Contextless flow - launch scope and code

[Charles Keenan]

Hi Cerner team,

I am currently testing my SMART on FHIR app in both an EHR Launch flow and a contextless flow.

When I test an EHR Launch flow out of the Cerner code console, the flow is successful and my authorization code request looks like this:

https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/personas/provider/authorize?aud=https://fhir-ehr-code.cerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d&aud=https%3A%2F%2Ffhir-ehr-code.cerner.com%2Fr4%2Fec2458f2-1e24-41c8-b71b-0e701af7583d&client_id=b7374dab-3161-49da-8bbd-0eb5b268b525&launch=fc334eb7-3388-441c-a998-7b7f22617cf0&redirect_uri=https%3A%2F%2Fcerner-fhir.demo.phenotips.com%2Fredirect_uri&nonce=7bb8014c8b84d1aabeb1bd1baab41074&scope=launch%20patient%2FObservation.read%20patient%2FPatient.read%20openid%20fhirUser%20profile%20online_access%20user%2FPatient.read%20user%2FPractitioner.read&state=2f2e28af6caffdb14f22dc61360f8693&response_type=code

However, when I attempt a contextless flow (make a direct request to Cerner's authorization endpoint with no launch parameter or iss parameter), I get a "Launch Code Required" error. Here's the authorization code request:

https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/personas/provider/authorize?aud=https://fhir-ehr-code.cerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d&client_id=b7374dab-3161-49da-8bbd-0eb5b268b525&redirect_uri=https%3A%2F%2Fcerner-fhir.demo.phenotips.com%2Fredirect_uri&nonce=41912d3d16c8b148d01fec61ae415b5f&scope=launch%20patient%2FObservation.read%20patient%2FPatient.read%20openid%20fhirUser%20profile%20online_access%20user%2FPatient.read%20user%2FPractitioner.read&state=6170e02b99b1c8b4b75dfed772dd0ac0&response_type=code

I have reviewed your authorization documentation (http://fhir.cerner.com/authorization/), and tried to follow the example where the "launch" scope is removed and an empty launch parameter is provided in the authorization code request, but that doesn't seem to work either.

What is the proper combination of scope values and launch parameter value needed in the authorization code request for contextless flows?

Thanks for your time.

Charles

[Aaron McGinn (Oracle Cerner)]

You can find more information about this standalone workflow and requirements on the HL7 SMART app launch page [1] or Oracle Cerner's authorization specification page [2].

[1] https://hl7.org/fhir/smart-app-launch/2021May/#standalone-launch-sequence

[2] https://fhir.cerner.com/authorization/authorization-specification/#contextless-flow

-Aaron (Oracle Cerner)

[Charles Keenan]

Aaron,

Thanks for the resources, but I reviewed them and still couldn't find any troubleshooting suggestion for my issue. Could you tell me if Cerner's authorization endpoint expects launch scopes and launch parameters in a contextless authorization code request, and what might their values be?

[Aaron McGinn (Oracle Cerner)]

This HL7 page [1] provides a bit more detail on how to obtain the patient. Our Authorization page [2] explains the necessary information for this workflow. HL7 also provides a more detailed example [3].

In order to look into your specific failure calls, can you provide the Cerner-Correlation-Id from the response headers?

[1] https://hl7.org/fhir/smart-app-launch/2021May/scopes-and-launch-context.html#standalone-apps

[2] https://fhir.cerner.com/authorization/#construct-the-authorization-request-url

[3] https://hl7.org/fhir/smart-app-launch/2021May/index.html#for-example-2

-Aaron (Oracle Cerner)

[Charles Keenan]

Aaron,

In this case, i'm not looking to obtain any patient or encounter context. I have read the documentation you provided in link [2], and I understand that the launch parameter is optional. However, when I don't provide the launch parameter, I get a "launch parameter required" error. Can you look at my request (Cerner-Correlation-Id 50affea6-c099-4204-9f78-e79a22d76e4c) and tell me what is wrong?

Charles

[Aaron McGinn (Oracle Cerner)]

The launch code is required for external launches. I agree that the documentation may be misleading on that statement/bullet! Do you get the same error when you provide that parameter?

-Aaron (Oracle Cerner)

[Charles Keenan]

Aaron,

My apologies, but I think I may have sent you a private response earlier this afternoon instead of posting my response publicly. If I am correct, please feel free to copy and paste my private response in your next response to this public thread.

Charles

[Aaron McGinn (Oracle Cerner)]

I don't see anything from you, but that doesn't mean the email servers aren't holding it hostage temporarily!

-Aaron (Oracle Cerner)

[Charles Keenan]

Aaron,

Okay. I'll post my message publicly this time:

What do you mean by an external launch? Do you mean a contextual launch out of PowerChart or a launch by a standalone app? If it's the latter, I don't understand why the launch code would be required, because standalone app launches are not seeking patient or encounter context. 

I want to reiterate that I am trying to perform a standalone app launch, and I don't want any context from the token endpoint response. For this use case, should "launch" be included as a scope? Should an empty "launch" parameter be added to the authorization code request?

Additionally, for what it's worth, when I make up a launch code (launch=123abc) and append it to the authorization code request, I get an "invalid launch code" error (Cerner-Correlation-Id 87a2315e-e1e6-475e-93c8-e81dffd949bf).

Charles

[Charles Keenan]

Hi Aaron,

Just following up on this thread so it doesn't get lost throughout the holidays. Hope you're enjoying your holidays!

Charles

[Charles Keenan]

Hey Aaron,

Following up on this thread with a nudge!

Best,

Charles