Facing invalid_grant for system account


BhushAN ChavAN

Jun 27, 2022, 9:27:36 AM
to Cerner FHIR Developers
Hi,

I am facing an invalid_grant error for an authorization request using a system account.

client id d39d4843-9ea8-4b65-9421-5a49affb9e13


headers -
Content-Type: application/x-www-form-urlencoded
Authorization : Basic <Base64 decoded client credentials>

body - 
grant_type=client_credentials&scope=system/Observation.read,system/Patient.read&client_id=d39d4843-9ea8-4b65-9421-5a49affb9e13

Also, in the metadata I am not getting the resource list:
{
    "resourceType": "CapabilityStatement",
    "url": "https://fhir-ehr.sandboxcerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d/metadata",
    "name": "CernerCapabilityStatement",
    "title": "Cerner Capability Statement",
    "status": "active",
    "date": "2022-06-27",
    "publisher": "Cerner",
    "description": "Cerner implementation of FHIR on top of Millennium",
    "kind": "instance",
    "implementation": {
        "description": "Cerner implementation of FHIR on top of Millennium",
        "url": "https://fhir-ehr.sandboxcerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d"
    },
    "fhirVersion": "4.0.1",
    "format": [
        "json",
        "application/fhir+json"
    ],
    "patchFormat": [
        "application/json-patch+json"
    ],
    "rest": [
        {
            "mode": "server",
            "documentation": "Cerner implementation of FHIR on top of Millennium",
            "security": {
                "extension": [
                    {
                        "extension": [
                            {
                                "valueUri": "https://authorization.sandboxcerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token",
                                "url": "token"
                            },
                            {
                                "valueUri": "https://authorization.sandboxcerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token/revoke",
                                "url": "revoke"
                            },
                            {
                                "valueUri": "https://authorization.sandboxcerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/personas/provider/authorize",
                                "url": "authorize"
                            },
                            {
                                "valueUri": "https://authorization.sandboxcerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/personas/provider/my-authorizations",
                                "url": "manage"
                            },
                            {
                                "valueUri": "https://authorization.sandboxcerner.com/tokeninfo",
                                "url": "introspect"
                            }
                        ],
                        "url": "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"
                    }
                ],
                "cors": true,
                "service": [
                    {
                        "coding": [
                            {
                                "system": "http://terminology.hl7.org/CodeSystem/restful-security-service",
                                "code": "SMART-on-FHIR"
                            }
                        ],
                        "text": "OAuth2 using SMART-on-FHIR profile (see http://docs.smarthealthit.org/)."
                    }
                ],
                "description": "OAuth2 plus SMART extensions"
            },
            "resource": [
                {
                    "type": "CapabilityStatement",
                    "interaction": [
                        {
                            "code": "read"
                        }
                    ]
                }
            ]
        }
    ]
}


Fenil Desani (Oracle Cerner)

Jul 1, 2022, 1:44:30 PM
to Cerner FHIR Developers
Hello, 

ec2458f2-1e24-41c8-b71b-0e701af7583d is the tenantID for our public Sandbox which is of the production capacity. To connect with our public Sandbox you need a System Account in CernerCentral.com as mentioned here - http://fhir.cerner.com/authorization/#registering-a-system-account

Also, the metadata URL would be:

Thanks,
Fenil

BhushAN ChavAN

Jul 6, 2022, 7:19:59 AM
to Cerner FHIR Developers
Thanks Fenil.

As you mentioned, tenantID ec2458f2-1e24-41c8-b71b-0e701af7583d is the sandbox one, so I have changed it to the non-prod tenantID 9747a414-e12d-420b-8778-99d162ddb562.


client id -  d39d4843-9ea8-4b65-9421-5a49affb9e13

Now I am getting unauthorized_client.

method - POST
x-url-encoded-data
grant_type - client_credentials
scope - system/Patient.read

Header - 
Authorization - Basic <clientID:Secret Base 64 decoded>


Access-Control-Allow-Headers →Content-Type, Authorization, Accept, Cerner-Correlation-Id
Access-Control-Allow-Methods →OPTIONS, POST
Access-Control-Allow-Origin →*
Cache-Control →no-store
Cerner-Correlation-ID →9636f926-26f2-4085-9251-ce70a6a1faa0
Connection →keep-alive
Content-Length →321
Content-Type →application/json;charset=UTF-8
Date →Wed, 06 Jul 2022 11:15:18 GMT
Expect-CT →enforce, max-age=30
Pragma →no-cache
Server →cloud_authorization_server1


Can you confirm that all these parameters are correct, or do I need to create a separate account on code-console?

Fenil Desani (Oracle Cerner)

Jul 6, 2022, 11:47:51 AM
to Cerner FHIR Developers
Your App has not been allowListed for non-prod tenantID 9747a414-e12d-420b-8778-99d162ddb562.
Either the Health Organization would need to request allowListing by logging an SR or if you are part of the code program, please reach out through your uCern group!

BhushAN ChavAN

Jul 21, 2022, 9:18:39 AM
to Cerner FHIR Developers
Hi Fenil,

I don't want to connect to the non-prod tenant 9747a414-e12d-420b-8778-99d162ddb562 as of now;
I have to connect to the public sandbox using a system account, which we already registered on code-console.

App Name
SystemApp
App ID
2ef9c25b-0193-4f01-a83d-8cdf664c1ac2
Client ID
d39d4843-9ea8-4b65-9421-5a49affb9e13
App Type
System
Type of Access
-
App Privacy
Confidential


I have revised my authorization URL to authorization.cerner.com; now I am getting invalid client credentials. Could you please help us to resolve it?

curl -X POST \
  https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token \
  -H 'Accept: application/json' \
  -H 'Authorization: Basic <Base 64 encoded client_id:secret>' \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Postman-Token: 655d6b77-04c3-9f89-7da3-45d39382466a' \
  -d 'grant_type=client_credentials&scope=system%2FPatient.read&client_id=d39d4843-9ea8-4b65-9421-5a49affb9e13'

response - 

Fenil Desani (Cerner)

Jul 21, 2022, 11:03:50 AM
to Cerner FHIR Developers
So our domain naming scheme is a little awkward. For System Apps, there are two steps: 1) Create a System Account, 2) Use the System Account to create a System App.

Screen Shot 2022-07-21 at 9.59.58 AM.png

Based on the above Information, for your case, 
If you need to connect with our public Sandbox, you would need a System Account in  https://cernercentral.com/system-accounts and register a corresponding App on 
If you need to connect with a client's non-PROD domain, since you already have a System Account in https://sandboxcernercentral.com/system-accounts, you would need to register your App in https://code-console.sandboxcerner.com/ OR reach out to Cerner.

Hope that helps!

Thanks,
Fenil
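The thread turns on three mechanics: discovering the token endpoint from the CapabilityStatement's SMART security extension (the metadata in the first post), building a client_credentials request whose Basic header is the base64 encoding of the raw client_id:client_secret pair (the curl in the fourth post), and reading the error code the authorization server returns. The script below is an added example, not code from the thread or from Cerner; it embeds a trimmed copy of the posted CapabilityStatement as constructed input, uses placeholder credentials, and only builds the request by default (the optional send helper performs a real POST when given real credentials). The space-separated scope encoding follows RFC 6749; the error-to-cause table summarises what the replies in this thread attribute to each code.

```python
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

SMART_OAUTH_URIS = "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"

# Constructed excerpt of the CapabilityStatement quoted in the thread; only the
# SMART security extension is kept, which is all that endpoint discovery needs.
CAPABILITY_STATEMENT = {
    "resourceType": "CapabilityStatement",
    "rest": [{
        "mode": "server",
        "security": {
            "extension": [{
                "url": SMART_OAUTH_URIS,
                "extension": [
                    {"url": "token",
                     "valueUri": "https://authorization.sandboxcerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token"},
                    {"url": "authorize",
                     "valueUri": "https://authorization.sandboxcerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/personas/provider/authorize"},
                ],
            }]
        },
    }],
}


def oauth_uris(capability):
    """Map each SMART OAuth URI name (token, authorize, ...) to its URL."""
    uris = {}
    for rest in capability.get("rest", []):
        for ext in rest.get("security", {}).get("extension", []):
            if ext.get("url") != SMART_OAUTH_URIS:
                continue
            for sub in ext.get("extension", []):
                uris[sub["url"]] = sub["valueUri"]
    return uris


def basic_auth_header(client_id, client_secret):
    """HTTP Basic value: base64 *encoding* of the raw 'client_id:client_secret' string."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(token_url, client_id, client_secret, scopes):
    """Assemble a client_credentials request; scopes are space-separated per RFC 6749."""
    return {
        "method": "POST",
        "url": token_url,
        "headers": {
            "Accept": "application/json",
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": basic_auth_header(client_id, client_secret),
        },
        "body": urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)}),
    }


# Error codes seen in the thread and the cause each reply attributes to them.
ERROR_HINTS = {
    "invalid_grant": "public sandbox tenant requires a System Account registered in CernerCentral",
    "unauthorized_client": "app is not allow-listed for this tenant; the health organization must request allow-listing",
    "invalid_client": "credentials rejected; check the client_id/secret pair, the Basic header encoding and the authorization host",
}


def explain_token_error(error_body):
    """Turn an OAuth error body into a troubleshooting hint drawn from the thread."""
    code = error_body.get("error", "unknown")
    return f"{code}: " + ERROR_HINTS.get(code, error_body.get("error_description", "no hint"))


def send_token_request(req, timeout=10):
    """POST the built request; returns (status, parsed body) even for 4xx responses."""
    http_req = urllib.request.Request(req["url"], data=req["body"].encode("utf-8"),
                                      headers=req["headers"], method=req["method"])
    try:
        with urllib.request.urlopen(http_req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        text = e.read().decode("utf-8", "replace")
        try:
            return e.code, json.loads(text)
        except ValueError:
            return e.code, {"error": "unknown", "error_description": text}


if __name__ == "__main__":
    uris = oauth_uris(CAPABILITY_STATEMENT)
    # Placeholder credentials: substitute the values from the app registration.
    req = build_token_request(uris["token"], "CLIENT_ID_PLACEHOLDER",
                              "CLIENT_SECRET_PLACEHOLDER", ["system/Patient.read"])
    print(req["url"])
    print(req["body"])
    # status, body = send_token_request(req)   # real network call; needs real credentials
    # print(explain_token_error(body)) if status != 200 else print(body)
```

Running it prints the discovered token URL and the form body; the Authorization header is deliberately not printed because it carries the secret. Note that the token host in the CapabilityStatement must match the host you post to, and that the thread's final reply explains that the public sandbox and a client's non-PROD domain use different System Account registrations, which is why the same client_id produced different error codes against different tenants.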
