Practitioner FHIR User Insufficient_Scope


Aditya Ayyagari

Apr 5, 2021, 12:16:54 PM
to Cerner FHIR Developers
We have registered a Sandbox App as below

Client Id: ec1ec9ab-05e5-4e12-b6c1-357cec375ceb
App Id: 654a485f-7e7e-4390-b709-8966654c0b24
SMART Launch URI: https://localhost:44304/SmartClient/
Redirect URI: https://localhost:44304/SMARTArchive/APPID/
App Type: provider
FHIR Spec: dstu2 - "https://fhir-ehr-code.cerner.com/dstu2/ec2458f2-1e24-41c8-b71b-0e701af7583d"
Authorized: true
Standard Scopes: launch profile fhirUser openid online_access
Patient Scopes: patient/Patient.read
User Scopes: user/Patient.read user/Person.read user/Practitioner.read

As you can see, it is a provider app, and it has the Practitioner.read scope.
It launches our SMART app without any issues, and we are also given the token response, but when we try to get the user information with the access token, the request to the user ID URL results in the insufficient_scope error:


{
    "resourceType": "OperationOutcome",
    "issue": [
        {
            "severity": "error",
            "code": "forbidden",
            "diagnostics": "Bearer realm=\"fhir-ehr-code.cerner.com\", error=\"insufficient_scope\"",
            "location": [
                "http.Authorization"
            ]
        }
    ]
}

How do I fix this error?





Aaron McGinn (Cerner)

Apr 5, 2021, 1:47:45 PM
to Cerner FHIR Developers
Per our group guidelines, can you provide the X-Request-Id from the response headers?

-Aaron (Cerner)

Aditya Ayyagari

Apr 5, 2021, 2:22:57 PM
to Cerner FHIR Developers
Here is the X-Request-Id from the response headers:

d0e2e3b2-bb05-467d-b1e2-52632e856aed

Aditya Ayyagari

Apr 5, 2021, 6:14:03 PM
to Cerner FHIR Developers
Hope you have an answer to this issue. 

Aaron McGinn (Cerner)

Apr 5, 2021, 6:28:06 PM
to Cerner FHIR Developers
In the scopes you provided, you have "user%2F%20Practitioner.read" or "user/ Practitioner.read", so that will be read as two separate scopes. This means you were not authorized for "user/Practitioner.read".

-Aaron (Cerner)
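The failure Aaron describes is easy to reproduce and easy to guard against on the client side: OAuth 2.0 scope values are space-delimited, so a stray space inside `user/ Practitioner.read` becomes two tokens, `user/` and `Practitioner.read`, neither of which is a valid SMART scope. The following Python is an added example (not Cerner's code and not the poster's) that validates a scope string against the SMART v1 scope grammar before the authorize redirect, shows how the stray space survives URL encoding as `%20`, checks the `scope` value returned with the token against what the app needs, and recognises the `insufficient_scope` OperationOutcome quoted earlier in the thread. The authorize endpoint, client_id, launch, state and aud values are placeholders; the OperationOutcome sample is the one posted above.

```python
"""Validate SMART on FHIR scope strings the way the authorization server
tokenizes them, and recognise the insufficient_scope OperationOutcome.

Added example; not Cerner's code. Endpoint and identifier values used in
the usage section are placeholders."""
import json
import re
from urllib.parse import parse_qs, quote, urlencode, urlparse

# SMART v1 scope grammar (as used with DSTU2 servers): launch context
# scopes, OpenID scopes, and (patient|user)/<ResourceType|*>.(read|write|*).
SCOPE_RE = re.compile(
    r"^(?:launch(?:/patient|/encounter)?"
    r"|openid|profile|fhirUser|online_access|offline_access"
    r"|(?:patient|user)/(?:[A-Z][A-Za-z]*|\*)\.(?:read|write|\*))$"
)

# OperationOutcome body from the original post (constructed copy for the test).
SAMPLE_OUTCOME = json.dumps({
    "resourceType": "OperationOutcome",
    "issue": [{
        "severity": "error",
        "code": "forbidden",
        "diagnostics": 'Bearer realm="fhir-ehr-code.cerner.com", error="insufficient_scope"',
        "location": ["http.Authorization"],
    }],
})


def tokenize_scopes(scope_param):
    """RFC 6749 scope values are space-delimited, so a space inside one
    scope splits it into two unrelated tokens."""
    return scope_param.split()


def validate_scopes(scope_param):
    """Return (well_formed, malformed) lists of scope tokens."""
    ok, bad = [], []
    for tok in tokenize_scopes(scope_param):
        (ok if SCOPE_RE.fullmatch(tok) else bad).append(tok)
    return ok, bad


def build_authorize_url(authorize_endpoint, client_id, redirect_uri,
                        scope_param, launch, state, aud, strict=True):
    """Build the SMART EHR-launch authorize request. With strict=True a
    malformed scope fails here instead of at the later resource call.
    quote_via=quote encodes a space as %20 and '/' as %2F, which is the
    form seen in the thread."""
    _, bad = validate_scopes(scope_param)
    if strict and bad:
        raise ValueError("malformed scope tokens: %r" % bad)
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope_param,
        "launch": launch,
        "state": state,
        "aud": aud,
    }
    return authorize_endpoint + "?" + urlencode(query, quote_via=quote)


def scopes_in_url(url):
    """Decode the scope parameter back out of an authorize URL."""
    return parse_qs(urlparse(url).query).get("scope", [""])[0]


def missing_scopes(granted_scope, required):
    """Compare the `scope` value in the token response against the scopes
    the app needs, before any resource request is made."""
    granted = set(tokenize_scopes(granted_scope))
    return [s for s in required if s not in granted]


def is_insufficient_scope(outcome_json):
    """True if a FHIR OperationOutcome reports the insufficient_scope error."""
    outcome = json.loads(outcome_json)
    if outcome.get("resourceType") != "OperationOutcome":
        return False
    return any(
        issue.get("code") == "forbidden"
        and 'error="insufficient_scope"' in issue.get("diagnostics", "")
        for issue in outcome.get("issue", [])
    )


if __name__ == "__main__":
    bad_scopes = "launch profile fhirUser openid online_access user/ Practitioner.read"
    print(validate_scopes(bad_scopes))
    url = build_authorize_url("https://authorize.example/authorize",  # placeholder
                              "CLIENT_ID_PLACEHOLDER",
                              "https://localhost:44304/SmartClient/",
                              bad_scopes, "LAUNCH", "STATE",
                              "https://fhir.example/dstu2", strict=False)
    print(url)
    print(tokenize_scopes(scopes_in_url(url)))
    print(is_insufficient_scope(SAMPLE_OUTCOME))
```

Running the `__main__` section shows the five context scopes as well formed and `user/` plus `Practitioner.read` as malformed, the encoded query containing `scope=...user%2F%20Practitioner.read`, and the same two broken tokens coming back out of the URL. Checking the granted `scope` in the token response with `missing_scopes` before the first resource call turns a confusing 403 into a clear local error.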

Aditya Ayyagari

Apr 6, 2021, 11:41:23 AM
to Cerner FHIR Developers
Thank you, it works now. Do we get the email address of the Practitioner as part of the resource field data?

Aaron McGinn (Cerner)

Apr 6, 2021, 1:33:19 PM
to Cerner FHIR Developers
The email address will return as part of the telecom attribute [1].


-Aaron (Cerner)

Aditya Ayyagari

Apr 6, 2021, 2:37:03 PM
to Cerner FHIR Developers
Practitioner.telecom is missing for the portal user. In production, would they have the data to respond with for this field?

Aaron McGinn (Cerner)

Apr 6, 2021, 4:08:43 PM
to Cerner FHIR Developers
For example, Kristin Carter has an email: /Practitioner/11817978

-Aaron (Cerner)