FHIR EPIC BACKEND SERVICES


Sandra Anoop

Oct 9, 2020, 4:20:45 PM
to SMART on FHIR
Hey Everyone,

Hope you are all doing well. Could anyone please guide me through the issue below that we are facing with FHIR? Has anyone worked on it and faced this issue before?

I am trying to build a patient care test portal. I am able to successfully retrieve the sandbox data of a patient using OAuth 2.0, by choosing the application audience as Patients.

Now we are switching over to a backend system application. Basically, I understand from the documentation that apps without direct end user or patient interaction can also use OAuth 2.0 authentication through the client_credentials OAuth 2.0 grant type.

I am trying to obtain the access token in a Postman request. I followed every instruction in the documentation: https://fhir.epic.com/Documentation?docId=oauth2&section=BackendOAuth2Guide

But I am getting the following error in Postman. We are kind of stuck here as we can't move forward without successfully obtaining the token.

{
  "error": "invalid_client",
  "error_description": null
}
Postman screenshot: [image attachment]

Cyrus Bahrassa

Oct 12, 2020, 10:58:24 AM
to SMART on FHIR
In my experience, that error indicates something about your JWT is incorrect. I would make sure you've included all the necessary claims and followed all the formatting requirements. If you can, post the header and payload of the JWT you are generating, as well as the signed and encoded JWT. jwt.io has a debugger as well on the main page that you can use to verify your JWT is properly constructed.

Gregory Michalopoulos

Nov 16, 2020, 2:13:00 PM
to SMART on FHIR
Hi,

I am experiencing the same issue as OP.  I have verified my JWT using the jwt.io debugger (attached).  As the error message has no information, what are the next steps to debug an issue like this?  

Thanks,
Greg

Screen Shot 2020-11-16 at 2.10.03 PM.png

Scott Rossignol

Nov 16, 2020, 2:21:37 PM
to SMART on FHIR
When did you register your public key with the Epic server (within the app setup)? This sometimes takes a day to register. Your ISS and SUB fields should be the NONPRD keys. Your nbf and exp fields should be <= and >, respectively, the current time. This looks correct, but is tough to tell as I don't know when you actually sent the request.

Gregory Michalopoulos

Nov 16, 2020, 2:34:41 PM
to SMART on FHIR
I registered the public key towards the end of last week (Thursday or Friday). I am using the non-production client ID. My iat field is the timestamp for when the request was generated.

Gregory Michalopoulos

Nov 18, 2020, 10:32:49 PM
to SMART on FHIR
For closure on this, upon revisiting the documentation (https://fhir.epic.com/Documentation?docId=oauth2&section=BackendOAuth2Guide) I discovered that I was passing POST parameters in the query string instead of the POST body. When I moved them to the POST body, I was able to get an access token. Thanks!

Aydan Hanlon

Dec 1, 2023, 1:32:56 PM
to SMART on FHIR
Hi all, 

I am also receiving the same error messages as OP and Greg. I have also successfully created the JWT. I have a couple of questions regarding Epic's instructions: https://fhir.epic.com/Documentation?docId=oauth2&section=BackendOAuth2Guide
1. Do I need to specify a "kid" in the header of the JWT? If so, where can I find the "kid"?
2. I also registered my public key with the Epic server in the app setup. Does this take a full day to be registered on their servers? 
3. I included the JWT in the body, not the header. Are there any learnings or common pitfalls that anyone has encountered when attempting to authenticate with Epic's sandbox?

Thank you very much. Any help you can provide would be greatly appreciated.

Best,
Aydan

Sazzad Hossain Khan (Tushar)

Feb 5, 2024, 1:59:23 AM
to SMART on FHIR
I am getting the same error although my JWT signature is verified.

Sazzad Hossain Khan (Tushar)

Feb 5, 2024, 2:00:16 AM
to SMART on FHIR
Here is my JWT generation code:
// JWT generation script adapted from

var jwtSecret = pm.environment.get('jwt_secret') || ''
console.log('jwtSecret:', jwtSecret)
// Set headers for JWT
var header = {
    'alg': 'RS384',
    'typ': 'JWT',
    // 'kid': '',
};

// Prepare timestamp in seconds
var currentTimestamp = Math.floor(Date.now() / 1000)

var data = {
    'iss': pm.environment.get('jwt_iss') || '',
    'sub': pm.environment.get('jwt_iss') || '',
    'jti': `myvisits_${currentTimestamp}`, // unique identifier for the JWT.    
    'exp': currentTimestamp + 5*60 - 15, // expiry time is 285 seconds (just under 5 minutes) from time of creation
    'nbf': currentTimestamp,
    'iat': currentTimestamp,
}
console.log('data:', data)


function base64url(source) {
    // Encode in classical base64
    // source = CryptoJS.enc.Utf8.parse(source)
    let encodedSource = CryptoJS.enc.Base64.stringify(source)
   
    // Remove padding equal characters
    encodedSource = encodedSource.replace(/=+$/, '')
   
    // Replace characters according to base64url specifications
    encodedSource = encodedSource.replace(/\+/g, '-')
    encodedSource = encodedSource.replace(/\//g, '_')
    console.log('base64url:', source, encodedSource)
    return encodedSource
}

// encode header
var stringifiedHeader = CryptoJS.enc.Utf8.parse(JSON.stringify(header))
var encodedHeader = base64url(stringifiedHeader)

// encode data
var stringifiedData = CryptoJS.enc.Utf8.parse(JSON.stringify(data))
var encodedData = base64url(stringifiedData)

// build token
var token = `${encodedHeader}.${encodedData}`

// sign token
// HMAC-SHA384 keyed with a shared secret; this is not the RS384 (RSA) signature the header declares
var signature = CryptoJS.HmacSHA384(token, CryptoJS.enc.Base64.parse(jwtSecret))
signature = base64url(signature)
var signedToken = `${token}.${signature}`

pm.environment.set('jwt_signed', signedToken)
console.log('Signed and encoded JWT', signedToken)

Josh Mandel

Feb 5, 2024, 1:35:45 PM
to Sazzad Hossain Khan (Tushar), SMART on FHIR
Would recommend using a library to manage JWT generation. In JS, https://www.npmjs.com/package/jose is a good place to start. 

To understand more about what's going wrong here, see https://chat.openai.com/share/66cedf56-44ba-442e-8730-d1936732ef2a


Tim

Feb 21, 2024, 11:23:21 AM
to SMART on FHIR
" 1. Do I need to specify a "kid" in the header of the JWT? If so, where can I find the "kid"?"

When you upload your public key on Epic it gives you a thumbprint for that public key -- that's the kid. (key id)

Srenivasan K S

Mar 22, 2024, 5:51:36 AM
to SMART on FHIR
Hi guys, I've entered the kid in the header and all the necessary claims, my JWT is verified, and I even have my public key hosted on a site, but I still get the same error, invalid_client.
Please do help me, guys.