I am getting access denied in authorization request for my provider facing app.


eduardh...@gmail.com

Aug 16, 2017, 4:03:48 AM
to Cerner FHIR Developers
Hi All,
I am starting the development of a mobile application (a provider-facing app) in the Cerner sandbox Developer portal.

following authorization request.

BTW, I am getting access denied in the redirect:

Let me know how to solve this problem.
Thanks in advance for any help.

PS. Here is my app info in the Cerner sandbox Developer portal.

App Info


Client Id: 80c16a4d-10a3-47bd-9eba-07c3aebc25ae

App Id: c27eb903-1a32-4588-a02b-2d71d04b23c6

SMART Launch URI: http://localhost:8100/

Redirect URI: http://localhost:8100/


App Type: provider

FHIR Spec: dstu2 - "https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca"

Authorized: true


Standard Scopes:

launch

profile

openid

online_access


Patient Scopes:

patient/Observation.read

patient/Patient.read

Jenni Syed (Cerner)

Aug 16, 2017, 10:09:45 AM
to Cerner FHIR Developers
Hi,

If you look at the error returned from the server, it gives an error URI. If you visit that URI, it will give you a correlation id that we can use to track down the error (no need to post all your application info - we can look this up using the correlation id):

"http://localhost:8100/?error=access_denied&error_uri=https%3A%2F%2Fauthorization.sandboxcerner.com%2Ferrors%2Furn%253Acerner%253Aerror%253Aauthorization-server%253Aoauth2%253Agrant%253Amissing-patient%2Finstances%2F047e9272-6dcb-4fa8-8ecb-426a81f671a4%3Fpersona%3Dprovider%26client%3D80c16a4d-10a3-47bd-9eba-07c3aebc25ae%26tenant%3D0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca"

It's stating that you're requesting patient/... scopes but the app sent no patient context to the authorization server. Your application needs to send the iss (as aud parameter to the auth server) and launch parameter that is sent to the app during launch in order to establish a patient context.

Example here: http://fhir.cerner.com/authorization/#examples (you'll want to look at the one with a launch context, though make sure you use the authorization URL you discover from the FHIR endpoint)

~ Jenni

eduardh...@gmail.com

Aug 16, 2017, 12:44:46 PM
to Cerner FHIR Developers
Hi Jenni,
Thanks for the reply.
I read your example URL http://fhir.cerner.com/authorization/#examples carefully, but I am not sure what my fault is.
I am thinking my current scope is at fault.
Can you let me know how I have to modify the scopes in my current app info in the Cerner Sandbox?

eduardh...@gmail.com

Aug 16, 2017, 11:51:18 PM
to Cerner FHIR Developers

Jenni Syed (Cerner)

Aug 17, 2017, 10:29:15 AM
to Cerner FHIR Developers
state is a parameter the application must generate and check (it's passed back to you when authorization is completed - validating this parameter helps to prevent some security attacks). 

The example above is just that, an example, though it would be nice if it used real scopes :) You need to replace the list of scopes with the list of scopes your application needs. However, to perform a SMART launch, the application MUST include the launch scope *and* the launch parameter in the request. I believe the example you provided of your request did not have a launch parameter included, only the launch scope. The launch parameter value must be equal to the launch parameter passed to the application when it is launched.

~ Jenni

eduardh...@gmail.com

Aug 17, 2017, 1:31:35 PM
to Cerner FHIR Developers
Hi Jenni,
Thanks for the reply.

I included a launch parameter when I make the authentication URL.
As you can see in the above screenshot, my SMART Launch URI is "http://localhost:8100/".

- programming code: 
  var scope = "patient/Patient.read,patient/Observation.read,launch";
  var redirectUri = "http://localhost:8100/";
  var launchUri = "http://localhost:8100/";   // the app's own SMART Launch URI
  var clientid_cerner_provider = "80c16a4d-10a3-47bd-9eba-07c3aebc25ae";
  ...
  // authorization_url and serviceUri are set above; launch is sent as launchUri,
  // aud as serviceUri (the FHIR service root)
  var authenticate_url = authorization_url + "?" +
              "response_type=code&" +
              "client_id=" + encodeURIComponent(clientid_cerner_provider) + "&" +
              "scope=" + encodeURIComponent(scope) + "&" +
              "launch=" + encodeURIComponent(launchUri) + "&" +
              "aud=" + encodeURIComponent(serviceUri) + "&" +
              "redirect_uri=" + encodeURIComponent(redirectUri);

So I am getting the following authentication URL.
- authentication_url:
?response_type=code
&client_id=80c16a4d-10a3-47bd-9eba-07c3aebc25ae
&scope=patient%2FPatient.read%2Cpatient%2FObservation.read%2Claunch
&launch=http%3A%2F%2Flocalhost%3A8100%2F
&aud=https%3A%2F%2Ffhir-ehr.sandboxcerner.com%2Fdstu2%2F0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca%2F
&redirect_uri=http%3A%2F%2Flocalhost%3A8100%2F

But when I try to get the authorization code in the redirect URL using the above authentication URL, it still gives me the error: "invalid_grant".

- redirect url:
?error=invalid_request
&error_uri=https%3A%2F%2Fauthorization.sandboxcerner.com%2Ferrors%2Furn%253Acerner%253Aerror%253Aauthorization-server%253Asmart-v1%253Agrant%253Alaunch%253Ainvalid-launch-code%2Finstances%2F8262af65-d3f5-424b-9570-c3d6aa8e2a77%3Fpersona%3Dprovider%26client%3D80c16a4d-10a3-47bd-9eba-07c3aebc25ae%26tenant%3D0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca


Please let me know what my fault is.
Thanks in advance for any help.

Eduard.

Jenni Syed (Cerner)

Aug 18, 2017, 10:46:35 AM
to Cerner FHIR Developers
Eduard,

The launch parameter is not the launch URL - it should be the value passed to your application, usually a string of letters and numbers, when your application is launched. It can be found in the launch query parameter in the app's launch URL when launched. For example, if your application launch URL is http://localhost:8100/

http://localhost:8100/?iss=https%3A%2F%2Ffhir-ehr.sandboxcerner.com%2Fdstu2%2F0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca%2F&launch=123xxxxxxyyyyzzz456

is an example of what the URL might look like when your application is launched. The application then takes the iss (the FHIR server root URL it should be using), discovers the authorization endpoint from the conformance resource of that FHIR server, and uses the iss value as the aud value when calling the authorization endpoint. It also uses the value in the launch parameter and passes that into the launch parameter in that authorization request.

~ Jenni

eduardh...@gmail.com

Aug 18, 2017, 3:09:08 PM
to Cerner FHIR Developers
Hi Jenni,
I changed the scopes as follows.
 
User Scopes:

user/Appointment.read

user/MedicationOrder.read

user/Observation.read

user/Patient.read 

So the authentication URL is:
https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/personas/provider/authorize?response_type=code&client_id=80c16a4d-10a3-47bd-9eba-07c3aebc25ae&scope=launch%2Fpatient%2Copenid%2Cprofile%2Conline_access%2Cuser%2FMedicationOrder.read%2Cuser%2FAppointment.read%2Cuser%2FPatient.read%2Cuser%2FObservation.read&aud=https%3A%2F%2Ffhir-ehr.sandboxcerner.com%2Fdstu2%2F0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca%2F&redirect_uri=http%3A%2F%2Flocalhost%3A8100%2F

Now I am getting the authorization code, access token, refresh token, id_token, token type and expires_in using the above authentication URL.

Next, I want to get the list of patients in the secure sandbox using the above access token....

Can you please let me know how I can get the list of patients?

Eduard.

Max Philips (Cerner)

Aug 18, 2017, 3:21:18 PM
to Cerner FHIR Developers
Hi Eduard,

Cerner's sandbox doesn't support the workflow of retrieving all patients (there are quite a few patients in the sandbox!).

We support search and read by id for the Patient FHIR resource.  Here's our documentation:

A good starting point for you to dig in may be searching for all patients with a particular name, like this:
Per documentation on fhir.cerner.com, the 'name' parameter searches first and last names of patients, so you will get a result set consisting of all patients in the sandbox whose first or last name starts with 'Peters'.

You can try out other query parameters that we have documented as well.

Thanks,
Max (Cerner)
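The name search Max suggests, with the access token from the earlier step and the Bundle that comes back, as an added example. This is not code from the thread or from Cerner's documentation. Assumed: the function names, the Accept value (the DSTU2 JSON media type; use whatever the server's docs specify), and the sample Bundle, which is constructed with made-up ids and names but the DSTU2 shape (given and family as arrays, a link with relation next for paging).

```javascript
// Added example: Patient name search and Bundle handling. Not from the thread or Cerner.

// Build the request. The token goes in the Authorization header, never in the query
// string, so it does not land in proxy or server logs.
function patientSearchRequest(fhirBase, accessToken, params) {
  const base = fhirBase.endsWith('/') ? fhirBase : fhirBase + '/';
  const u = new URL('Patient', base);
  for (const [k, v] of Object.entries(params)) u.searchParams.set(k, v);
  return {
    method: 'GET',
    url: u.toString(),
    headers: { Authorization: `Bearer ${accessToken}`, Accept: 'application/json+fhir' }, // assumed media type
  };
}

// DSTU2 HumanName carries given and family as arrays.
function formatName(name) {
  if (!name) return '';
  return [...(name.given || []), ...(name.family || [])].join(' ');
}

// id and display name of each Patient in the searchset. A search that matches nothing
// comes back as a Bundle without an entry array, so default it.
function patientsFromBundle(bundle) {
  if (!bundle || bundle.resourceType !== 'Bundle') {
    throw new Error(`expected Bundle, got ${bundle && bundle.resourceType}`);
  }
  return (bundle.entry || [])
    .map((e) => e.resource)
    .filter((r) => r && r.resourceType === 'Patient')
    .map((r) => ({ id: r.id, name: formatName((r.name || [])[0]) }));
}

// Results are paged; follow link[relation=next] until it is absent.
function nextPageUrl(bundle) {
  const next = (bundle.link || []).find((l) => l.relation === 'next');
  return next ? next.url : null;
}

// Constructed sample response: DSTU2 shape, made-up ids, names and paging URL.
const FHIR_BASE = 'https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca';
const SAMPLE_BUNDLE = {
  resourceType: 'Bundle', type: 'searchset', total: 2,
  link: [
    { relation: 'self', url: `${FHIR_BASE}/Patient?name=Peters` },
    { relation: 'next', url: `${FHIR_BASE}/Patient?name=Peters&page=2` },
  ],
  entry: [
    { fullUrl: `${FHIR_BASE}/Patient/1001`,
      resource: { resourceType: 'Patient', id: '1001', name: [{ use: 'official', family: ['Peters'], given: ['Tim'] }] } },
    { fullUrl: `${FHIR_BASE}/Patient/1002`,
      resource: { resourceType: 'Patient', id: '1002', name: [{ use: 'official', family: ['Peterson'], given: ['Ann', 'M'] }] } },
  ],
};

function demo() {
  const req = patientSearchRequest(FHIR_BASE, 'ACCESS_TOKEN_FROM_TOKEN_RESPONSE', { name: 'Peters' });
  // In the real app: fetch(req.url, { headers: req.headers }) and feed the JSON to patientsFromBundle.
  return { request: req, patients: patientsFromBundle(SAMPLE_BUNDLE), next: nextPageUrl(SAMPLE_BUNDLE) };
}

if (typeof require !== 'undefined' && require.main === module) console.log(JSON.stringify(demo(), null, 2));
```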

eduardh...@gmail.com

Aug 21, 2017, 3:34:32 AM
to Cerner FHIR Developers
Hi Max,
Thanks very much for your help.
I got the patient FHIR resource in Cerner's Sandbox.

Thanks, :)
Eduard.