Sandbox Access issue with Token


Mansoor Ghazizadeh

Apr 26, 2022, 4:04:10 PM
to Cerner FHIR Developers

Hi,

We are just starting to implement our app interface to Millennium.

We have registered and have a Standard account with our Account ID, and generated a Token.

We are trying to access sandbox and are getting the following error.

What are we doing wrong?

Thanks,


var request = require('request');

// Authorization is sent as the literal placeholder "TOKEN", as in the original post.
var headers = {
    Accept: 'application/json+fhir',
    Authorization: "TOKEN",
};

var options = {
    url: url, // request URL; its definition was not included in the post
    method: 'GET',
    headers: headers,
};
request(options, function(error, response, body) {
    if (!error && (response.statusCode == 200 || response.statusCode == 201)) {
        console.log("search successfully")
        console.log(body)
    } else {
        console.log("search Error")
        // response is undefined when the request itself failed (e.g. network error)
        console.log(error || response.statusCode)
        console.log(body)
    }
});
-----------------------------------------------
Error Message: response status: 401
{"resourceType":"OperationOutcome","issue":[{"severity":"error","code":"login","diagnostics":"Bearer realm=\"fhir-ehr-code.cerner.com\"","expression":["http.Authorization"]}]}







Fenil Desani (Cerner)

Apr 27, 2022, 10:39:10 AM
to Cerner FHIR Developers
Hello,

Can you please provide X-Request-ID/CorrelationID from the response header of the failed request?

Thanks,
Fenil

Cong Chen

Apr 27, 2022, 12:21:21 PM
to Cerner FHIR Developers

Hello, the response headers are as below:


{
  'content-type': 'application/fhir+json',
  'content-length': '175',
  connection: 'close',
  date: 'Wed, 27 Apr 2022 16:13:25 GMT',
  'x-request-id': '3724a13f-26dd-473a-91df-a2656deb6804',
  'access-control-allow-origin': '*',
  'access-control-expose-headers': 'WWW-Authenticate, X-Request-Id',
  'www-authenticate': 'Bearer realm="fhir-ehr-code.cerner.com"',
  'x-cache': 'Error from cloudfront',
  via: '1.1 1bfde73e7d02732154f58c7e03609d08.cloudfront.net (CloudFront)',
  'x-amz-cf-pop': 'HIO50-C2',
  'x-amz-cf-id': '8WrTpgWT2-EU68c7oq2IgU5xj8vHQIkzm60UxSzvY1cd6Zwv6VXOlg=='
}

Fenil Desani (Cerner)

Apr 28, 2022, 10:56:56 AM
to Cerner FHIR Developers
Couple of things: 
The current error: The value for the Authorization header is not a Bearer token or a Bearer token was not provided.
Also, it looks like you are making the API call incorrectly. The FHIR Base URL for our public Sandbox is https://fhir-ehr-code.cerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d and not https://fhir-ehr-code.cerner.com/r4/238dbc04-124c-42aa-aa52-72b8851843bf

Cong Chen

Apr 28, 2022, 2:44:57 PM
to Cerner FHIR Developers
I changed the FHIR Base URL to https://fhir-ehr-code.cerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d and still have an error on accessing the patient endpoint.

For the Authorization Value, I tried three ways for it.

1. Using the Bearer Token in the Secrets from a System Accounts.
Response header:

{
  'content-type': 'application/fhir+json',
  'content-length': '175',
  connection: 'close',
  date: 'Thu, 28 Apr 2022 18:08:15 GMT',
  'x-request-id': 'd43f1475-3c59-4a7e-bdea-e7711306a8f7',
  'access-control-allow-origin': '*',
  'access-control-expose-headers': 'WWW-Authenticate, X-Request-Id',
  'www-authenticate': 'Bearer realm="fhir-ehr-code.cerner.com"',
  'x-cache': 'Error from cloudfront',
  via: '1.1 078213358ed22cd95c76373c4ed65b5a.cloudfront.net (CloudFront)',
  'x-amz-cf-pop': 'HIO50-C2',
  'x-amz-cf-id': 'YM_05VPX_G9VGMCOs1khPbRKa1vlcrixw2ybwN191mB9UDDuRtSOQA=='
}


2. Using the Account ID from System Accounts: Base64-encode "Account ID:secret" => "xxxxxxxxxxxx", then apply the header Authorization: Basic xxxxxxxxxxxx.
Response header:

{
  'content-type': 'application/fhir+json',
  'content-length': '175',
  connection: 'close',
  date: 'Thu, 28 Apr 2022 18:05:54 GMT',
  'x-request-id': '6a397930-9486-4a14-b246-a0ad37190ea5',
  'access-control-allow-origin': '*',
  'access-control-expose-headers': 'WWW-Authenticate, X-Request-Id',
  'www-authenticate': 'Bearer realm="fhir-ehr-code.cerner.com"',
  'x-cache': 'Error from cloudfront',
  via: '1.1 38e44b0b4251fbfb70eb0f304e9558fa.cloudfront.net (CloudFront)',
  'x-amz-cf-pop': 'HIO50-C2',
  'x-amz-cf-id': 'izNxHei6qAzE2KHRFwtt7iviWqttMzk7F2u2U3KjRDRfLLkSzAArDQ=='
}


3. Using the Client ID from the App created in Cerner Code Console: Base64-encode "Client ID:secret" => "YYYYYYYYYY", then apply the header Authorization: Basic YYYYYYYYYY.

{
  'content-type': 'application/fhir+json',
  'content-length': '175',
  connection: 'close',
  date: 'Thu, 28 Apr 2022 18:41:47 GMT',
  'x-request-id': '1873fc39-77b0-4676-83f6-6581d809a8d9',
  'access-control-allow-origin': '*',
  'access-control-expose-headers': 'WWW-Authenticate, X-Request-Id',
  'www-authenticate': 'Bearer realm="fhir-ehr-code.cerner.com"',
  'x-cache': 'Error from cloudfront',
  via: '1.1 925a9355525ad52853e1025fe231bef8.cloudfront.net (CloudFront)',
  'x-amz-cf-pop': 'HIO50-C2',
  'x-amz-cf-id': 'J0l9gBlk8uTiasBFJJVq1D82soC3n_7XwuXmOnW7u5Mh4PnFRbz-Ew=='
}


Note: the way to do the Base64 encoding for Authorization is taken from: https://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system


Fenil Desani (Cerner)

Apr 29, 2022, 10:24:33 AM
to Cerner FHIR Developers
First you need to make a call to Authorization server to get a Bearer Token.
Once you have the token, you can use it to call FHIR APIs.

Also, what type of App have you registered? Is it a Patient, System, or Provider App?
What is your System Account ID and client ID?

Thanks,
Fenil

Cong Chen

Apr 29, 2022, 11:39:29 AM
to Cerner FHIR Developers
Can you please give me an example of calling the Authorization server to get a Bearer Token?

We registered the Provider App, and the System Account ID is 238dbc04-124c-42aa-aa52-72b8851843bf, the App Client ID is ffc19e5f-7129-4419-a7c2-4c7dea0a0d9a.

Thanks,
Cong

Fenil Desani (Cerner)

Apr 29, 2022, 11:53:34 AM
to Cerner FHIR Developers
If you have a public provider App, you don't need to use client credentials workflow.

Mansoor Ghazizadeh

May 26, 2022, 6:55:38 PM
to Cerner FHIR Developers
The authorization request is not clear to us. Can you provide a Node.js example if you have it?
We have been able to use the Patient API to get a patient and are trying to send a document to the patient records using a DocumentReference. We need to use a public closed endpoint which needs authentication, and there we are stuck because we do not have the Bearer code.
Please help with the front end authorization request.

Fenil Desani (Cerner)

May 27, 2022, 10:07:47 AM
to Cerner FHIR Developers
Yes, as I mentioned, since yours is a Provider App with ClientID: ffc19e5f-7129-4419-a7c2-4c7dea0a0d9a
You need to perform the SMART on FHIR OAuth2 handshake as per http://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-user

Open Source FHIR Client Libraries

To start development quickly, there is an open source fhir-client JavaScript library that takes care of the OAuth2 handshake and provides a built-in library to call FHIR resources. The library is usable but has several known issues in previous versions. One particular issue is around the usage of the sessionStorage property. Cerner requires that you upgrade the library to version v0.1.10 or higher to correct a known patient safety issue. You also must download and include this additional code into your project to correct this issue.

Other additional FHIR clients are available:

You can also refer to our tutorial - https://engineering.cerner.com/smart-on-fhir-tutorial/ 

Thanks,
Fenil

Cong Chen

May 27, 2022, 9:05:42 PM
to Cerner FHIR Developers
Based on the Discovering Authorization URLs, we get:
"security": {
        "extension": [
          {
            "extension": [
              {
                "valueUri": "https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token",
                "url": "token"
              },
              {
                "valueUri": "https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/personas/provider/authorize",
                "url": "authorize"
              },
              {
                "valueUri": "https://authorization.cerner.com/tokeninfo",
                "url": "introspect"
              }
            ],
            "url": "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"
          }
        ],


Then, we construct the Authorization Request URL like below:

But the query response is:
<!doctype html><html lang="en"><head><title>HTTP Status 406 – Not Acceptable</title><style
      type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
      Status 406 – Not Acceptable</h1></body></html>



Thank you,
Cong
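
The sequence discussed in this thread (discover the endpoints, send the user to the authorize URL, exchange the returned code, then call FHIR with a Bearer token), as an added Node.js example that is not part of any post above and is not Cerner's code. The function names are hypothetical, the parameter names are the standard OAuth2 / SMART App Launch ones, and the redirect URI and scope an app passes in are its own registered values.

```javascript
const crypto = require('crypto');
const OAUTH_URIS = 'http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris';
const TENANT = 'https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d';
// Constructed sample: the "security" fragment quoted above, trimmed and closed so it parses.
const sampleSecurity = { extension: [{ url: OAUTH_URIS, extension: [
  { url: 'token', valueUri: TENANT + '/protocols/oauth2/profiles/smart-v1/token' },
  { url: 'authorize', valueUri: TENANT + '/protocols/oauth2/profiles/smart-v1/personas/provider/authorize' },
] }] };

// Read the authorize/token endpoints from the oauth-uris extension; require https.
function oauthEndpoints(security) {
  const ext = (security.extension || []).find((e) => e.url === OAUTH_URIS);
  if (!ext) throw new Error('oauth-uris extension not found');
  const out = {};
  for (const e of ext.extension || []) out[e.url] = e.valueUri;
  for (const k of ['authorize', 'token']) {
    if (!out[k] || new URL(out[k]).protocol !== 'https:') throw new Error('bad ' + k + ' endpoint');
  }
  return out;
}
// URL the user's browser is redirected to (it is not a FHIR API call). The random
// state must be kept in the session and compared when the redirect comes back.
function buildAuthorizeUrl(authorize, { clientId, redirectUri, scope, aud }) {
  const state = crypto.randomBytes(16).toString('hex');
  const q = { response_type: 'code', client_id: clientId, redirect_uri: redirectUri, scope, state, aud };
  return { url: authorize + '?' + new URLSearchParams(q), state };
}
// Check the redirect back to the app and return the authorization code.
function codeFromCallback(callbackUrl, expectedState) {
  const q = new URL(callbackUrl).searchParams;
  if (q.get('error')) throw new Error('authorization failed: ' + q.get('error'));
  const got = Buffer.from(q.get('state') || '');
  const want = Buffer.from(expectedState);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) throw new Error('state mismatch');
  const code = q.get('code');
  if (!code) throw new Error('missing code');
  return code;
}
// Form body POSTed to the token endpoint by a public client (no client secret).
function tokenRequestBody(code, { clientId, redirectUri }) {
  const p = { grant_type: 'authorization_code', code, redirect_uri: redirectUri, client_id: clientId };
  return new URLSearchParams(p).toString();
}
// Header for FHIR calls once the token response has supplied access_token.
function bearerHeader(accessToken) {
  if (!accessToken || /\s/.test(accessToken)) throw new Error('invalid access token');
  return 'Bearer ' + accessToken;
}
```

The body from `tokenRequestBody` is sent with `Content-Type: application/x-www-form-urlencoded`; the `access_token` field of the JSON response is what goes into `bearerHeader`.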