Backend services Authentication


Jaswanth K

Apr 25, 2017, 7:59:00 AM
to cerner-fhir...@googlegroups.com
Hello Team,

I have followed the below url for authentication using backend services.


When I make a request, I received 404 Not Found response.

Following are the parameters I have passed in the request

Method:       POST
Form Params:
      grant_type: client_credentials
      client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
      scope: system/*.read system/CommunicationRequest.write
      client_assertion: ...


Following is the process I have followed for generating client_assertion,
Generated key using https://jwt.io/
Header:
{
  "alg": "RS256",
  "typ": "JWT"
}

Payload:
{
  "sub": "client-id",
  "exp": 1422568860,
  "jti": "74142912334"
}

Generated token:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIgaHR0cDovL2xvY2FsaG9zdDo4MDgwL2Nlcm5lci1wb2Mtc2FuZGJveC8iLCJzdWIiOiJmYzU4MjlmNS00ZjJlLTQ2ZTYtYjE0Yy0wYmM4YjYxOGMzNGYiLCJhdWQiOiJodHRwczovL2F1dGhvcml6ZS5zbWFydGhlYWx0aGl0Lm9yZy90b2tlbiIsImV4cCI6MTQyMjU2ODg2MCwianRpIjoiNzQxNDI5MTIzMzQifQ.kHL-yhGSjXJYnA09NEwEb_wtbCeuecFJeXU4ZGQ_bYS5tjtMbmwxwRjoHMkZ6AlSaTIQoQsFCEUYlbp33zq-6DNNFRGhkl2DvxIZPWBSvG9WBnq4nBXIhVxJDNDHon6GL97rHyma6OrXalqpDfriXB82U6PX408jvv04Oj9ZoWM

Did I miss anything ?

Please help.


Thanks,
Jaswanth
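The pasted client_assertion can be inspected offline for the claim problems a SMART backend-services token endpoint would reject it for. This is an added example, not code from the post or from Cerner: it decodes the token above with the Python standard library only, does not verify the RS256 signature (the registered public key is not shown in the thread), and uses a placeholder token endpoint URL because the thread gives none.

```python
import base64
import json
import time

# Signed client_assertion pasted in the post above (taken from the page, not constructed).
TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpc3MiOiIgaHR0cDovL2xvY2FsaG9zdDo4MDgwL2Nlcm5lci1wb2Mtc2FuZGJveC8iLCJzdWIiOiJmYzU4MjlmNS00ZjJlLTQ2ZTYtYjE0Yy0wYmM4YjYxOGMzNGYiLCJhdWQiOiJodHRwczovL2F1dGhvcml6ZS5zbWFydGhlYWx0aGl0Lm9yZy90b2tlbiIsImV4cCI6MTQyMjU2ODg2MCwianRpIjoiNzQxNDI5MTIzMzQifQ."
    "kHL-yhGSjXJYnA09NEwEb_wtbCeuecFJeXU4ZGQ_bYS5tjtMbmwxwRjoHMkZ6AlSaTIQoQsFCEUYlbp33zq-6DNNFRGhkl2DvxIZPWBSvG9WBnq4nBXIhVxJDNDHon6GL97rHyma6OrXalqpDfriXB82U6PX408jvv04Oj9ZoWM"
)

# Claims the SMART Backend Services draft requires in the client assertion.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "jti")

# Longest assertion lifetime the draft allows (five minutes).
MAX_LIFETIME_SECONDS = 300


def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that compact JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token):
    """Split a compact JWS into its header, payload and raw signature segment.

    The signature is returned undecoded and is NOT verified: checking RS256
    needs the public key the client registered with the server.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts[2]


def check_assertion_claims(header, payload, expected_aud, now=None):
    """Return the problems a token endpoint would report for this assertion.

    expected_aud is the token endpoint's own URL. An empty list means the
    claims (not the signature) are acceptable.
    """
    now = time.time() if now is None else now
    problems = []

    # Client assertions are signed with the client's private key; a symmetric
    # or absent algorithm is never acceptable here.
    alg = str(header.get("alg", ""))
    if alg == "none" or alg.startswith("HS"):
        problems.append("alg %r is not an asymmetric signature algorithm" % alg)

    for claim in REQUIRED_CLAIMS:
        if claim not in payload:
            problems.append("missing required claim: " + claim)

    # iss and sub are both the registered client_id, so they must match.
    if "iss" in payload and "sub" in payload and payload["iss"] != payload["sub"]:
        problems.append("iss and sub differ; both must be the registered client_id")

    # aud must be this server's token endpoint, not another authorization server.
    if "aud" in payload and payload["aud"] != expected_aud:
        problems.append("aud %r is not this token endpoint %r" % (payload["aud"], expected_aud))

    exp = payload.get("exp")
    if isinstance(exp, (int, float)):
        if exp <= now:
            problems.append("assertion expired at %d, now is %d" % (exp, now))
        elif exp - now > MAX_LIFETIME_SECONDS:
            problems.append("exp is more than five minutes in the future")
    elif exp is not None:
        problems.append("exp must be a numeric date")

    return problems


if __name__ == "__main__":
    # Placeholder token endpoint; the thread does not give the real Cerner URL.
    TOKEN_ENDPOINT = "https://ehr.example/token"
    hdr, claims, _sig = decode_jwt(TOKEN)
    print(json.dumps(claims, indent=2))
    for problem in check_assertion_claims(hdr, claims, TOKEN_ENDPOINT):
        print("-", problem)
```

Running it against the pasted token reports three claim problems before any signature check: the aud names the SMART Health IT token endpoint rather than the server being called, iss and sub are different values, and exp (1422568860, January 2015) had long expired by the date of the post.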
 

Jenni Syed (Cerner)

Apr 25, 2017, 10:44:04 AM
to Cerner FHIR Developers
Hi Jaswanth,

Those look like the SMART Health IT servers and authorization services, not the Cerner services. Are you trying to call our FHIR server or the SMART FHIR server?

Jenni

Jaswanth K

Apr 25, 2017, 12:31:44 PM
to Cerner FHIR Developers
Hi Jenni,

Are those two different ?

I see in the documentation that even Cerner uses SMART Health IT services for authorization (http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris).

I was able to pass the authentication process using browser by selecting a patient and launching the app. 

My requirement is that I need to authenticate Cerner server and use that accessToken for all further communication with Cerner.

All I need is an accessToken using backend services which I can use for retrieving patient list and other entities/resources. All the authentication and authorization part should happen at my server side.

Do we currently have any solution to do so ? 

Please help

Jenni Syed (Cerner)

Apr 25, 2017, 1:25:13 PM
to Cerner FHIR Developers
We use the SMART standard, which is described on the SMART website. However, we do not use the sandbox that SMART has stood up. The authorization endpoints and secrets are specific to the Cerner FHIR implementation.

The registration steps are described here: http://fhir.cerner.com/authorization/#registration

As well as information on the steps an application must follow to authenticate.

~ Jenni

Jaswanth K

Apr 26, 2017, 8:01:36 AM
to Cerner FHIR Developers
Thanks Jenni.

I have gone through the link you shared. I have one more question. 
Can we make the authorization without invoking the browser ? I mean without any user interaction.

I want to automate the authentication flow with just a rest call to my server irrespective of the devices making a request for authentication.

Thanks.
Jaswanth

Jenni Syed (Cerner)

Apr 26, 2017, 10:50:46 AM
to Cerner FHIR Developers
We do allow access on behalf of a system (though not in production yet, and not available for all resources yet): http://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system

This cannot/should not be used in place of access on behalf of a user if your app is for practitioners or patients. OAuth should work on most devices that users use for clinical work today (eg: computer, phone, tablet, etc). If you use system-to-system, your app/system is then responsible for auditing access to the data by users, as well as enforcing privacy and sensitive data restrictions. These aren't things you should take on without a true use case that would require this type of interaction. 

Typically, access on behalf of a system is used when two separate/disparate systems are using FHIR to synchronize data, where there truly is no user interaction.

~ Jenni

Matan Oppenheim

May 4, 2017, 9:20:58 AM
to Cerner FHIR Developers
 
Hi, I have the same need as Jaswanth. 
When would the "access on behalf of a system" mechanism be in production?
Given I have no user interaction in my app - what can I do as a workaround in order to authenticate?

Thanks!

Matan

On Wednesday, April 26, 2017 at 17:50:46 UTC+3, Jenni Syed (Cerner) wrote:

Jenni Syed (Cerner)

May 4, 2017, 9:35:37 AM
to Cerner FHIR Developers
I cannot comment on when it will be in production.

However, we are opening up this capability in sandbox for testing (knowing there may be issues, and not all resources are available yet for this). You can now request to register for the system account, following the instructions on the registration site: http://fhir.cerner.com/authorization/#registration

~ Jenni

Matan Oppenheim

May 4, 2017, 11:32:13 AM
to Cerner FHIR Developers
Thanks

1. It requires a "confidential client" application - right?
2. Does the system-to-system authorization in Cerner use JWT? (as mentioned here - http://docs.smarthealthit.org/authorization/backend-services)

On Thursday, May 4, 2017 at 16:35:37 UTC+3, Jenni Syed (Cerner) wrote:

Jenni Syed (Cerner)

May 5, 2017, 8:15:54 AM
to Cerner FHIR Developers

Joe Lee

Oct 16, 2017, 4:22:51 PM
to Cerner FHIR Developers
Is there support yet for backend services authentication with JWT for system accounts in your sandbox?

Jenni Syed (Cerner)

Oct 17, 2017, 12:02:01 PM
to Cerner FHIR Developers
Not via JWT/the draft SMART backend services spec. We do support the client credentials grant in sandbox (not production): http://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system

