Insufficient Scope

[Jay G]

Hello,

We get 403 Forbidden errors on DiagnosticReport, MedicationOrder, Immunization and Procedure with an 'insufficient scope' error. 

We have all the checkboxes checked under our app in code.cerner.com and we pass all these in the scope:

patient/AllergyIntolerance.read patient/CarePlan.read patient/Condition.read patient/Device.read patient/DiagnosticReport.read patient/DocumentReference.read patient/Binary.read patient/MedicationStatement.read patient/MedicationOrder.read patient/Observation.read patient/Patient.read patient/Procedure.readpatient/Immunization.readpatient/FamilyMemberHistory.read

Do those calls need to be provisioned on the FHIR endpoint server for that tenant id?

Thanks,

Jay

[Max Philips (Cerner)]

Hi Jay,

Per group guidelines, can you provide an X-Request-Id response header to help us investigate?

Thanks,

Max (Cerner)

[Jay G]

Diagnostic Report:  x-amzn-RequestId →fffe78b9-6ab6-11e9-935b-8505a26706f2

Medication Order: x-amzn-RequestId →252c7227-6ab7-11e9-8381-918096be36d9

Immunization: x-amzn-RequestId →3fb88f45-6ab7-11e9-8552-9f1eeb510ec0

Procedure: x-amzn-RequestId →54c0ed73-6ab7-11e9-84ef-55487a53d5c5

[Max Philips (Cerner)]

Hi Jay,

Thanks for the extra information.

It looks like when requesting a token from the authorization server, you are not passing in a space between the patient/Procedure.read and the patient/Immunization.read scopes. (According to what you have written above this might to be the case for the patient/FamilyMemberHistory.read scope too, but that scope looks ok in the logs).

Adding a space there should be a step in the right direction - I'm continuing to investigate why the DiagnosticReport and MedicationOrder requests are also returning 403.

Thanks,

Max (Cerner)

[Scott Rossignol]

Hi Max,

I am running into this issue as well with the MedicationOrder resource. My scope is properly set in my application and my authentication request contains the system/MedicationOrder.read string. All other scopes work properly.

X-request-id: 7bda6da8b15912166a52331b4f44efdd

Thanks,

-Scott Rossignol

[Max Philips (Cerner)]

Hi Scott,

Looks like your client isn't set up to request the "system/MedicationOrder.read" scope, so although you have it present in your authentication request, the authorization server isn't adding it to the tokens it dispenses for you. You should be able to add a system MedicationOrder scope to your client through the Developer Portal. After saving the new configuration, it will take about 10-15 minutes before you can get tokens with the new scope.

Please let me know if you have any further questions.

Thanks,

Max (Cerner)

[Scott Rossignol]

Thanks Max. I added that scope a week ago though, and it's still listed in my developer portal. While troubleshooting today I refreshed my secret ID and secret. I'm wondering if this could be an issue. My Account ID in the system account portal no longer matches my Client ID or App ID in the developer portal (I think it's supposed to match the Client ID?).

System Scopes:

system/AllergyIntolerance.read

system/Binary.read

system/Condition.read

system/Contract.read

system/Device.read

system/DiagnosticReport.read

system/DocumentReference.read

system/Encounter.read

system/Immunization.read

system/MedicationAdministration.read

system/MedicationOrder.read

system/MedicationStatement.read

system/Observation.read

system/Patient.read

system/Procedure.read

-Scott Rossignol

--
You received this message because you are subscribed to the Google Groups "Cerner FHIR Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cerner-fhir-devel...@googlegroups.com.
To post to this group, send email to cerner-fhir...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/7132f985-9971-49d0-a2a9-ee6363adf3db%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Max Philips (Cerner)]

Yep, that would be an issue. It should match the client id. You may need to register a new application in the Developer Portal to match the new system account id you are using.

Thanks,

Max (Cerner)