Is it possible to authorize and make webservice calls using a Java client?

[Abakash Samal]

Hello,

I am writing a java client to get patient information. I was successfully able to get patient info using the rest url from the cerner open sandbox below:

https://fhir-open.sandboxcerner.com/dstu2/d075cf8b-3261-481d-97e5-ba6c48d3b41f/Patient/2

Is it possible to do the same using the secure url as specified below with authorization?

https://fhir-ehr.sandboxcerner.com/dstu2/d075cf8b-3261-481d-97e5-ba6c48d3b41f/Patient/2

I am getting the error below:

Authentication error: Unable to respond to any of these challenges: {bearer=WWW-Authenticate: Bearer realm="fhir-ehr.sandboxcerner.com"}

I even did the authorization steps listed below:

1) Created a cerner id

2) Created a new App and got a client id. I specified dummy launch and redirect urls.

I don't know how to use the above information for making secure restful webservice calls?

Thanks,

-Ab

[Michele Mottini]

Is it possible to do the same using the secure url as specified below with authorization?

https://fhir-ehr.sandboxcerner.com/dstu2/d075cf8b-3261-481d-97e5-ba6c48d3b41f/Patient/2

Yes, but you need to authenticate using SMART (OAuth2) as detailed here

  - Michele

  CareEvolution Inc

[Abakash Samal]

Thanks for your help Michele.

I am following the information from the link you sent me. I did the following steps. 

Got stuck trying to request an authorization code. It gave me the identify service redirect page as output instead of an authorization code.

1) Registration:

I went to http://fhir.cerner.com/dstu2/authorization/ and registered my app, dstu2_rest_ws.

Got a username/password. I specified some dummy launch/redirect uri.

2) Requesting an authorization code

I am using the below URI.

 url = new URL (

              "https://authorization.sandboxcerner.com/tenants/d075cf8b-3261-481d-97e5-ba6c48d3b41f/protocols/oauth2/profiles/smart-v1/personas/provider/authorize?" +

               "response_type=code" + "&" + 

              "client_id=5c3039a6-90a1-40b0-9171-74d2a354b163" + "&" +                  

              "aud=https://fhir-myrecord.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/" + "&" +               

              "scope=launch/patient,patient/Patient.read" + "&" +               

              "redirect_uri=http://localhost:8080/CernerDstu2/index.html"               

              );

I got the identiry service provider redirect page below:

<!doctype html><html><head><title>Identity service provider redirect page</title><script type="text/javascript">window.onload = function() { sessionStorage.setItem('clientId', '5c3039a6-90a1-40b0-9171-74d2a354b163');  sessionStorage.setItem('tenantId', 'd075cf8b-3261-481d-97e5-ba6c48d3b41f');  sessionStorage.setItem('idspId', 'd075cf8b-3261-481d-97e5-ba6c48d3b41f');  sessionStorage.setItem('persona', 'provider');  window.location.replace('https://authorization.sandboxcerner.com/session-api/realm/d075cf8b-3261-481d-97e5-ba6c48d3b41f?to=https://authorization.sandboxcerner.com/tenants/d075cf8b-3261-481d-97e5-ba6c48d3b41f/protocols/oauth2/profiles/smart-v1/personas/provider/authorize?response_type%3Dcode%26client_id%3D5c3039a6-90a1-40b0-9171-74d2a354b163%26aud%3Dhttps://fhir-myrecord.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/%26scope%3Dlaunch/patient,patient/Patient.read%26redirect_uri%3Dhttp://localhost:8080/CernerDstu2/index.html'); }</script></head><body><noscript><a href="https://authorization.sandboxcerner.com/session-api/realm/d075cf8b-3261-481d-97e5-ba6c48d3b41f?to=https://authorization.sandboxcerner.com/tenants/d075cf8b-3261-481d-97e5-ba6c48d3b41f/protocols/oauth2/profiles/smart-v1/personas/provider/authorize?response_type%3Dcode%26client_id%3D5c3039a6-90a1-40b0-9171-74d2a354b163%26aud%3Dhttps://fhir-myrecord.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/%26scope%3Dlaunch/patient,patient/Patient.read%26redirect_uri%3Dhttp://localhost:8080/CernerDstu2/index.html">Click here to continue to login</a></noscript></body></html>

[Michele Mottini]

Scopes are space separated, not comma separated. 

Not sure what you mean with 'dummy redirect URI' - you should specify the actual redirect url of your app.

  - Michele

  CareEvolution Inc

--
You received this message because you are subscribed to the Google Groups "Cerner FHIR Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cerner-fhir-developers+unsub...@googlegroups.com.
To post to this group, send email to cerner-fhir-developers@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/ad9a9579-add9-4d6c-8772-1cac819f3707%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Abakash Samal]

It is a valid application url as below:

SMART Launch URI: http://localhost:8080/CernerDstu2/launch.html

Redirect URI: http://localhost:8080/CernerDstu2/index.html

But I am making the webservice REST GET calls from a java client and don't need those urls if know what I mean.

My application is a Java client making those restful webservice calls. 

So for example to get the authorization code, I am making the two webservice calls.

a) Get authorize url using metadata

   url = new URL ("https://fhir-ehr.sandboxcerner.com/dstu2/d075cf8b-3261-481d-97e5-ba6c48d3b41f/metadata");

b) Use authorize url from above and get authorization code

 "https://authorization.sandboxcerner.com/tenants/d075cf8b-3261-481d-97e5-ba6c48d3b41f/protocols/oauth2/profiles/smart-v1/personas/patient/authorize?" + 

    "response_type=code&" + 

    "client_id=5c3039a6-90a1-40b0-9171-74d2a354b163&" +  

    "launch=http://localhost:8080/CernerDstu2/launch.html&" +

    "aud=https://fhir-myrecord.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/&" +

    "scope=launch/patient,patient/Patient.read&" +               

    "redirect_uri=http://localhost:8080/CernerDstu2/index.html"

To post to this group, send email to cerner-fhir...@googlegroups.com.

[Michele Mottini]

I see now.

You have to use an embedded or external browser called by your Java app, you cannot call that page directly, it needs to be able to display a (HTML) login form to the user and get his/her credentials

  - Michele

  CareEvolution Inc

 

[Abakash Samal]

I have an application with http://localhost:8080/CernerDstu2/index.html page running in tomcat webserver.

So ok I opened up the html page returned to the service. Logged in using the credentials provided when I registered my app.

But I still get an error with access denied. What credentials should I use to login?

http://localhost:8080/CernerDstu2/index.html?error=access_denied&error_uri=https%3A%2F%2Fauthorization.sandboxcerner.com%2Ferrors%2Furn%253Acerner%253Aerror%253Aauthorization-server%253Aoauth2%253Agrant%253Ainvalid-request%2Finstances%2Feb51a9cf-20f3-4f1f-ab7e-72029c2e5e0d%3Fpersona%3Dprovider%26client%3D5c3039a6-90a1-40b0-9171-74d2a354b163%26tenant%3Dd075cf8b-3261-481d-97e5-ba6c48d3b41f

[Michele Mottini]

The sandbox logins are hard-wired, they are not the same as the logins in the app registration web site

Try Joe_SMART / Cerner01 or Mary_Z  / Cerner01

(Cannot find where they are documented)

  - Michele

  CareEvolution Inc

[Abakash Samal]

That didn't work. The account got cancelled due to too many login attempts. 

[Abakash Samal]

Below is the message I get when I log in with Joe_SMART/Cerner01

Account Locked

Your account has been temporarily locked due to multiple failed login attempts. Please contact a device administrator for further assistance.

Error code: 5

[Abakash Samal]

The other account is not locked yet. Mary_Z  / Cerner01

I don't want to try it more incase it gets locked.

But when I entered the username/pwd I get the message below:

Invalid Username and/or Password. Please try again.

[Kol Kheang]

Abakash,

Is your app a 'provider' or 'patient' facing app?  If it's a provider facing app, we list the username/password on the app's detail page.  Please use that credential to log in.

Also, please fetch the conformance endpoint to discover the authorization URLs, don't hard-code the URLs.

[Abakash Samal]

Hi Kol,

Which is the app's detail page? Is it the index.html? I am using the App's user/pwd obtained for authorization. 

I don't know which user/pwd to use at the "Identity service provider redirect page".

Also conformance endpoint authorization url is NOT hardcoded but retrieved before attempting the authorization code url.

[Abakash Samal]

Also the app is provider. 

Thanks for the help Kol.

[Kol Kheang]

Abakash,

Can you try launching your app from the Code Console/Developer Portal by clicking on "Begin Testing" button?  The username/password to be used at the Millennium+ login page are listed above the "Begin Testing" button in the app's detail page.

[Abakash Samal]

Hi Kol,

When I launch app from portal by clicking on "Begin Testing button", it is trying to load the url below. Is this some problem in the launch.html?

http://localhost:8080/CernerDstu2/launch.html?iss=https%3A%2F%2Ffhir-ehr.sandboxcerner.com%2Fdstu2%2F0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca&launch=02a16810-609b-44f7-8d87-361e162566b2

[Abakash Samal]

I got the code for launch.html and index.html from 

http://docs.smarthealthit.org/tutorials/authorization/

I changed the clientId in launch.html to one I got from creating my app.

Also, i am using the conformance metadata url in launch.html as below:

https://fhir-myrecord.sandboxcerner.com/dstu2/d075cf8b-3261-481d-97e5-ba6c48d3b41f/metadata

Those are the two changes I made to launch.html. Didn't make any changes to index.html

[Kol Kheang]

Abakash,

If your app is a provider app, the correct URL is:

https://fhir-ehr.sandboxcerner.com/dstu2/d075cf8b-3261-481d-97e5-ba6c48d3b41f/metadata

Notice the difference in the subdomain, fhir-ehr vs fhir-myrecord.

[Abakash Samal]

There is no difference whatever url I use for the conformance metadata.

[Kol Kheang]

Abakash,

What is the error that you're seeing?  What screen you're on?  What is the username/password that you use for the login?  What is the authorization url that you use?  Is it this one from the conformance call? https://authorization.sandboxcerner.com/tenants/d075cf8b-3261-481d-97e5-ba6c48d3b41f/protocols/oauth2/profiles/smart-v1/personas/provider/authorize

[Abakash Samal]

Screen: Begin Testing Button screen, at https://code.cerner.com/developer/smart-on-fhir/apps/104a3a8d-9a19-4226-99d6-b976596fa990

Error: After  "Begin Testing button", nothing happens

         The url that shows is : 

         http://localhost:8080/CernerDstu2/launch.html?iss=https%3A%2F%2Ffhir-ehr.sandboxcerner.com%2Fdstu2%2F0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca&launch=30e801e0-e505-4eef-a8c5-ee4956d3d25e

Username/password:

Username: portal

Password: portal

Conformance metadata url: https://fhir-ehr.sandboxcerner.com/dstu2/d075cf8b-3261-481d-97e5-ba6c48d3b41f/metadata

Authorizatoin url is retrieved based on conformance metadata authorize url.

[Kol Kheang]

Abakash,

Do you have a web server running on your computer at http://localhost:8080/CernerDstu2/ to host your application?  That is the only problem that I can think of when you say that nothing happens when clicking on "Begin Testing".  Normally, the application would load.

[Kol Kheang]

We have a smart-on-fhir tutorial that walks you through setting up your first smart app here: http://engineering.cerner.com/smart-on-fhir-tutorial/.  It is easier to get started with this tutorial than what you currently have.

[Abakash Samal]

Yes my application with the launch/index is running on tomcat with the url http:/localhost:8080/CernerDstu2

[Abakash Samal]

I think I figured out the launch error. After fixing that it prompted me to enter user/pwd and went to the index.html code.

There I am getting a 403 error when it tries to retrieve the patient

https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Patient/4342012

[Abakash Samal]

The index.html call is below with the code/state. Is the code a valid one?

http://localhost:8080/CernerDstu2/index.html?code=2aff0bb4-22f9-43d8-b627-8bb0743572ac&state=2717580

[Kol Kheang]

Abakash,

Good to hear that you're getting closer.  The issue that you're seeing is related to scope.  Make sure that you're passing in the scopes (separated by space) that your app is needing access to.  For example, if your app needs access to Patient resource, pass in "patient/Patient.read" scope.  I'm only seeing "launch" scope passed in with your call.

[Kol Kheang]

Also, wildcard scope such as "patient/*.read" is not supported.  Please list individual scope that your app needs e.g. "patient/Patient.read patient/Encounter.read".

[Abakash Samal]

Thanks for your help Kol. I fixed the scopes.

However it only lists information as below without any patient data. Is that how it works?

Patient: Valerie S Smart

[Abakash Samal]

Anyway never mind Kol. Depends on what the application wants to display.

Thanks for all your help.