application we're working on is physician facing so I set my App Type to Provider.

Jenni Syed (Cerner)

Jun 29, 2017, 10:18:06 AM6/29/17
to Cerner FHIR Developers
The application is calling the incorrect authorization URL. It should be discovering that URL from the FHIR server metadata endpoint, rather than hardcoding.

What iss is your application passed when launched from the code console?

Also, launch/patient is an invalid scope for provider workflows. You need to use launch scope instead.

~ Jenni

jog

Jul 6, 2017, 1:57:46 PM7/6/17
to Cerner FHIR Developers
Yup, looks like that was the problem. I wasn't using the ISS passed in. Thanks! Will post again if I have any other issues.

jog

Jul 6, 2017, 2:10:22 PM7/6/17
to Cerner FHIR Developers
Getting id_token now, but still receiving the same ISS in the decoded "id_token", so I'm not sure how to derive the openid config URL based on the instructions from the docs.

Following the instructions, which appear to be "append .well-known/openid-configuration to the iss", I get "https://authorization.sandboxcerner.com/.well-known/openid-configuration". Just getting a 404 there.

Decoded id token looks like this:

{
    "sub": "portal",
    "urn:com:cerner:authorization:claims": {
        "ver": "1.0",
        "tnt": "0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca",
        "azs": "openid profile online_access"
    },
    "azp": "5bb9906e-9c92-413b-a7eb-67cf0a55f93d",
    "iss": "https://authorization.sandboxcerner.com/",
    "exp": 1499364202,
    "iat": 1499363602,
    "jti": "9e5f528c-3308-43cd-b640-c610f2bf07c0",
    "urn:cerner:authorization:claims:version:1": {
        "ver": "1.0",
        "profiles": {
            "smart-v1": {
                "azs": "openid profile online_access"
            }
        },
        "client": {
            "name": ----,
            "id": ----
        },
        "user": {
            "principal": "portal",
            "persona": "provider",
            "idsp": "0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca",
            "principalUri": "https://millennia.sandboxcerner.com/instance/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/principal/0000.0000.0044.1D87",
            "idspUri": "https://millennia.sandboxcerner.com/accounts/fhirplay.temp_rho.cernerasp.com/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/login"
        },
        "tenant": "0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca"
    }
}

Jenni Syed (Cerner)

Jul 6, 2017, 2:47:26 PM7/6/17
to Cerner FHIR Developers
Hi,

That looks like the access token, not the id_token. The id_token comes back in a separate parameter.

E.g., requesting scopes: openid profile launch patient/Patient.read

"id_token"="eyJraWQiOiIyMDE3LTA3LTA2VDE1OjM0OjUzLjUzMy5yc2EiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvYXV0aG9yaXphdGlvbi5zYW5kYm94Y2VybmVyLmNvbVwvdGVuYW50c1wvMGI4YTAxMTEtZThlNi00YzI2LWE5MWMtNTA2OWNiYzZiMWNhXC9vaWRjXC9pZHNwc1wvMGI4YTAxMTEtZThlNi00YzI2LWE5MWMtNTA2OWNiYzZiMWNhXC8iLCJzdWIiOiJwb3J0YWwiLCJhdWQiOiJmaGlyLWxvY2FsIiwiZXhwIjoxNDk5MzY3MTY5LCJpYXQiOjE0OTkzNjY1NjksInByb2ZpbGUiOiJodHRwczpcL1wvZmhpci1laHIuc2FuZGJveGNlcm5lci5jb21cL2RzdHUyXC8wYjhhMDExMS1lOGU2LTRjMjYtYTkxYy01MDY5Y2JjNmIxY2FcL1ByYWN0aXRpb25lclwvNDQ2NDAwNyJ9.WSbkZarHuDmZAw-BuGf6QXkLkyHg-Hpza_JU4Zr6p6w9w4L7HmASVlGauBATMVvMVq1W5x6V6BvDVVAAWkWp-MpkD-8DN00UYzUaJt3XGjQ-FiLgliArdwAt_N97AXNjXqDPoB35-wE8iznBqwD6AXDFBbDFeYZs6oIXVzKER5zZnZZGiwDEsONc9pL_991HjsDPlqvKRkI_8811Ftxf-TdrIXaxjTHWw7bFbxgYDZEKDZpFi8B0lVuG-byl6iyc2Y07RcePCnx8hAwZDh4qba5VR9GptMXsF26xYGHCEOG-XrxXe1-NbtDh5wnPrkeHOAXghrgpr8SYDtDHe6fprQ"


Which is:


Looking at your token above, it looks like the app may not have requested any of the SMART scopes (launch). This scope has to be sent in order for the profile to be returned, so that context can be passed.

This is a limitation we want to remove in the future, but it can't be removed yet.

Note: the app also has to pass in the launch parameter when requesting the launch scope, this parameter is sent to the application when it's launched from the code console.
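
To make the distinction in this thread concrete, here is an added example (not code from the thread or from Cerner) that decodes the id_token Jenni posted, reads its tenant-scoped iss, and builds the discovery URL the way OpenID Connect Discovery prescribes; it also refuses to derive a URL when the iss is the bare-host value seen in the access token. It assumes the app has the expected issuer on record from its own configuration, and it only parses the token, it does not verify the signature.

```python
import base64
import json

# The id_token quoted above in this thread (value taken from the page). Its
# signature is not checked here; the claims are used only to find the issuer.
ID_TOKEN = (
    "eyJraWQiOiIyMDE3LTA3LTA2VDE1OjM0OjUzLjUzMy5yc2EiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9."
    "eyJpc3MiOiJodHRwczpcL1wvYXV0aG9yaXphdGlvbi5zYW5kYm94Y2VybmVyLmNvbVwvdGVuYW50c1wvMGI4YTAxMTEtZThlNi00YzI2LWE5MWMtNTA2OWNiYzZiMWNhXC9vaWRjXC9pZHNwc1wvMGI4YTAxMTEtZThlNi00YzI2LWE5MWMtNTA2OWNiYzZiMWNhXC8iLCJzdWIiOiJwb3J0YWwiLCJhdWQiOiJmaGlyLWxvY2FsIiwiZXhwIjoxNDk5MzY3MTY5LCJpYXQiOjE0OTkzNjY1NjksInByb2ZpbGUiOiJodHRwczpcL1wvZmhpci1laHIuc2FuZGJveGNlcm5lci5jb21cL2RzdHUyXC8wYjhhMDExMS1lOGU2LTRjMjYtYTkxYy01MDY5Y2JjNmIxY2FcL1ByYWN0aXRpb25lclwvNDQ2NDAwNyJ9."
    "WSbkZarHuDmZAw-BuGf6QXkLkyHg-Hpza_JU4Zr6p6w9w4L7HmASVlGauBATMVvMVq1W5x6V6BvDVVAAWkWp-MpkD-8DN00UYzUaJt3XGjQ-FiLgliArdwAt_N97AXNjXqDPoB35-wE8iznBqwD6AXDFBbDFeYZs6oIXVzKER5zZnZZGiwDEsONc9pL_991HjsDPlqvKRkI_8811Ftxf-TdrIXaxjTHWw7bFbxgYDZEKDZpFi8B0lVuG-byl6iyc2Y07RcePCnx8hAwZDh4qba5VR9GptMXsF26xYGHCEOG-XrxXe1-NbtDh5wnPrkeHOAXghrgpr8SYDtDHe6fprQ"
)

# Issuer seen inside the *access* token in this thread: an internal detail,
# not a discovery base (appending .well-known to it gives the 404 reported above).
ACCESS_TOKEN_ISS = "https://authorization.sandboxcerner.com/"


def jwt_payload(token: str) -> dict:
    """Return the claims segment of a compact JWS as a dict.

    This is base64url decoding only, not validation. The result is good for
    locating the issuer's discovery document; iss, aud, exp and the signature
    must still be verified against the keys at that document's jwks_uri
    before any claim is trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def discovery_url(iss: str) -> str:
    """OpenID Connect Discovery: strip the issuer's trailing slash and append
    /.well-known/openid-configuration (works for path-bearing issuers too)."""
    return iss.rstrip("/") + "/.well-known/openid-configuration"


def id_token_discovery_url(id_token: str, expected_iss: str) -> str:
    """Derive the discovery URL from an id_token, refusing a token whose iss
    differs from the issuer the app was configured for. This catches the
    mix-up in this thread (decoding the access_token, whose iss is the bare
    host) and issuer-substitution in general."""
    iss = jwt_payload(id_token)["iss"]
    if iss != expected_iss:
        raise ValueError(f"unexpected issuer {iss!r}, expected {expected_iss!r}")
    return discovery_url(iss)
```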

jog

Jul 24, 2017, 3:26:34 PM7/24/17
to Cerner FHIR Developers
Just got back to this and yup, you are totally right. I was using the wrong token.

I switched to using the ID token and have been able to get this whole thing actually working. I also stopped dealing with it at such a low level and started using Microsoft's identity model implementation (didn't realize that covered this -- totally makes sense, just including that in case any other .NET devs are reading this later).

Super appreciative of your help -- the last thing I'm trying to figure out is how to get the patient ID that was selected during launch.

jog

Jul 24, 2017, 3:32:30 PM7/24/17
to Cerner FHIR Developers
Got it, just had to add the "launch" scope back in.