Authorization Problems (Forbidden Error during API call but not physicians API call)


Bradly Ellkay

Sep 15, 2021, 5:47:18 PM
to Cerner FHIR Developers
Hi Cerner,
I have some problems with Authorization.

I got the public sandbox to work and was able to get physicians and patients using API calls.

But when I try a bearer token call through Authorization, I get a 403 Forbidden error.

Here is how I set up authorization first:
I base64-encoded client:secret for Basic Authorization

Send API call 
with 
Authorization: Basic {encoded client:secret}
Body: grant_type=client_credentials&scope=system%2FPatient.read
Accept: application/json
Content-Type: application/x-www-form-urlencoded

Then I used the access token part of the response as a Bearer token for my next call.

When I use my Bearer Token on my next call I get 403 Forbidden error.
{
    "resourceType": "OperationOutcome",
    "issue": [
        {
            "severity": "error",
            "code": "forbidden",
            "diagnostics": "Tenant [mQjCqHb5rkr1u1foU4dqhQPBpi7Qk9R4] not valid or accessible"
        }
    ]
}

The weird part is:
I am able to access the physicians list (/Practitioner?active=true) with bearer token authorization. It gives me a long list of practitioners.
But I cannot access anything else like patient (/Patient/{value}).

Can you help me? 
How can I get the facilities list with Authorization but not the Patient call with the same call?
Does Patient have to be unlocked? (I sent grant_type=client_credentials&scope=system%2FPatient.read as GrantType during Basic Authorization)

Thank you,
Brad
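The flow described in the post above (client_credentials token request with HTTP Basic client credentials, then a bearer-token FHIR call) as an added example; this is not code from the original thread or from Cerner. The token URL, FHIR base URL, client id, secret and the replayed responses are constructed placeholders, and the network transport is injected as a callable so the script runs offline. It adds the two checks a practitioner wants when a bearer call comes back 403: compare the scope the token endpoint actually granted against the scope requested (RFC 6749 lets the server return a `scope` field when it differs), and capture the `x-request-id` response header on any failed call, which is the value support asks for later in this thread.

```python
import base64
import json
from urllib.parse import urlencode

# Placeholder endpoints (constructed, not real Cerner URLs or tenant ids).
TOKEN_URL = "https://authorization.example.invalid/token"
FHIR_BASE = "https://fhir.example.invalid/r4/TENANT_ID_PLACEHOLDER"


def build_token_request(client_id, client_secret, scopes):
    """Build the client_credentials token request as the post describes:
    HTTP Basic credentials plus a form-encoded grant_type/scope body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # urlencode turns "system/Patient.read" into system%2FPatient.read
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return headers, body


def check_token_response(requested_scopes, token_json):
    """Return (granted, missing). If the token endpoint narrowed the scope,
    a later 403 on the dropped resource is explained before any FHIR call."""
    granted = set(token_json.get("scope", " ".join(requested_scopes)).split())
    missing = set(requested_scopes) - granted
    return granted, missing


def parse_operation_outcome(body):
    """Extract (code, message) pairs from a FHIR OperationOutcome body.
    Handles both the 'forbidden' shape (diagnostics) and the
    'not-found' shape (details.text) quoted in the thread."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if doc.get("resourceType") != "OperationOutcome":
        return None
    issues = []
    for issue in doc.get("issue", []):
        msg = issue.get("diagnostics") or issue.get("details", {}).get("text", "")
        issues.append((issue.get("code"), msg))
    return issues


def fhir_get(transport, access_token, path):
    """GET a FHIR resource with the bearer token. transport(method, url, headers)
    returns (status, headers, body); on a 4xx/5xx the x-request-id is recorded
    so it can be handed to support along with the OperationOutcome."""
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    status, resp_headers, body = transport("GET", f"{FHIR_BASE}{path}", headers)
    result = {"status": status, "path": path, "issues": parse_operation_outcome(body)}
    if status >= 400:
        lower = {k.lower(): v for k, v in resp_headers.items()}
        result["x-request-id"] = lower.get("x-request-id")
    return result


# Constructed replay of the two outcomes the post reports: Practitioner works,
# Patient is refused with a tenant-not-accessible OperationOutcome.
FORBIDDEN_BODY = json.dumps({
    "resourceType": "OperationOutcome",
    "issue": [{"severity": "error", "code": "forbidden",
               "diagnostics": "Tenant [TENANT_ID_PLACEHOLDER] not valid or accessible"}],
})


def fake_transport(method, url, headers):
    """Offline stand-in for the network (constructed responses)."""
    if not headers["Authorization"].startswith("Bearer "):
        return 401, {}, ""
    if "/Practitioner" in url:
        return 200, {"Content-Type": "application/fhir+json"}, json.dumps(
            {"resourceType": "Bundle", "total": 1})
    return 403, {"X-Request-Id": "constructed-request-id-0001"}, FORBIDDEN_BODY


if __name__ == "__main__":
    hdrs, form = build_token_request("CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER",
                                     ["system/Patient.read"])
    print("token request body:", form)
    # Constructed token response that silently dropped the Patient scope
    granted, missing = check_token_response(["system/Patient.read"],
                                            {"access_token": "tok", "scope": "system/Practitioner.read"})
    print("granted:", granted, "missing:", missing)
    for path in ("/Practitioner?active=true", "/Patient/12345"):
        print(fhir_get(fake_transport, "tok", path))
```

When a real call fails, the `status`, `issues` and `x-request-id` fields of the returned dict are exactly what to include in a support request; comparing `missing` against the resource being fetched tells you whether the problem is the scope the token carries or the tenant/authorization configuration behind it.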

Bradly Ellkay

Sep 15, 2021, 5:52:23 PM
to Cerner FHIR Developers
Also, the 403 Forbidden is not the same as a public sandbox Patient not found:
{
    "resourceType": "OperationOutcome",
    "issue": [
        {
            "severity": "error",
            "code": "not-found",
            "details": {
                "text": "Resource not found"
            }
        }
    ]
}
I fully believe it's not a "patient not found" problem.
I believe it's a "tenant id mQjCqHb5rkr1u1foU4dqhQPBpi7Qk9R4 is not fully unlocked" error or an Authorization problem.

Bradly Ellkay

Sep 15, 2021, 6:15:25 PM
to Cerner FHIR Developers
Can you help me? (Sorry for the multiple posts. I'm not trying to bump, just trying to give a summary at the end because the last 2 posts didn't give a good conclusion. I wish I could edit.)

Summarized:
I can get the Practitioner list with a Bearer token but can't get Patient or Appointment call responses with the same Bearer token. (Same tenant id, client id and secret for both.) Can you help?
I get a 403 Forbidden error for Patient or Appointment call responses.
Does Patient have to be unlocked or something similar? (I sent grant_type=client_credentials&scope=system%2FPatient.read as GrantType during Basic Authorization)

Is there a configuration I forgot to set to give access to tenant id mQjCqHb5rkr1u1foU4dqhQPBpi7Qk9R4 so I can access patients and other non-Practitioner resources?

Fenil Desani (Cerner)

Sep 22, 2021, 10:31:43 AM
to Cerner FHIR Developers
Hello,

Please provide x-request-id/CorrelationID for the failed call.

Thanks,
Fenil
