Fail Authorization on Behalf of a User: Processing the Authorization Grant Response


Zane Silver

Jan 7, 2023, 6:12:48 PM
to Oracle Cerner FHIR Developers
The Authorization on Behalf of a User is failing for me at the Processing the authorization grant response step. 

App
App Type: Patient
App ID: 113e918d-efd2-4c9f-bad8-8e8d4bfece19
Client ID: b7bc7cde-fe22-4e17-b805-3a90fb73c29b

Token Request (failing)
The following request fails when trying to exchange the code for an access token from the following request.
Request Headers
Method: POST
Content-Type: application/x-www-form-urlencoded

Request URL

Response

{
    "error": "invalid_client",
    "error_uri": "https://authorization.cerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Atoken%3Ainvalid-client-credentials/instances/911e7841-28d1-4fce-8c78-7f220688057e?client=unknown&tenant=ec2458f2-1e24-41c8-b71b-0e701af7583d"
}

Authorization Request
The above Token Request flow was done in response to the code returned (successfully) from the patient authorization request:

Parameters
client_id: b7bc7cde-fe22-4e17-b805-3a90fb73c29b
state: test
response_type: code
scope: launch/patient openid profile offline_access

URL

I would expect for this flow to work, but for some reason we always receive the client credentials error. Additionally, our App Name is "Unknown App" even though it's configured and it properly links to our ToS & Privacy Policies.

Zane Silver

Jan 7, 2023, 6:21:37 PM
to Oracle Cerner FHIR Developers
I should also mention that the Application Privacy is Confidential:

App
App Type: Patient
App ID: 113e918d-efd2-4c9f-bad8-8e8d4bfece19
Client ID: b7bc7cde-fe22-4e17-b805-3a90fb73c29b
Application Privacy: Confidential

Thanks for the help!

Aaron McGinn (Oracle Cerner)

Jan 11, 2023, 8:06:07 PM
to Oracle Cerner FHIR Developers
As a confidential application, the authorization will be done using the system account you created as well as the secret obtained from that account. This process will then follow the auth workflow using a system account.

This process follows RFC6749 [1] for the OAuth 2.0 framework.


-Aaron (Oracle Cerner)
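
Added example, not part of the thread and not Oracle Cerner's own code: how a confidential client's token request differs from a public client's under RFC 6749, assuming the token endpoint accepts HTTP Basic client authentication (section 2.3.1) with the client id and the system account's secret. The secret and authorization code are constructed placeholders; only the client id comes from the thread.

```python
import base64
from urllib.parse import quote_plus, unquote_plus, urlencode

def basic_client_auth(client_id, client_secret):
    """RFC 6749 section 2.3.1: form-urlencode each credential, join with ':', then base64."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")

def decode_basic(header_value):
    """Inverse of basic_client_auth, for checking what a header actually carries."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return unquote_plus(user), unquote_plus(password)

def build_token_request(code, client_id, client_secret=None, redirect_uri=None):
    """Return (headers, body) for the authorization_code exchange; nothing is sent."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code}
    if redirect_uri is not None:
        # Required only when the authorization request carried one (RFC 6749 4.1.3).
        form["redirect_uri"] = redirect_uri
    if client_secret is None:
        # Public client: identifies itself in the body, no authentication.
        form["client_id"] = client_id
    else:
        # Confidential client: authenticates in the header; the secret stays
        # out of the body and the URL.
        headers["Authorization"] = basic_client_auth(client_id, client_secret)
    return headers, urlencode(form)

# Constructed sample values; only the client id comes from the thread.
CLIENT_ID = "b7bc7cde-fe22-4e17-b805-3a90fb73c29b"
SAMPLE_SECRET = "constructed/secret+value"   # placeholder, not a real secret
SAMPLE_CODE = "constructed-auth-code"        # placeholder

if __name__ == "__main__":
    for label, secret in (("public-style", None), ("confidential", SAMPLE_SECRET)):
        headers, body = build_token_request(SAMPLE_CODE, CLIENT_ID, secret)
        print(label, headers.get("Authorization", "<no client authentication>"), body)
```

Keeping the secret in the `Authorization` header rather than the query string or form body also keeps it out of URL and request-body logs.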

Zane Silver

Jan 11, 2023, 8:08:02 PM
to cerner-fhir...@googlegroups.com
Got it. Works, thank you!
