An implementation issue with /token endpoint for system


Arvind K

Jan 12, 2019, 3:11:05 AM
to Cerner FHIR Developers
Hi,
I would like to notify the Cerner dev folks of an implementation issue/gap in the /token endpoint. The endpoint accepts a URI-encoded value in the scope parameter for provider type apps but fails to accept the value for system type apps. I saw this behavior while making the request for the same. Attaching the "Correlation ID": "8eb13ea4-9b8c-499b-93f7-420d3912cbe8" for the request made to /token as system with a URI-encoded scope value.

Hope you fix this.

Jenni Syed (Cerner)

Jan 12, 2019, 12:29:34 PM
to Cerner FHIR Developers
Thanks for letting us know. When you say "URI encoded", can you give an example of the encoded string for scopes? For example, I don't think "+" is supposed to be allowed in an application/x-www-form-urlencoded body (https://tools.ietf.org/html/rfc6749#appendix-B). They also should not be passed as URL parameters (they must be passed in the POST body), though this should be enforced in a consistent manner for both scenarios.

The correlation you provided is complaining about there being no scopes. When I look through logs for this specific client id, I'm seeing calls to both the /token OAuth 2.0 endpoint and the "legacy" OAuth 1.0a endpoint (which should not be used for any SMART/FHIR authentication).

~ Jenni

Arvind K

Jan 14, 2019, 2:31:18 AM
to Cerner FHIR Developers
Hi Jenni,
The following is an example of the URI-encoded scopes:

"system%2FAppointment.read%20system%2FAppointment.write"

The /token endpoint stopped complaining about empty scopes when I passed the scope as follows:

"system/Appointment.read system/Appointment.write"

Regarding the calls to the "legacy" endpoint, I guess they were made while testing the flow for getting a token.
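The exchange above comes down to how many times the scope value gets percent-encoded before it reaches the token endpoint. The following is an added illustration and is not Cerner's code or part of the original thread: it builds a client_credentials form body the way an HTTP library would (encoding once), builds the same body with a scope string that was already percent-encoded by hand (so it is encoded twice), and shows what a token endpoint sees after the single decode that application/x-www-form-urlencoded permits. The KNOWN_SCOPES set and the validate_scopes() behaviour are assumptions made for the example; client authentication (client_secret or a signed client assertion) is left out because the thread does not discuss it.

```python
from urllib.parse import urlencode, parse_qs, quote

# Scopes taken from the thread's example (constructed sample input).
SCOPES = ["system/Appointment.read", "system/Appointment.write"]

# Hypothetical set of scopes the authorization server recognises (an assumption
# for this example, not Cerner's configuration).
KNOWN_SCOPES = {
    "system/Appointment.read",
    "system/Appointment.write",
    "system/Patient.read",
}


def build_token_body(scopes, pre_encode=False):
    """Build the application/x-www-form-urlencoded body of a client_credentials
    token request, the way an HTTP client library encodes a form dict.

    With pre_encode=True the space-delimited scope string is percent-encoded by
    hand *before* urlencode() encodes it again. That double encoding is the
    mistake under discussion: '/' becomes %252F and ' ' becomes %2520.
    """
    scope_value = " ".join(scopes)
    if pre_encode:
        # Produces "system%2FAppointment.read%20system%2FAppointment.write"
        scope_value = quote(scope_value, safe="")
    return urlencode({"grant_type": "client_credentials", "scope": scope_value})


def hand_built_body(scope_literal):
    """Assemble the body by string concatenation with no further encoding.
    Here the caller is responsible for encoding the scope value exactly once."""
    return "grant_type=client_credentials&scope=" + scope_literal


def server_parse_scopes(body):
    """What the token endpoint sees: decode the form body once, then split the
    scope parameter on spaces as RFC 6749 section 3.3 specifies."""
    params = parse_qs(body, keep_blank_values=True)
    raw = params.get("scope", [""])[0]
    return raw.split(" ") if raw else []


def validate_scopes(body):
    """Illustrative server-side check: grant only scopes the server knows.
    A double-encoded scope string survives the single decode as one literal
    token containing '%2F' and '%20', matches nothing, and so nothing is granted."""
    requested = server_parse_scopes(body)
    granted = [s for s in requested if s in KNOWN_SCOPES]
    unknown = [s for s in requested if s not in KNOWN_SCOPES]
    return {"requested": requested, "granted": granted, "unknown": unknown}


if __name__ == "__main__":
    for label, body in [
        ("library-encoded once", build_token_body(SCOPES)),
        ("pre-encoded, then encoded again", build_token_body(SCOPES, pre_encode=True)),
        ("hand-built, encoded once", hand_built_body(quote(" ".join(SCOPES), safe=""))),
    ]:
        print(f"{label}:\n  body    = {body}\n  server  = {validate_scopes(body)}")
```

The practical rule the example demonstrates: the body is decoded exactly once on the server, so encode the scope value exactly once on the client. If your HTTP library encodes the form for you, hand it the plain "system/Appointment.read system/Appointment.write" string; if you build the body by hand, the already-encoded literal from the thread is the right thing to paste in. Checking which of the two your client does is the first step when a token endpoint reports empty or unrecognised scopes.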