Using the Ruby client for server-side access to Cerner FHIR/Authorization endpoints

Daya

Oct 2, 2018, 11:51:57 AM
to Cerner FHIR Developers

Hello,


I am using the recommended Ruby client library for FHIR/OAuth2; the following are my app registration details:


Client Id: ea8c6477-cd97-4769-a791-2a91d7ad42b9

App Id: 5d7353a0-8d8d-4921-9596-2a41cbaee631

Redirect URI: https://localhost:3000/smart-on-fhir


App Type: provider

FHIR Spec: dstu2 - "https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca"

Authorized: true


Scopes: .....


This app is intended to be used by nurses to access patient data.


Here is a very simple Ruby script I use to test basic OAuth2 access to the Cerner sandbox, and here is the output showing the invalid_client error returned.


{"error":"invalid_client","error_uri":"https://authorization.sandboxcerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Atoken%3Ainvalid-authorization-header/instances/c6d8d822-3cc6-434f-9b25-fe00194b4814?client=unknown&tenant=0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca"}


Do I need a client_secret to successfully authenticate in the sandbox? If so, where can I find one?


I have also tried to use the 'dstu2' branch, and that doesn't seem to work out of the box; it complains about a missing 'fhir_models'.


Thanks in advance for your help.


Best Regards,

Daya

Max Philips (Cerner)

Oct 2, 2018, 12:08:55 PM
to Cerner FHIR Developers
Hello Daya,

That Ruby client library is not maintained by Cerner. You may want to get in contact with the code owners if you have questions about using different branches of the project.

I noticed that the script you posted is making a request to the fhir-myrecord endpoint - this is our patient access endpoint. If your app is intended for use by nurses you will want to use fhir-ehr for provider access.

Check out this documentation for using our authorized endpoints: https://fhir.cerner.com/authorization/

You'll need to register access scopes for your application, and make a request to our Authorization server with the access scopes you registered. The Authorization server will dispense an access token you can use for your FHIR server requests.

Thanks,
Max (Cerner)

Daya

Oct 2, 2018, 12:27:41 PM
to Cerner FHIR Developers
Hi Max,



Questions:
  1. Is this because client_secret is null/blank?
  2. Do I need client_secret for OAuth in sandbox?
  3. If I use client-side JavaScript for the OAuth dance and for accessing FHIR resources, will I need a client_secret? If yes, how can I secure it unless I use server-side code?
Thanks in advance.

Best Regards,
Daya

Daya

Oct 2, 2018, 1:27:44 PM
to Cerner FHIR Developers
Hi

Upon further debugging the "client unknown" issue when acquiring the access_token, I think the Cerner sandbox is not recognizing my registered app. Any ideas why?

I, [2018-10-02T12:15:39.294624 #26755]  INFO -- : Configuring the client to use OpenID Connect OAuth2 authentication.
I, [2018-10-02T12:15:40.156072 #26755]  INFO -- : post https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/token
D, [2018-10-02T12:15:40.156294 #26755] DEBUG -- request: User-Agent: "Faraday v0.12.2"
Content-Type: "application/x-www-form-urlencoded"
I, [2018-10-02T12:15:40.156435 #26755]  INFO -- Status: 401
D, [2018-10-02T12:15:40.156564 #26755] DEBUG -- response: www-authenticate: "Basic realm=\"CernerCare\""
access-control-allow-origin: "*"
access-control-allow-methods: "OPTIONS, POST"
access-control-allow-headers: "Content-Type, Authorization, Accept, Cerner-Correlation-Id"
cache-control: "no-store"
pragma: "no-cache"
cerner-correlation-id: "91a339f2-06b8-4767-8f6f-ed6df985ebef"
content-type: "application/json;charset=UTF-8"
content-length: "285"
date: "Tue, 02 Oct 2018 17:15:39 GMT"
server: "cloud_authorization_server1"
connection: "close"
strict-transport-security: "max-age=631138519; includeSubDomains"
OAuth2::Error: invalid_client:
{"error":"invalid_client","error_uri":"https://authorization.sandboxcerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Atoken%3Ainvalid-authorization-header/instances/91a339f2-06b8-4767-8f6f-ed6df985ebef?client=unknown&tenant=0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca"}


-daya

Jenni Syed (Cerner)

Oct 2, 2018, 2:15:17 PM
to Cerner FHIR Developers
Hi Daya,

Based on your trace below, I don't see the body, so it's hard to say explicitly *why* it's missing, but I suspect the POST body and/or authorization header is missing the required fields as described on our authorization documentation (and shown in examples). Specifically, at least your client id is missing, and there could be other pieces missing depending on the grant type the app is using. How is your application registered in the code console? Does it do access on behalf of a user (patient or provider type)? Or access on behalf of a system (system type)?

You can see the steps to register, and that there's an additional step required if your application requires offline_access (the only use case we support for confidential apps) or requires access on behalf of a system/without a user being logged in: https://fhir.cerner.com/authorization/#registration

Also, for future reference, we usually need just the correlation id (if an error from authorization) or the x-request-id (if an error on the FHIR server) to troubleshoot. If we need more info, we can reach out to you. This approach helps avoid posting sensitive information to public groups, especially once your app moves to prod :)

~ Jenni

Daya Sharma

Oct 2, 2018, 2:41:01 PM
to cerner-fhir...@googlegroups.com
Hi Jenni,

Thanks for your response. As mentioned earlier, the app is registered with App Type: provider; the app is designed for nurses to access patient data and receive reminders even without an active session.

The client_id is invisible because of log levels but is a part of the HTTP call.

Regards,
Daya

Daya

Oct 5, 2018, 6:42:41 PM
to Cerner FHIR Developers
Hi Jenni,

Could you please confirm that the OAuth2 implementation of Cerner SMART on FHIR does not use client_secret at all, and that only client_id is required? That's what I see in many examples, including this one, https://github.com/cerner/smart-on-fhir-tutorial, where client_secret is not used at all.

Regards,
~Daya

Jenni Syed (Cerner)

Oct 12, 2018, 2:49:38 PM
to Cerner FHIR Developers
Hi Daya,

We only use the confidential client workflow for patient offline_access. You can see this question called out in the FAQ on the authorization page (as well as mentioned in the registration section): https://fhir.cerner.com/authorization/#frequently-asked-questions

For public apps (applications that do not have server-side calls/capabilities to protect secrets), the secret does not provide value for an application.

~ Jenni
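Pulling the two Cerner replies together (the token request has to carry the client's identity in the form its grant type expects, and a public app has no secret to protect), here is an added Ruby example. It is not code from the thread, from Cerner or from the Ruby client library Daya used. The tenant id, provider FHIR base, token URL and error body are the ones quoted above; the authorize URL is a placeholder (a real app reads it from the FHIR server's conformance statement), and the scopes, authorization code and client secret are constructed sample values.

```ruby
# Added example, not code from the thread, from Cerner or from the Ruby client
# library. It shows the two request shapes a SMART on FHIR token endpoint
# accepts (public client: client_id in the form body; confidential client:
# HTTP Basic header) and reduces an "invalid_client" error body to the fields
# support asks for. No network calls are made.
require "base64"
require "cgi"
require "json"
require "securerandom"
require "uri"

# Values quoted in the thread: sandbox tenant, provider FHIR base, token URL.
TENANT_ID = "0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca"
FHIR_BASE = "https://fhir-ehr.sandboxcerner.com/dstu2/#{TENANT_ID}"
TOKEN_URL = "https://authorization.sandboxcerner.com/tenants/#{TENANT_ID}/protocols/oauth2/profiles/smart-v1/token"
# Assumption: the authorize endpoint is discovered from the FHIR server's
# conformance statement at run time; this placeholder stands in for it.
AUTHORIZE_URL = "https://authorization.example.invalid/authorize"

# Step 1: SMART standalone-launch authorization request. `aud` must be the
# FHIR base URL the app will call; `state` is a nonce the redirect handler
# must compare against what it stored. Returns [url, state].
def build_authorize_url(client_id:, redirect_uri:, scopes:, aud: FHIR_BASE,
                        authorize_url: AUTHORIZE_URL, state: SecureRandom.hex(16), launch: nil)
  params = {
    "response_type" => "code",
    "client_id"     => client_id,
    "redirect_uri"  => redirect_uri,
    "scope"         => scopes.join(" "),
    "state"         => state,
    "aud"           => aud
  }
  params["launch"] = launch if launch # EHR launch only
  uri = URI(authorize_url)
  uri.query = URI.encode_www_form(params)
  [uri.to_s, state]
end

# Step 2: authorization-code exchange. Returns [headers, form_body].
# Public client (no secret): client_id goes in the body (RFC 6749 s3.2.1).
# Confidential client: HTTP Basic with form-urlencoded id and secret (s2.3.1);
# client_id is then left out of the body so only one method is used.
# A request with neither is what the thread's trace shows being rejected.
def build_token_request(code:, redirect_uri:, client_id:, client_secret: nil)
  headers = {
    "Content-Type" => "application/x-www-form-urlencoded",
    "Accept"       => "application/json"
  }
  body = {
    "grant_type"   => "authorization_code",
    "code"         => code,
    "redirect_uri" => redirect_uri
  }
  if client_secret
    cred = "#{CGI.escape(client_id)}:#{CGI.escape(client_secret)}"
    headers["Authorization"] = "Basic #{Base64.strict_encode64(cred)}"
  else
    body["client_id"] = client_id
  end
  [headers, body]
end

# Step 3: reduce a token-endpoint error body to what support needs. The
# error_uri path carries a URN error code and an instance id; in the trace
# posted above the instance id equals the cerner-correlation-id header.
def summarize_token_error(status:, body_json:)
  err = JSON.parse(body_json)
  uri = URI(err.fetch("error_uri"))
  query = URI.decode_www_form(uri.query.to_s).to_h
  after_errors = uri.path.split("/errors/", 2).last.to_s
  code, instance = after_errors.split("/instances/", 2)
  {
    status:      status,
    error:       err["error"],
    error_code:  CGI.unescape(code.to_s),
    instance_id: instance,
    client:      query["client"],
    tenant:      query["tenant"]
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; the client id and redirect URI are the ones from the thread.
  url, _state = build_authorize_url(client_id: "ea8c6477-cd97-4769-a791-2a91d7ad42b9",
                                    redirect_uri: "https://localhost:3000/smart-on-fhir",
                                    scopes: %w[launch/patient patient/Patient.read openid profile])
  puts url
  headers, body = build_token_request(code: "code-from-redirect",
                                      redirect_uri: "https://localhost:3000/smart-on-fhir",
                                      client_id: "ea8c6477-cd97-4769-a791-2a91d7ad42b9")
  puts "POST #{TOKEN_URL}", headers.inspect, URI.encode_www_form(body)
end
```

For a provider app that also needs to work "without an active session", as Daya describes, the thread's answer still applies: Cerner only issues the confidential-client flow for patient offline_access, so a nurse-facing public app authenticates with client_id alone and must re-run the launch when its token expires.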