Not able to generate token on cerner fhir

[Vijay Amirtharaj Xavier]

Hi

I am not able to generate the Token from cerner using POSTMAN.

Below is the details what I used on my POSTMAN.

My Client ID : 53c6f356-b9b5-4c34-855a-f2b538ae44c4

Token Url : https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token

Auth Url : https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/personas/provider/authorize

Redirect Url : https:/localhost:8080

Scope : system%2FObservation.read%20system%2FPatient.read

Grant Type : Authorization Code

====================BUT I AM GETTING ERROR ============

"MyApp" was attempting to request access to healthcare data with Abilities Center (C1941); unfortunately, the application doesn't appear to be compatible. If you require further assistance, please contact support.

Information to provide to Technical Support

Correlation ID:

476645e7-c5da-4b31-b5c4-26084df67393

Information to provide to MyApp

The requested redirect URI does not match the one registered for "MyApp".

Error Code:

urn:cerner:error:authorization-server:oauth2:grant:invalid-redirect-uri

Cerner's developer portal may provide useful information to assist in resolving this issue.

Kindly let me know what needs to be done to get the Token.

Thanks & Regards

Vijay Amirtharaj

[Vijay Amirtharaj Xavier]

Hi,

Now I am getting error as mentioned below:

Response Header :

Location: https://localhost:8080?error=access_denied&error_uri=https%3A%2F%2Fauthorization.cerner.com%2Ferrors%2Furn%253Acerner%253Aerror%253Aauthorization-server%253Aoauth2%253Agrant%253Adenied-by-server%2Finstances%2Fc6e814e1-0d98-45df-a5e3-1f54c186fd55%3Fpersona%3Dprovider%26client%3D53c6f356-b9b5-4c34-855a-f2b538ae44c4%26tenant%3Dec2458f2-1e24-41c8-b71b-0e701af7583d

Pragma: no-cache

Server: cloud_authorization_server1

Strict-Transport-Security: max-age=631138519; includeSubDomains

Error: [object Object]

Please let me know what needs to be done.

Thanks

Vijay Amirtharaj

[Vijay Amirtharaj Xavier]

Request Headers

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) PostmanCanary/8.10.0-canary210729-1340 Chrome/87.0.4280.88 Electron/11.1.1 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Sec-Fetch-Site: none

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Accept-Encoding: gzip, deflate, br

Accept-Language: en-US

▶Response Headers

Cache-Control: no-store

Cerner-Correlation-ID: 98429652-c40d-4826-a3ca-740761c37809

Connection: keep-alive

Content-Length: 0

Date: Thu, 28 Oct 2021 06:50:14 GMT

Expect-CT: enforce, max-age=30

Keep-Alive: timeout=30

Location: https://localhost:8080?error=access_denied&error_uri=https%3A%2F%2Fauthorization.cerner.com%2Ferrors%2Furn%253Acerner%253Aerror%253Aauthorization-server%253Aoauth2%253Agrant%253Adenied-by-server%2Finstances%2F98429652-c40d-4826-a3ca-740761c37809%3Fpersona%3Dprovider%26client%3D53c6f356-b9b5-4c34-855a-f2b538ae44c4%26tenant%3Dec2458f2-1e24-41c8-b71b-0e701af7583d

Pragma: no-cache

Server: cloud_authorization_server1

Strict-Transport-Security: max-age=631138519; includeSubDomains

On Wednesday, October 27, 2021 at 1:51:10 PM UTC+5:30 Vijay Amirtharaj Xavier wrote:

[Fenil Desani (Cerner)]

Hello,

System App needs to follow client credentials workflow - http://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system

Thanks,

Fenil

[JVA INFOTECH]

Hi Fenil

Thanks for your response.

I have tried the following as per the document reference link what you referred and still I am not able to get through the Token.

curl -v -X POST 'https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token'   -H 'Accept: application/json'   -H 'Authorization: Basic ( base64 "SYSTEM_ACCOUNT_CLIENT_ID:SYSTEM_ACCOUNT_CLIENT_SECRET")'   -H 'Content-Type: application/x-www-form-urlencoded'   -H 'cache-control: no-cache'   -d 'grant_type=client_credentials&scope=system%2FObservation.read%20system%2Fuser/Appointment.read'

Output Response : 

Note: Unnecessary use of -X or --request, POST is already inferred.

*   Trying 159.140.206.14:443...

* TCP_NODELAY set

* Connected to authorization.cerner.com (159.140.206.14) port 443 (#0)

* ALPN, offering h2

* ALPN, offering http/1.1

* successfully set certificate verify locations:

*   CAfile: /etc/ssl/certs/ca-certificates.crt

  CApath: /etc/ssl/certs

* TLSv1.3 (OUT), TLS handshake, Client hello (1):

* TLSv1.3 (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384

* ALPN, server did not agree to a protocol

* Server certificate:

*  subject: C=US; ST=Missouri; L=Kansas City; jurisdictionC=US; jurisdictionST=Delaware; O=Cerner Corporation; businessCategory=Private Organization; serialNumber=2103665; CN=authorization.cerner.com

*  start date: Mar 11 17:27:37 2020 GMT

*  expire date: Mar 11 17:57:36 2022 GMT

*  subjectAltName: host "authorization.cerner.com" matched cert's "authorization.cerner.com"

*  issuer: C=US; O=Entrust, Inc.; OU=See www.entrust.net/legal-terms; OU=(c) 2014 Entrust, Inc. - for authorized use only; CN=Entrust Certification Authority - L1M

*  SSL certificate verify ok.

> POST /tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token HTTP/1.1

> Host: authorization.cerner.com

> User-Agent: curl/7.68.0

> Accept: application/json

> Authorization: Basic ( base64 "SYSTEM_ACCOUNT_CLIENT_ID:SYSTEM_ACCOUNT_CLIENT_SECRET")

> Content-Type: application/x-www-form-urlencoded

> cache-control: no-cache

> Content-Length: 94

> 

* upload completely sent off: 94 out of 94 bytes

* OpenSSL SSL_read: Connection reset by peer, errno 104

* Closing connection 0

curl: (56) OpenSSL SSL_read: Connection reset by peer, errno 104

Please let me know what needs to be done.

Thanks

Vijay Amirtharaj

[Fenil Desani (Cerner)]

Just for sanity check, SYSTEM_ACCOUNT_CLIENT_ID:SYSTEM_ACCOUNT_CLIENT_SECRET are actually being replaced by actual values and base64 encoded before sending it in Auth Header?

[JVA INFOTECH]

Yes, I replaced the actual values  as like export SYSTEM_ACCOUNT_CLIENT_ID="53c6f356-b9b5-4c34-855a-f2b538ae44c4"

as well client secret.

Eg :-

export SYSTEM_ACCOUNT_CLIENT_ID="53c6f356-b9b5-4c34-855a-f2b538ae44c4"

export SYSTEM_ACCOUNT_CLIENT_SECRET="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

curl -X POST 'https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token' \

  -H 'Accept: application/json' \

  -H 'Authorization: Basic $(echo -n $SYSTEM_ACCOUNT_CLIENT_ID:$SYSTEM_ACCOUNT_CLIENT_SECRET | base64)' \

  -H 'Content-Type: application/x-www-form-urlencoded' \

  -H 'cache-control: no-cache' \

  -d 'grant_type=client_credential&scope=system%2FObservation.read%20system%2Fuser/Appointment.read'

but still same error as I mentioned previous post.

Awaiting for the solution.

Thanks

Vijay Amirtharaj

[Fenil Desani (Cerner)]

I do not see any System Account associated with 53c6f356-b9b5-4c34-855a-f2b538ae44c4

To make sure, there are two steps for a System App registration.

First, registering a System Account and then registering a System App associated with that System Account. 

The details can be found here http://fhir.cerner.com/authorization/#registering-a-system-account 

[Vijay Amirtharaj Xavier]

Hi Fenil,

Thanks for your response, As per the reference link, I have re-created the App and linked with System Account with new client_id :  774d24ee-0df7-4ecb-b06b-742c4697912a

But still I am not getting token, can you please let me know is this Id got linked with system account and what else to be done.

Please do the needful.

Thanks

Vijay Amirtharaj

[Fenil Desani (Cerner)]

So looks like now your System Account and System App are correctly correlated.
What error do you get? After registering the App you need to wait approx.10-15 min. for the changes to propagate. 

[Vijay Amirtharaj Xavier]

Hi,

After I have execute the curl the following the results are generated.

curl -v -X POST 'https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token'   -H 'Accept: application/json'   -H 'Authorization: Basic $(echo -n $SYSTEM_ACCOUNT_CLIENT_ID:$SYSTEM_ACCOUNT_CLIENT_SECRET | base64)'   -H 'Content-Type: application/x-www-form-urlencoded'   -H 'cache-control: no-cache'   -d 'grant_type=client_credential&scope=system%2FObservation.read%20system%2Fuser/Appointment.read'

Response:-

> Authorization: Basic $(echo -n $SYSTEM_ACCOUNT_CLIENT_ID:$SYSTEM_ACCOUNT_CLIENT_SECRET | base64)

> Content-Type: application/x-www-form-urlencoded
> cache-control: no-cache
> Content-Length: 93
>
* upload completely sent off: 93 out of 93 bytes

* OpenSSL SSL_read: Connection reset by peer, errno 104
* Closing connection 0
curl: (56) OpenSSL SSL_read: Connection reset by peer, errno 104

Please let me know where I am making mistakes to generate the Token.

Thanks

Vijay Amirtharaj

--
You received this message because you are subscribed to a topic in the Google Groups "Cerner FHIR Developers" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/cerner-fhir-developers/WWK3F6VdwR8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to cerner-fhir-devel...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/22b6656e-025f-4594-bf39-4e35caa71535n%40googlegroups.com.

--

Thanks & Regards

Vijay Amirtharaj X

+91-7010246798

------------------------

[Fenil Desani (Cerner)]

This "system%2Fuser/Appointment.read'" does not seem to be a valid scope.

[JVA INFOTECH]

Hello Fenil,

Thanks for the quick response, I want to extract patient id  from Appointment.read based on providers and also need to fetch the patient demographics, observations, conditions, careplan etc as read access based on  patient id , so I would like to know which is the best scope to be entered. 

Please suggest.

Thanks

Vijay Amirtharaj

---

--
You received this message because you are subscribed to the Google Groups "Cerner FHIR Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cerner-fhir-devel...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/9b548086-bc47-4f98-afc5-e1e36c5738d9n%40googlegroups.com.

[Fenil Desani (Cerner)]

Since you have a System App, you need to use system related scopes for each resource.

http://fhir.cerner.com/authorization/authorization-specification/#a1-resource-scope-syntax

http://fhir.cerner.com/authorization/authorization-specification/#scopes

[Vijay Amirtharaj Xavier]

Hello Fenil,

As per your reference link I have set scope as system/Patient.read, but still i am not getting through the Token. 

I have tried both curl & postman but no luck, I am not sure where we make the mistakes. 

This time I have converted the client:secret with base64 and then sent through Authorization as Basic auth, but still not getting the token. 

Please find the below is the console log of Postman.

POST /tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token HTTP/1.1

cache-control: no-cache

Authorization: Basic ******Nzc0ZDI0Z=*********

User-Agent: PostmanRuntime/7.26.8

Accept: */*

Postman-Token: 2dae5fd3-ea87-420f-bf11-bbc7cc137bca

Host: authorization.cerner.com

Content-Type: application/x-www-form-urlencoded

Content-Length: 57

Cookie: _ga=GA1.2.1676141304.1633892139

grant_type=client_credentials&scope=system%2FPatient.read

HTTP/1.1 400 Bad Request

Expect-CT: enforce, max-age=30

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: OPTIONS, POST

Access-Control-Allow-Headers: Content-Type, Authorization, Accept, Cerner-Correlation-Id

Cache-Control: no-store

Pragma: no-cache

Cerner-Correlation-ID: 06a33ffa-f2b0-4865-97dd-bf9d64ac6230

Content-Type: application/json;charset=UTF-8

Content-Length: 296

Date: Tue, 07 Dec 2021 04:55:41 GMT

X-Cnection: close

Server: cloud_authorization_server1

Strict-Transport-Security: max-age=631138519; includeSubDomains

{"error":"invalid_client","error_uri":"https://authorization.cerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Atoken%3Aterminated-client/instances/06a33ffa-f2b0-4865-97dd-bf9d64ac6230?client=774d24ee-0df7-4ecb-b06b-742c4697912a&tenant=ec2458f2-1e24-41c8-b71b-0e701af7583d"}

Show pretty log

Please help me to get the token generation.

Thanks

Vijay Amirtharaj

[Fenil Desani (Cerner)]

Based on the failure, your App seems to be passing clientid=774d24ee-0df7-4ecb-b06b-742c4697912a which does not seem to be a registered App on our code COnsole.

[Vijay Amirtharaj Xavier]

Hello Fenil,

After we recreated the App and we have linked the account id  registered with code.console portal and we have got the new client_id : 774d24ee-0df7-4ecb-b06b-742c4697912a, we have confirmed this new client_id after decode the Basic Authentication Token, it shows the same client_id. Also your previous response you had said System app correlated correctly. Please let me know what is the exact issue and what needs to be done. 

Thanks

below is your previous reply:-
Fenil Desani (Cerner)

Dec 6, 2021, 8:35:45 PM (yesterday) 







to Cerner FHIR Developers

So looks like now your System Account and System App are correctly correlated.
What error do you get? After registering the App you need to wait approx.10-15 min. for the changes to propagate. 



[Fenil Desani (Cerner)]

Hello Vijay,

I'm not sure what the disconnect is on your side, but all the steps for creating a System App are explicitly mentioned here - http://fhir.cerner.com/authorization/#registering-a-system-account

Your first create the System account. You then register a System App using the AccountID you receive from your System Account. And then try to authorize.

Right now I see, you have already created a System Account with ID: 774d24ee-0df7-4ecb-b06b-742c4697912a
The next step is to register the System App using that Account and then follow - http://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system

Thanks,

Fenil

[Vijay Amirtharaj Xavier]

Hello Fenil,

I've created a brand new FHIR app with the new System Account ID and Linked as per your reference link.

Now I can able to generate the new token. Thank you so much for your support.

Thanks 
Vijay Amirtharaj