How to call FHIR resources via a SYSTEM account


Stanton

Nov 20, 2018, 3:55:04 PM
to Cerner FHIR Developers
  • Issue Summary: I have requested a SYSTEM account for our BUILD domain and I'm not sure how to use it.  When I Test the secret after logging in, it lists an Access Token URL https://api.sandboxcernercare.com/oauth/access with Consumer Key and Consumer Secret and the result being an OAuth Access Token with an example request in CURL.  Am I supposed to use this same GET request to get the OAuth Token and then how do I use the token in a FHIR call?  Do I just use that value as is in an Authorization header? Or, do I parse out the values from the response such as the HMACSecrets, RSASHA1 value, etc. and then use those in the FHIR call?  Any example you can give in CURL would be helpful for the FHIR call.
  • X-Request-Id or CorrelationId: (from Response or Error Message)  None

Jenni Syed (Cerner)

Nov 20, 2018, 5:04:38 PM
to Cerner FHIR Developers
Hi,

After getting that system account, you'll still need to register the application in our code portal: https://fhir.cerner.com/authorization/#registration

You'll use the id from that system account in the "GUID" field when you register as a "system" type application.

B2B/System access uses the OAuth2 client credentials grant type. You can see examples of this call here: https://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system

If you're attempting to use this account/app in your own internal build domain and not against our public sandbox, follow instructions on this document to log an eService request to get it whitelisted in your domain (once you've registered it in our code portal): https://connect.ucern.com/docs/DOC-682161

There is also more information for client developers of SMART or FHIR apps on an internal group on uCern here: https://connect.ucern.com/groups/ignite-apis-community 

Thanks,
Jenni

Stanton

Nov 21, 2018, 12:28:42 PM
to cerner-fhir...@googlegroups.com
Hi Jenni,

Thanks for your response.  I registered the application on code.cerner.com and specified a Redirect URL to point to the server I know is already white-listed because it hosts an existing SMART on FHIR app that I created.  Although I didn't think this was a requirement because I thought using SYSTEM access meant the code would be able to run as a background task and not have to be launched from the context of a web app.  Ideally, we want to use this SYSTEM access so that we can request FHIR resources via our own API from the server code.

I registered the app and per your suggestion, I used the Account ID for the GUID field when registering the application.  Looking at the example, mentioned on:


What is used for the username/password for the Basic Authentication?  Do I use the Consumer Key and Consumer Secret for the username/password for the Basic auth or do I use my own username/password?

Also, regarding that example - it uses the URL 


I'm to change out the tenant ID with our tenant ID, correct?  I tried that in Postman and got an error of 401 Unauthorized and error invalid client:



Thanks,

Stanton  

--
You received this message because you are subscribed to a topic in the Google Groups "Cerner FHIR Developers" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/cerner-fhir-developers/7Bsxd1zq49w/unsubscribe.
To unsubscribe from this group and all its topics, send an email to cerner-fhir-devel...@googlegroups.com.
To post to this group, send email to cerner-fhir...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/2f33f308-a111-42d3-9dcd-301eaadf5126%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jenni Syed (Cerner)

Nov 21, 2018, 1:24:37 PM
to Cerner FHIR Developers

What is used for the username/password for the Basic Authentication?  Do I use the Consumer Key and Consumer Secret for the username/password for the Basic auth or do I use my own username/password?


You use the oauth client id (equivalent to the consumer key if looking at system accounts) and the secret as user/pass.

 
Also, regarding that example - it uses the URL 


I'm to change out the tenant ID with our tenant ID, correct?  I tried that in Postman and got an error of 401 Unauthorized and error invalid client:


I recommend starting in sandbox first, to make sure you're able to authenticate/it works (before trying it in another domain).  

Before it will work in your internal domain, you'll need to log the eService request as described on the uCern document I included in the last response.

Regards,
Jenni

Stanton

Nov 21, 2018, 2:52:26 PM
to cerner-fhir...@googlegroups.com
Thank you Jenni.  Taking your suggestion, I tried using the system account to access just the Sandbox.  

Putting in Postman exactly as the example suggested with the Basic Auth set to my Consumer Key and Secret, I still get an unauthorized_client message:


But when I try configuring Postman to use exactly the same GET as when I click on Test for the System account located at 


It uses a different request which does work:

"GET /oauth/access?oauth_consumer_key=<my_consumer_key>&oauth_signature_method=PLAINTEXT&oauth_timestamp=1542829586&oauth_nonce=1830681849776678&oauth_version=1.0&oauth_signature=<my_consumer_secret>%26 HTTP/1.1[\r][\n]
"X-NewRelic-ID: VQEFUFJWCRAJUFBTDwgCXw==[\r][\n]
"X-NewRelic-Transaction: PxRRWFFRCQIDVQBTBFIDBVECFB8EBw8RVU4aBAEPBgMCVggAAFJQVgcDBENKQQwFCQcAWw8DFTs=[\r][\n]
"Host: api.sandboxcernercare.com[\r][\n]
"Connection: Keep-Alive[\r][\n]
"[\r][\n]
I get back the OAuth Token response (values removed for security):
oauth_token=ConsumerKey=<my_consumer_key>&ExpiresOn=1542833186&HMACSecrets=<my_hmacSecrets>&KeysVersion=e5aa6e82-b9e5-4b36-9d61-f633380662f3&RSASHA1=<my_rsasha1>

Is the Test just something that's meant for just this UI for testing and not meant for us to use in practice?  Or is it the correct way to get the Oauth token and the documentation is incorrect?

Thanks,
Stanton


Jenni Syed (Cerner)

Nov 21, 2018, 3:38:04 PM
to Cerner FHIR Developers
Are you base64 encoding the id and secret? Including the colon between the two values?

If you click the error above, you'll see that the code listed states that there are empty scopes - did you include the scopes parameter in the body of the request? (note: there are other parameters that need to be included as well)

The other tester is for an OAuth 1.0 workflow, which is not what FHIR uses. FHIR uses an OAuth 2 workflow and the way you get tokens between those two specifications is very different.

Thanks,
Jenni
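The three points Jenni raises (Basic credentials are base64 of "client_id:client_secret" with the colon, the scope parameter belongs in the form body, and the OAuth 1.0 tester is a different protocol from the OAuth 2 client-credentials grant) are easy to get subtly wrong in Postman. The script below is an added example written for this thread, not Cerner code or a Cerner-documented client: it assembles the client-credentials token request, refuses to send a scope that is malformed or names an unknown resource type (which would have caught the "Observaition" typo mentioned later in the thread), parses the token response into a Bearer header, and builds the follow-up FHIR search. The token endpoint, FHIR base URL, credentials and the resource-type allowlist are placeholders and constructed values; substitute the real tenant endpoints from the authorization documentation linked above.

```python
"""OAuth 2 client-credentials flow for a system (B2B) FHIR app, as discussed
in this thread. All endpoints and credentials below are placeholders; nothing
is sent until you call urllib.request.urlopen on the returned Request."""
import base64
import json
import re
import time
import urllib.parse
import urllib.request

# Placeholders: the real token endpoint and tenant id come from the vendor's
# authorization documentation, not from this example.
TOKEN_URL = "https://AUTHORIZATION-SERVER-PLACEHOLDER/tenants/TENANT-ID-PLACEHOLDER/token"
FHIR_BASE = "https://FHIR-SERVER-PLACEHOLDER/TENANT-ID-PLACEHOLDER"

# Constructed allowlist, used only to catch misspelled resource types in scopes.
KNOWN_RESOURCES = {"Patient", "Observation", "Condition", "Encounter", "MedicationRequest"}
# Assumed SMART scope shape: <context>/<ResourceType>.<read|write|*>
SCOPE_RE = re.compile(r"^(system|user|patient)/([A-Za-z]+)\.(read|write|\*)$")


def validate_scopes(scopes):
    """Return the scopes that are malformed or name an unknown resource type."""
    bad = []
    for s in scopes:
        m = SCOPE_RE.match(s)
        if m is None or m.group(2) not in KNOWN_RESOURCES:
            bad.append(s)
    return bad


def basic_auth_header(client_id, client_secret):
    """RFC 7617 Basic credentials: base64 of 'client_id:client_secret',
    colon included (the detail Jenni asks about above)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id, client_secret, scopes):
    """Assemble (url, headers, body) for the client-credentials grant.
    Raises ValueError rather than sending a request with a broken scope."""
    bad = validate_scopes(scopes)
    if bad:
        raise ValueError(f"refusing to request a token with bad scope(s): {bad}")
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    # grant_type and scope travel in the form-encoded body, not the query string.
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "scope": " ".join(scopes),
    })
    return TOKEN_URL, headers, body


def bearer_from_token_response(payload, now=None):
    """Parse the JSON token response into (Authorization value, expiry epoch).
    Rejects a non-bearer token type and a token that is already expired."""
    data = json.loads(payload)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    now = time.time() if now is None else now
    expires_at = now + int(data["expires_in"])
    if expires_at <= now:
        raise ValueError("token already expired")
    return "Bearer " + data["access_token"], expires_at


def build_fhir_request(bearer, resource_type, params):
    """Build the FHIR search GET that uses the bearer token from the token call."""
    url = f"{FHIR_BASE}/{resource_type}?{urllib.parse.urlencode(params)}"
    return urllib.request.Request(
        url, headers={"Authorization": bearer, "Accept": "application/fhir+json"}
    )


if __name__ == "__main__":
    url, headers, body = build_token_request(
        "CLIENT-ID-PLACEHOLDER", "CLIENT-SECRET-PLACEHOLDER",
        ["system/Patient.read", "system/Observation.read"],
    )
    print("POST", url)
    print("Body:", body)
    # Constructed sample token response; a real one comes back from urlopen().
    sample = '{"access_token": "SAMPLE-TOKEN", "token_type": "Bearer", "expires_in": 570}'
    bearer, expires_at = bearer_from_token_response(sample)
    req = build_fhir_request(bearer, "Patient", {"_id": "PATIENT-ID-PLACEHOLDER"})
    print("GET", req.full_url)
```

The validation step is deliberately strict: a scope that the authorization server silently drops produces the "empty scopes" error Jenni describes, which is much harder to diagnose than a local ValueError naming the offending string. Note also that nothing from the OAuth 1.0 test response (HMACSecrets, RSASHA1) appears here; the OAuth 2 flow only needs the client id, the secret and the scopes.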

Stanton

Nov 21, 2018, 5:09:41 PM
to cerner-fhir...@googlegroups.com
Thanks Jenni!  That was the clue - apparently in my scope I had a typo (instead of Observation I had "Observaition").  I get an access token back now and using that bearer token I am able to request resources from the sandbox.  Hooray!

So now I'll put in an eService Request to request System account access for our build environment.

Thanks for all your help and Happy Thanksgiving,

Stanton


