Invalid client for sandbox oauth with system application

133 views

authorizationsystem_app

Skip to first unread message

Assigned to aaron....@oracle.com by me

Robert Jones

unread,

Feb 17, 2021, 4:09:14 PM2/17/21

to Cerner FHIR Developers

Hi,

I'm trying to get the System OAuth flow working for my application. I've followed the directions for setting up a system account and created an app to go with it.

My Client ID is: e9159c16-e07c-41f3-8654-a16e0c19dced

I tried getting the token following the steps here: http://fhir.cerner.com/authorization/#system-authorization

I'm base64 encoding the the the 'Basic' auth credentials and posting to the sandbox authorization url using the sandbox tenant ID. Here's the URL:

https://authorization.sandboxcerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token

The response I get is:

{"error":"invalid_client"}

The 'Cerner'Correlation-ID' for this request is:

'Cerner-Correlation-ID': '29058a31-b5a2-4cf6-9aca-ceb202de36fe'

Any help is appreciated here:

Thanks,

Rob

Aaron McGinn (Cerner)

unread,

Feb 17, 2021, 4:23:00 PM2/17/21

to Cerner FHIR Developers

It looks like you are using the incorrect base URL to discover the authorization endpoint. You can find it in your app details within the code portal [1].

https://fhir-ehr-code.cerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d

[1] https://code.cerner.com/developer/smart-on-fhir/apps

-Aaron (Cerner)

Robert Jones

unread,

Feb 17, 2021, 4:32:50 PM2/17/21

to Cerner FHIR Developers

Thanks for responding Aaron.

I thought that was specifically for requesting authorization on behalf of a user. The outline at this link implies as much: https://fhir.cerner.com/authorization/

My app type is System. Based on my understanding, I need to do the offline access flow. Our application is for scheduling and frequently updates schedules and slots in a background process, i.e. no user interaction.

What am I missing here?

Thanks,

Rob

Aaron McGinn (Cerner)

unread,

Feb 17, 2021, 4:38:58 PM2/17/21

to Cerner FHIR Developers

For a system app [1], you will have to have pre-configured the FHIR server base URL. You will then need to discover the authorization server [2]. You can see an overview of the full context-less workflow here [3].

[1] https://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system

[2] https://fhir.cerner.com/authorization/authorization-specification/#discovery

[3] https://fhir.cerner.com/authorization/authorization-specification/#contextless-flow

-Aaron (Cerner)

Robert Jones

unread,

Feb 17, 2021, 8:09:53 PM2/17/21

to Cerner FHIR Developers

Thanks. The discovery portion is what I was missing.

I'll be accessing system resources so it seems the client credentials flow is the appropriate model.

[0] https://fhir.cerner.com/authorization/authorization-specification/#client-credentials-flow