Facing issues while Implementing the SMART ON FHIR via Cerner


Rajesh Kumar

Sep 21, 2021, 12:35:49 PM
to Cerner FHIR Developers
Hi Team,

Facing the below issues while implementing SMART on FHIR using Cerner in my REST controllers:

So any help in this regard will be highly appreciated.

Rajesh Kumar

Fenil Desani (Cerner)

Sep 22, 2021, 1:04:02 AM
to Cerner FHIR Developers

Why would you be passing context params for a provider App? Would your App be standalone or embedded with Cerner?
State param needs to be provided by the App during launch and will be returned after successful auth.
Aud param generally should be discovered from iss param returned from the launch.


Rajesh Kumar

Sep 22, 2021, 5:48:18 AM
to Cerner FHIR Developers
Hi Fenil,

Thank you so much for your response.

Our App uses the EHR launch sequence http://hl7.org/fhir/smart-app-launch/1.0.0/#ehr-launch-sequence & we are implementing it at the backend level.

1. Queries on aud params:
For constructing the URL for redirect, previously I was not able to get the authorization code, i.e. the 'code' param, while redirecting to /ready; as a result I was getting the below error:

Adding the 'aud':'https://fhir-ehr-code.cerner.com/dstu2/ec2458f2-1e24-41c8-b71b-0e701af7583d' to the redirect URL resolved our issue & now I'm able to generate the token as below:

Can we hard-code the 'aud' param while constructing it in the redirect URL based on the below documentation? Is this an expected behavior?

2. Queries on 'state' param:

  • Currently my App is working fine with the 'state' param empty or with some hardcoded string value, for example:
  • In case I want to restore the original 'state' param value, currently my function is not able to generate the 'state' param.
    As per the http://www.hl7.org/fhir/smart-app-launch/ doc, the authorization server includes this 'state' value when redirecting the user-agent back to the client; in my case 'state' is not getting included by the authorization server.

  • Is it fine to have the state param empty or hardcoded with some string value?

Can you please provide your comments on my above queries?

Please feel free to ask further questions.

Rajesh Kumar

Fenil Desani (Cerner)

Sep 22, 2021, 10:13:26 AM
to Cerner FHIR Developers
If the App is launched from within Cerner's chart, on your launch URL you would get back launch code and iss param. The iss param would be the aud param and we hope you fetch it dynamically.
In case your App is not launched from within Cerner or you don't get the iss value, yes you can hardcode the value.

state - An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHALL be used for preventing cross-site request forgery or session fixation attacks. The app SHALL use an unpredictable value for the state parameter with at least 122 bits of entropy (e.g., a properly configured random uuid is suitable). The app SHALL validate the value of the state parameter upon return to the redirect URL and SHALL ensure that the state value is securely tied to the user’s current session (e.g., by relating the state value to a session identifier issued by the app). The value of state param will be returned by the Auth Server on callback.
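
The two points discussed in this thread (aud taken from the iss received at launch, and an unpredictable, session-bound state that is checked on the callback), as an added Python example that is not part of the original thread and is not Cerner's code. The `session` dict, the `authorize_endpoint` argument and the function names are assumptions; a real app would use its framework's server-side session and the authorization endpoint advertised for the `iss` it was launched with.

```python
import hmac
import secrets
from urllib.parse import urlencode


class StateError(Exception):
    """Raised when the callback cannot be tied to the session that started it."""


def build_authorize_url(session, authorize_endpoint, client_id, redirect_uri,
                        scope, iss, launch):
    """Build the authorization redirect for an EHR launch.

    iss and launch are the values received on the app's launch URL.
    """
    state = secrets.token_urlsafe(32)   # 256 random bits, above the 122-bit minimum
    session["oauth_state"] = state      # bind the value to this user's session
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "launch": launch,
        "aud": iss,                     # fetched from the launch, not hard-coded
        "state": state,
    }
    return authorize_endpoint + "?" + urlencode(params)


def handle_callback(session, query):
    """Validate state on the redirect URL and return the authorization code."""
    expected = session.pop("oauth_state", None)   # single use: a replay finds nothing
    received = query.get("state", "")
    # Constant-time comparison; bytes so non-ASCII input cannot raise TypeError.
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise StateError("state missing or not bound to this session")
    if "code" not in query:
        raise StateError("callback carries no authorization code")
    return query["code"]
```

With an empty or hardcoded state, `handle_callback` has nothing session-specific to compare against, which is the check the quoted specification text requires.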