Help getting authorization token


Ian Wesley

Jul 13, 2017, 11:30:43 AM
to Cerner FHIR Developers
Hi,

I am able to access the open sandbox; however, I'm having issues with getting an auth token to access the secured sandbox. I've tried using SoapUI and Postman and am getting issues in both.

My parameters are:

Scope: patient/Observation.read

Postman is just failing to load anything on the authorization request.  SoapUI is giving an error "The page could not be loaded"

The URI seems to be correct because when I switch between apps I get a Redirect URI failure:  
Error Code
urn:cerner:error:authorization-server:oauth2:grant:invalid-redirect-uri

Correlation ID 
9cc1ec2b-0a7c-4f1e-ac43-95e66bc0894e


However, when the Redirect URI is correct I'm getting the behavior described above.

Appreciate some help here.

Thanks,
Ian

Jenni Syed (Cerner)

Jul 13, 2017, 1:50:42 PM
to Cerner FHIR Developers
Ian,

Are you saying the tools you're using are having errors, or the responses returned to you have errors when you use these tools? At first glance, you should be getting an error from the authorization server, since the only scope listed below is "patient/Observation.read" and there is no "launch" scope which would allow the SMART context to pass on. SMART is required for any patient/* scope, since there must be a patient in context when authorizing.

~ Jenni

Jenni Syed (Cerner)

Jul 13, 2017, 2:47:00 PM
to Cerner FHIR Developers
Ian,

Do you have the correlation ids for the responses you're receiving that have issues? The authorization server usually either displays the error to the user or returns one to the app, depending on what's wrong.

~ Jenni

Jenni Syed (Cerner)

Jul 13, 2017, 6:15:54 PM
to Cerner FHIR Developers
Using the correlation above, I just looked at all authorization requests coming in for that client id.

Most have errors returned, and the error varies:
  • Some requests are asking for user/* - which is a scope we don't support: http://fhir.cerner.com/authorization/#supported-scopes (the error being returned is grant denied by server)
  • Some coming from Postman are requesting token_type=bearer and either no response_type (which should be set to code) or an invalid response type. Here's an example of some correct authorize URLs: http://fhir.cerner.com/authorization/#examples (unsupported grant error was returned)
    • Note: you should be able to manually build your authorize URL and just paste it into a browser window. It doesn't require curl, since that step requires user interaction and happens via redirects. Just make sure you URL-encode/escape the parameter values.
  • Some calls are trying to PUT or POST instead of GET the authorization endpoint (that endpoint will issue a redirect - Postman or SoapUI must follow that redirect and show you a login page). Error returned here varies based on what was in the body - mostly a 406 response
  • Some of the original calls were using the wrong URL (the app should always discover this from the metadata endpoint) - this would have returned a 404
I will say that unless you're trying to just watch how OAuth works (and it sounds like Postman and SoapUI may not be giving you much access to watch that flow?), I'm not sure you'll get much benefit from using the secure endpoint via Postman. It won't be able to follow the full flow required for an app (e.g., discovering the OAuth endpoints from metadata).

~ Jenni


Ian Wesley

Jul 14, 2017, 8:04:36 AM
to Cerner FHIR Developers
Jenni,

The errors in your bullets 2-4 are really just me trying different things to get it to work. I have tried user/MedicationHistory.read as well as a number of different scopes and am still running into issues. The primary reason I would like to be able to authenticate is that I want to test the ability to write data back into the sandbox. Writing medication data is a key requirement for our software and that appears to be something you support.

Thanks,
Ian

Jenni Syed (Cerner)

Jul 14, 2017, 9:06:59 AM
to Cerner FHIR Developers
Hi Ian,

Since the app doesn't seem to get past the authorization step yet (I assume you haven't gotten a prompt for credentials?), I would start by just trying to build a URL and pasting it into the browser so you can do some trial/error based on the examples above (you would use your client_id, redirect URL, and scopes instead of the ones in the example).

~ Jenni
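
The following is an added example, not part of any post in this thread and not Cerner's code: it builds an authorize URL with URL-encoded parameter values and checks a request against the failure modes listed above (non-GET method, missing `response_type=code`, `token_type` on the request, `user/*` scopes, `patient/*` without a launch scope). The endpoint and hosts are placeholders, and the `state` and `aud` parameters and the acceptance of `launch/...` scopes are assumptions taken from the SMART App Launch specification.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder only: a real app discovers this URL from the FHIR metadata endpoint.
AUTHORIZE_ENDPOINT = "https://authorization.example.invalid/authorize"

def build_authorize_url(client_id, redirect_uri, scopes, state, aud,
                        endpoint=AUTHORIZE_ENDPOINT):
    """Return an authorize URL with every parameter value percent-encoded."""
    params = {
        "response_type": "code",          # authorization code grant
        "client_id": client_id,
        "redirect_uri": redirect_uri,     # must match the registered value exactly
        "scope": " ".join(scopes),
        "state": state,                   # assumption: SMART/OAuth2 CSRF value
        "aud": aud,                       # assumption: SMART FHIR base URL parameter
    }
    return endpoint + "?" + urlencode(params)

def lint_authorize_request(method, url):
    """Return the problems found, in the order the checks run."""
    problems = []
    query = parse_qs(urlsplit(url).query)
    scopes = query.get("scope", [""])[0].split()
    if method.upper() != "GET":
        problems.append("authorize endpoint must be requested with GET")
    if query.get("response_type") != ["code"]:
        problems.append("response_type must be 'code'")
    if "token_type" in query:
        problems.append("token_type is not an authorize request parameter")
    if any(s.startswith("user/") for s in scopes):
        problems.append("user/* scopes are not supported")
    has_launch = any(s == "launch" or s.startswith("launch/") for s in scopes)
    if any(s.startswith("patient/") for s in scopes) and not has_launch:
        problems.append("patient/* scopes need a launch scope")
    if not query.get("redirect_uri"):
        problems.append("redirect_uri is missing")
    return problems

if __name__ == "__main__":
    # Constructed sample values; substitute your own client_id, redirect URL and scopes.
    url = build_authorize_url("my-client-id", "https://app.example.invalid/callback",
                              ["launch", "patient/Observation.read"], "abc123",
                              "https://fhir.example.invalid/dstu2")
    print(url)
    print(lint_authorize_request("GET", url) or "no problems found")
```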