Hi,
I am trying to get started with interacting with the Cerner FHIR API in the Secure Sandbox using a System Account.
Full curl command & output below (with Authorization header redacted):
$ curl -v -X POST 'https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token' \
-H 'Accept: application/json' \
-H "Authorization: Basic $(printf '%s:%s' "$SYSTEM_ACCOUNT_CLIENT_ID" "$SYSTEM_ACCOUNT_CLIENT_SECRET" | base64 | tr -d '\n')" \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'cache-control: no-cache' \
-d 'grant_type=client_credentials&scope=system%2FObservation.read%20system%2FPatient.read'
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 159.140.206.14...
* TCP_NODELAY set
* Connected to authorization.cerner.com (159.140.206.14) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=Missouri; L=Kansas City; jurisdictionCountryName=US; jurisdictionStateOrProvinceName=Delaware; O=Cerner Corporation; businessCategory=Private Organization; serialNumber=2103665; CN=authorization.cerner.com
* start date: Mar 11 17:27:37 2020 GMT
* expire date: Mar 11 17:57:36 2022 GMT
* subjectAltName: host "authorization.cerner.com" matched cert's "authorization.cerner.com"
* issuer: C=US; O=Entrust, Inc.; OU=See www.entrust.net/legal-terms; OU=(c) 2014 Entrust, Inc. - for authorized use only; CN=Entrust Certification Authority - L1M
* SSL certificate verify ok.
> POST /tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token HTTP/1.1
> Host: authorization.cerner.com
> User-Agent: curl/7.64.1
> Accept: application/json
> Authorization: Basic REDACTED
> Content-Type: application/x-www-form-urlencoded
> cache-control: no-cache
> Content-Length: 85
>
* upload completely sent off: 85 out of 85 bytes
< HTTP/1.1 400
< Expect-CT: enforce, max-age=30
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: OPTIONS, POST
< Access-Control-Allow-Headers: Content-Type, Authorization, Accept, Cerner-Correlation-Id
< Cache-Control: no-store
< Pragma: no-cache
< Cerner-Correlation-ID: 8bfe85c9-3236-41f7-8582-e482265d78a1
< Content-Type: application/json;charset=UTF-8
< Content-Length: 296
< Date: Tue, 28 Sep 2021 08:31:01 GMT
< X-Cnection: close
< Server: cloud_authorization_server1
< Strict-Transport-Security: max-age=631138519; includeSubDomains
<
* Connection #0 to host authorization.cerner.com left intact
{"error":"invalid_client","error_uri":"https://authorization.cerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Atoken%3Aterminated-client/instances/8bfe85c9-3236-41f7-8582-e482265d78a1?client=174ebcdf-3a37-4806-8697-9a5d2ff486e7&tenant=ec2458f2-1e24-41c8-b71b-0e701af7583d"}* Closing connection 0
I have also tried getting a bearer token from the https://cernercentral.com/system-accounts/ web interface and using that directly, but that didn't work either (the BEARER_TOKEN env var is set to the bearer token copied from CernerCentral):
$ curl -i -H "Authorization: Bearer $BEARER_TOKEN" -H 'Accept: application/json' 'https://fhir-ehr-code.cerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d/Patient?name=John'
HTTP/1.1 401 Unauthorized
Content-Type: application/fhir+json
Content-Length: 200
Connection: keep-alive
Date: Tue, 28 Sep 2021 08:41:54 GMT
X-Request-Id: b0a4786e-0215-445a-b397-3aa922f02809
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: WWW-Authenticate, X-Request-Id
WWW-Authenticate: Bearer realm="fhir-ehr-code.cerner.com", error="invalid_token"
X-Edge-Origin-Shield-Skipped: 0
X-Cache: Error from cloudfront
Via: 1.1 4bc362c59a07f21706e00e1fe67ba2ff.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: LHR62-C1
X-Amz-Cf-Id: qTWnWe-oXR3ybcquuS-s2Vg8c-rFNlD4OWHyhMUjz3nz66-3E19t1A==
{"resourceType":"OperationOutcome","issue":[{"severity":"error","code":"login","diagnostics":"Bearer realm=\"fhir-ehr-code.cerner.com\", error=\"invalid_token\"","expression":["http.Authorization"]}]}
Any pointers would be much appreciated.
Thanks,
Francis
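Added example (not part of the post, and not Cerner's code): a small script that builds the same client_credentials token request the curl above sends, and that pulls out of the two responses on the page the fields worth quoting when raising this with support. The token URL, the 400 body and the 401 WWW-Authenticate value are copied from the post; the function names (basic_auth_header, token_request, explain_token_error, parse_www_authenticate) and the placeholder credentials are the example's own. Two things it makes visible that the curl output alone does not: the Basic header must be built without the line wrap that GNU coreutils base64 adds at 76 columns, and the error_uri in the 400 response encodes both an error class (here terminated-client) and an instance id that matches the Cerner-Correlation-ID header. Nothing here touches the network.

```python
"""Build a SMART client_credentials token request and decode the two error
responses from the post. Added example, not from the post or from Cerner."""
import base64
import json
import re
import urllib.parse
from typing import Dict, List, Optional, Tuple

# Token endpoint exactly as in the post.
TOKEN_URL = ("https://authorization.cerner.com/tenants/"
             "ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token")

# Response bodies copied from the post: the 400 from the token endpoint and
# the WWW-Authenticate challenge from the 401 on the FHIR endpoint.
SAMPLE_TOKEN_ERROR = ('{"error":"invalid_client","error_uri":"https://authorization.cerner.com/errors/'
                      'urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Atoken%3Aterminated-client'
                      '/instances/8bfe85c9-3236-41f7-8582-e482265d78a1'
                      '?client=174ebcdf-3a37-4806-8697-9a5d2ff486e7'
                      '&tenant=ec2458f2-1e24-41c8-b71b-0e701af7583d"}')
SAMPLE_CHALLENGE = 'Bearer realm="fhir-ehr-code.cerner.com", error="invalid_token"'


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 7617 Basic credentials. base64.b64encode never wraps, whereas the
    GNU `base64` command in a shell pipeline wraps at 76 columns and would
    embed a newline in the header once id:secret is long enough."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request(client_id: str, client_secret: str,
                  scopes: List[str]) -> Tuple[Dict[str, str], bytes]:
    """Headers and form body for grant_type=client_credentials.
    quote_via=quote with safe='' reproduces the %2F / %20 encoding in the post."""
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": " ".join(scopes)},
        quote_via=urllib.parse.quote, safe="")
    headers = {
        "Accept": "application/json",
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, body.encode("ascii")


def _segment_after(parts: List[str], key: str) -> Optional[str]:
    """Path segment that follows `key`, or None if absent."""
    if key in parts and parts.index(key) + 1 < len(parts):
        return parts[parts.index(key) + 1]
    return None


def explain_token_error(body: str) -> Dict[str, Optional[str]]:
    """Extract the OAuth error code, the error class the server encodes in
    error_uri (.../errors/<urn>/instances/<id>) and the instance id, which
    is the same value as the Cerner-Correlation-ID response header."""
    data = json.loads(body)
    result: Dict[str, Optional[str]] = {
        "error": data.get("error"), "error_class": None, "instance": None}
    uri = data.get("error_uri")
    if uri:
        parts = urllib.parse.urlparse(uri).path.split("/")
        urn = _segment_after(parts, "errors")
        if urn:
            result["error_class"] = urllib.parse.unquote(urn).rsplit(":", 1)[-1]
        result["instance"] = _segment_after(parts, "instances")
    return result


def parse_www_authenticate(value: str) -> Dict[str, str]:
    """Split an RFC 6750 challenge such as
    `Bearer realm="...", error="invalid_token"` into its parameters."""
    scheme, _, params = value.partition(" ")
    parsed = {"scheme": scheme}
    for key, val in re.findall(r'(\w+)="([^"]*)"', params):
        parsed[key] = val
    return parsed


if __name__ == "__main__":
    # Placeholder credentials; the real ones belong to the system account.
    headers, body = token_request("CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER",
                                  ["system/Observation.read", "system/Patient.read"])
    print("POST", TOKEN_URL)
    print(body.decode(), len(body), "bytes")  # same 85-byte body as the post's Content-Length
    print(explain_token_error(SAMPLE_TOKEN_ERROR))
    print(parse_www_authenticate(SAMPLE_CHALLENGE))
```

Running it prints the 85-byte form body the post's Content-Length reports, then `{'error': 'invalid_client', 'error_class': 'terminated-client', 'instance': '8bfe85c9-...'}` for the 400, and the parsed `invalid_token` challenge for the 401. The instance id is the value to quote back to Cerner, and the error class is the part of the response that actually says why the client was rejected.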