Auth code error


Ravi Ada

May 9, 2018, 6:06:13 PM
to Cerner FHIR Developers
I am trying to get the OAuth flow working for a standalone app for the patient workflow.

Here are our app details.

App Info


Client Id: c7256b12-f1f7-4425-a1bf-68ce0ef0f811

App Id: f31117ab-2407-4efb-b333-754bea1649bf

Redirect URI: http://localhost:8084/authorize/fhir/cerner-millennium/callback


App Type: patient

FHIR Spec: dstu2 - "https://fhir-myrecord.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca"

Authorized: true


Standard Scopes:

launch

profile

openid

online_access

launch/patient


Patient Scopes:

patient/AllergyIntolerance.read



Here is my authorization URL


https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/personas/patient/authorize?state=KrOe7p&client_id=c7256b12-f1f7-4425-a1bf-68ce0ef0f811&response_type=code&scope=launch/patient%20online_access%20openid%20profile%20patient/AllergyIntolerance.read%20patient/Appointment.read%20patient/Binary.read%20patient/CarePlan.read%20patient/Condition.read%20patient/Contract.read%20patient/Device.read%20patient/DiagnosticReport.read%20patient/DocumentReference.read%20patient/Encounter.read%20patient/Goal.read%20patient/Immunization.read%20patient/MedicationAdministration.read%20patient/MedicationOrder.read%20patient/MedicationStatement.read%20patient/Observation.read%20patient/OperationDefinition.read%20patient/Patient.read%20patient/Person.read%20patient/Practitioner.read%20patient/Procedure.read%20patient/RelatedPerson.read%20patient/Schedule.read%20patient/Slot.read%20patient/StructureDefinition.read%20patient/Appointment.write%20patient/Patient.write&redirect_uri=http://localhost:8084/authorize/fhir/cerner-millennium/callback&aud=https%253A%252F%252Ffhir-myrecord.sandboxcerner.com%252Fdstu2%252F0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca



Here is the error I am getting



http://localhost:8084/authorize/fhir/cerner-millennium/callback?state=KrOe7p&error=invalid_request&error_uri=https://authorization.sandboxcerner.com/errors/urn:cerner:error:authorization-server:smart-v1:grant:launch:audience-not-white-listed/instances/2c2a52fe-5cad-4a2a-8964-408b48406e2c?persona=patient&client=c7256b12-f1f7-4425-a1bf-68ce0ef0f811&tenant=0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca



Even though I did not set up the launch API, I am getting this error. What else am I missing? Do we need to whitelist our app with the sandbox?


Thanks

Ravi Ada

Jenni Syed (Cerner)

May 10, 2018, 10:36:51 AM
to Cerner FHIR Developers
Hi Ravi!

It looks like the URL was double-encoded. For example, I would expect the aud parameter to look like this:

https%3A%2F%2Ffhir-myrecord.sandboxcerner.com%2Fdstu2%2F0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca

Regards,
Jenni
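
The fix described above, as an added example that is not part of the original thread or of Cerner's own code: build the authorize URL from raw (unencoded) values so that each parameter is percent-encoded exactly once, classify the aud parameter of any authorize URL the way the server will decode it (catching the %253A double-encoding from the first post), and parse the redirect back to the app with the state check done before anything else. The endpoint, tenant, client id, redirect URI and FHIR base URL are the values quoted in the thread; the function and variable names are this example's own.

```python
"""Single-pass encoding of a SMART-on-FHIR authorize URL, plus an audit for the
double-encoded aud mistake and a state-checking callback parser.

Added example; not code from the original post or from Cerner. The endpoint,
client id, redirect URI and FHIR base URL are the values quoted in the thread.
"""
import secrets
from urllib.parse import parse_qs, quote, unquote, urlsplit

AUTHORIZE_ENDPOINT = (
    "https://authorization.sandboxcerner.com/tenants/"
    "0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/"
    "smart-v1/personas/patient/authorize"
)
FHIR_BASE = "https://fhir-myrecord.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca"
CLIENT_ID = "c7256b12-f1f7-4425-a1bf-68ce0ef0f811"
REDIRECT_URI = "http://localhost:8084/authorize/fhir/cerner-millennium/callback"


def new_state() -> str:
    """Unguessable per-request state; store it server-side and compare on callback."""
    return secrets.token_urlsafe(16)


def build_authorize_url(scopes, state, aud=FHIR_BASE) -> str:
    """Assemble the authorize request from raw, unencoded parameter values.

    Every value is percent-encoded exactly once here, with safe="" so that ':'
    and '/' in aud and redirect_uri become %3A and %2F. Pre-encoding the aud
    before passing it in is what produced aud=https%253A%252F... in the thread.
    """
    params = {
        "state": state,
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": REDIRECT_URI,
        "aud": aud,  # the plain FHIR base URL the app was registered for
    }
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def audit_aud(url, expected_aud=FHIR_BASE) -> str:
    """Classify the aud parameter of an authorize URL as the server will see it.

    Returns "ok", "double-encoded", "mismatch" or "missing".
    """
    q = parse_qs(urlsplit(url).query)
    if "aud" not in q:
        return "missing"
    once = q["aud"][0]  # parse_qs has already percent-decoded it once
    if once == expected_aud:
        return "ok"
    if unquote(once) == expected_aud:
        return "double-encoded"  # a second decode was needed: %253A was sent, not %3A
    return "mismatch"


def handle_callback(callback_url, expected_state) -> dict:
    """Parse the redirect back to the app: verify state first, then code or error."""
    q = parse_qs(urlsplit(callback_url).query)
    got_state = q.get("state", [""])[0]
    if not secrets.compare_digest(got_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: reject the response (possible CSRF or stale session)")
    if "error" in q:
        return {"error": q["error"][0], "error_uri": q.get("error_uri", [""])[0]}
    return {"code": q["code"][0]}
```

The audit decodes once (as any server does) and reports "double-encoded" only when a second decode is needed to reach the registered FHIR base URL, which is the exact failure mode from the first post. Use `new_state()` per request and keep the value server-side; the callback parser refuses the response before it looks at `code` or `error`, so a forged redirect cannot inject a code into an unrelated session.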

Ravi Ada

May 10, 2018, 1:59:45 PM
to Cerner FHIR Developers
Great, thanks, that was it. I thought I should encode the URL and set it as aud, but my Java Spring code was encoding it again before sending the request out. Now I set it to the un-encoded URL and let Spring encode it before sending. It works.

However, I noticed that refresh_tokens are not being sent in the response. Is that not enabled in the sandbox? How do I get a refresh_token?

I am using these scopes.

        "launch/patient offline_access patient/AllergyIntolerance.read patient/Appointment.read patient/Binary.read patient/CarePlan.read patient/Condition.read patient/Contract.read patient/Device.read patient/DiagnosticReport.read patient/DocumentReference.read patient/Encounter.read patient/Goal.read patient/Immunization.read patient/MedicationAdministration.read patient/MedicationOrder.read patient/MedicationStatement.read patient/Observation.read patient/OperationDefinition.read patient/Patient.read patient/Person.read patient/Practitioner.read patient/Procedure.read patient/RelatedPerson.read patient/Schedule.read patient/Slot.read patient/StructureDefinition.read patient/Appointment.write patient/Patient.write"

Here is the token I received.

{
  "access_token": "eyJraWQiOiIyMDE4LTA1LTA5VDE1OjU3OjI4LjQxNy5lYyIsInR5cCI6IkpXVCIsImFsZyI6IkVTMjU2In0.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.V41MJijr121VLe7Jlm2tv7VPUEJ7LZGmjmcmO3ipSDv_hHIsqaftHfwo60oiZcpoLu9mxHoJw4vOeGLEW0sGNQ",
  "patient": "4342008",
  "scope": "launch/patient patient/AllergyIntolerance.read patient/Appointment.read patient/Binary.read patient/CarePlan.read patient/Condition.read patient/Contract.read patient/Device.read patient/DiagnosticReport.read patient/DocumentReference.read patient/Encounter.read patient/Goal.read patient/Immunization.read patient/MedicationAdministration.read patient/MedicationOrder.read patient/MedicationStatement.read patient/Observation.read patient/Patient.read patient/Person.read patient/Practitioner.read patient/Procedure.read patient/RelatedPerson.read patient/Schedule.read patient/Slot.read patient/Appointment.write",
  "token_type": "Bearer",
  "expires_in": 570
}

Thanks
Ravi Ada

Jenni Syed (Cerner)

May 14, 2018, 12:50:32 PM
to Cerner FHIR Developers
It looks like the app doesn't have the offline_access scope, based on the response from the authorization server. This scope is required in order to use refresh tokens in offline_access mode, which also requires a confidential application.

Read more on how to set this up here: https://fhir.cerner.com/authorization/#registration (you'll have to request some credentials for the app first, before registering in the code console).

~ Jenni
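
The check behind this answer, as an added example that is not part of the original thread or of Cerner's own code: diff the scopes the app requested against the `scope` field the authorization server actually granted, and only treat the session as refreshable when a `refresh_token` was issued and `offline_access` was granted. The requested and granted scope strings are the ones quoted in the thread; the access token in the sample response is replaced by a constructed placeholder, and the function names are this example's own.

```python
"""Requested-vs-granted scope audit for a SMART-on-FHIR token response.

Added example; not code from the original post or from Cerner. The scope
strings are the ones quoted in the thread; the access_token value is a
constructed placeholder standing in for the JWT.
"""
import json

REQUESTED_SCOPES = (
    "launch/patient offline_access patient/AllergyIntolerance.read patient/Appointment.read "
    "patient/Binary.read patient/CarePlan.read patient/Condition.read patient/Contract.read "
    "patient/Device.read patient/DiagnosticReport.read patient/DocumentReference.read "
    "patient/Encounter.read patient/Goal.read patient/Immunization.read "
    "patient/MedicationAdministration.read patient/MedicationOrder.read "
    "patient/MedicationStatement.read patient/Observation.read patient/OperationDefinition.read "
    "patient/Patient.read patient/Person.read patient/Practitioner.read patient/Procedure.read "
    "patient/RelatedPerson.read patient/Schedule.read patient/Slot.read "
    "patient/StructureDefinition.read patient/Appointment.write patient/Patient.write"
).split()

# Token response from the thread; the access_token is a constructed placeholder.
TOKEN_RESPONSE = json.loads("""{
  "access_token": "eyJ.constructed-placeholder.sig",
  "patient": "4342008",
  "scope": "launch/patient patient/AllergyIntolerance.read patient/Appointment.read patient/Binary.read patient/CarePlan.read patient/Condition.read patient/Contract.read patient/Device.read patient/DiagnosticReport.read patient/DocumentReference.read patient/Encounter.read patient/Goal.read patient/Immunization.read patient/MedicationAdministration.read patient/MedicationOrder.read patient/MedicationStatement.read patient/Observation.read patient/Patient.read patient/Person.read patient/Practitioner.read patient/Procedure.read patient/RelatedPerson.read patient/Schedule.read patient/Slot.read patient/Appointment.write",
  "token_type": "Bearer",
  "expires_in": 570
}""")


def granted_scopes(token_response) -> set:
    """The authoritative scope set is the one in the response, not the request."""
    return set(token_response.get("scope", "").split())


def missing_scopes(requested, token_response) -> list:
    """Scopes the app asked for that the server silently dropped, sorted."""
    return sorted(set(requested) - granted_scopes(token_response))


def can_refresh(token_response) -> bool:
    """Refresh is only possible when a refresh_token was issued AND offline_access
    was granted; a missing refresh_token with offline_access absent from 'scope'
    means the app is not registered for it (confidential app + offline_access)."""
    return "refresh_token" in token_response and "offline_access" in granted_scopes(token_response)


def session_plan(requested, token_response) -> dict:
    """What the app must do with this token: re-authorize before expiry unless refreshable."""
    missing = missing_scopes(requested, token_response)
    plan = {
        "missing": missing,
        "refreshable": can_refresh(token_response),
        "reauth_after_seconds": None if can_refresh(token_response) else token_response.get("expires_in"),
    }
    if "offline_access" in missing:
        plan["note"] = ("offline_access was not granted: request credentials and register the "
                        "app as confidential with that scope before expecting a refresh_token")
    return plan


if __name__ == "__main__":
    print(json.dumps(session_plan(REQUESTED_SCOPES, TOKEN_RESPONSE), indent=2))
```

Run against the response in the thread, the plan lists `offline_access`, `patient/OperationDefinition.read`, `patient/Patient.write` and `patient/StructureDefinition.read` as dropped, reports the session as not refreshable, and schedules a re-authorization within the 570-second lifetime. The point of the check is that a server may trim the scope list without returning an error, so an app should always read `scope` from the response rather than assume its request was honoured.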
