OAuth authorisation in sandbox using system account


Francis Devereux

Sep 28, 2021, 4:43:26 AM
to Cerner FHIR Developers
Hi,

I am trying to get started with interacting with the Cerner FHIR API in the Secure Sandbox using a System Account.

I have registered a system account in https://cernercentral.com/system-accounts/ and set the env variable SYSTEM_ACCOUNT_CLIENT_ID to its Account ID and SYSTEM_ACCOUNT_CLIENT_SECRET to its Secret (values for ID and secret obtained from https://cernercentral.com/system-accounts/).

When I try the curl command from https://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system (with -v added) then I get an "invalid_client" error.

Full curl command & output below (with Authorization header redacted):
$ curl -v -X POST 'https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token' \
  -H 'Accept: application/json' \
  -H "Authorization: Basic $(echo -n $SYSTEM_ACCOUNT_CLIENT_ID:$SYSTEM_ACCOUNT_CLIENT_SECRET | base64)" \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'cache-control: no-cache' \
  -d 'grant_type=client_credentials&scope=system%2FObservation.read%20system%2FPatient.read'
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 159.140.206.14...
* TCP_NODELAY set
* Connected to authorization.cerner.com (159.140.206.14) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=Missouri; L=Kansas City; jurisdictionCountryName=US; jurisdictionStateOrProvinceName=Delaware; O=Cerner Corporation; businessCategory=Private Organization; serialNumber=2103665; CN=authorization.cerner.com
*  start date: Mar 11 17:27:37 2020 GMT
*  expire date: Mar 11 17:57:36 2022 GMT
*  subjectAltName: host "authorization.cerner.com" matched cert's "authorization.cerner.com"
*  issuer: C=US; O=Entrust, Inc.; OU=See www.entrust.net/legal-terms; OU=(c) 2014 Entrust, Inc. - for authorized use only; CN=Entrust Certification Authority - L1M
*  SSL certificate verify ok.
> POST /tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token HTTP/1.1
> Host: authorization.cerner.com
> User-Agent: curl/7.64.1
> Accept: application/json
> Authorization: Basic REDACTED
> Content-Type: application/x-www-form-urlencoded
> cache-control: no-cache
> Content-Length: 85
>
* upload completely sent off: 85 out of 85 bytes
< HTTP/1.1 400
< Expect-CT: enforce, max-age=30
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: OPTIONS, POST
< Access-Control-Allow-Headers: Content-Type, Authorization, Accept, Cerner-Correlation-Id
< Cache-Control: no-store
< Pragma: no-cache
< Cerner-Correlation-ID: 8bfe85c9-3236-41f7-8582-e482265d78a1
< Content-Type: application/json;charset=UTF-8
< Content-Length: 296
< Date: Tue, 28 Sep 2021 08:31:01 GMT
< X-Cnection: close
< Server: cloud_authorization_server1
< Strict-Transport-Security: max-age=631138519; includeSubDomains
<
* Connection #0 to host authorization.cerner.com left intact
{"error":"invalid_client","error_uri":"https://authorization.cerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Atoken%3Aterminated-client/instances/8bfe85c9-3236-41f7-8582-e482265d78a1?client=174ebcdf-3a37-4806-8697-9a5d2ff486e7&tenant=ec2458f2-1e24-41c8-b71b-0e701af7583d"}* Closing connection 0


I have also tried getting a bearer token from the https://cernercentral.com/system-accounts/ web interface and using that directly but that didn't work either (BEARER_TOKEN env var is set to the bearer token copied from CernerCentral):
$ curl -i -H "Authorization: Bearer $BEARER_TOKEN" -H 'Accept: application/json' https://fhir-ehr-code.cerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d/Patient\?name\=John
HTTP/1.1 401 Unauthorized
Content-Type: application/fhir+json
Content-Length: 200
Connection: keep-alive
Date: Tue, 28 Sep 2021 08:41:54 GMT
X-Request-Id: b0a4786e-0215-445a-b397-3aa922f02809
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: WWW-Authenticate, X-Request-Id
WWW-Authenticate: Bearer realm="fhir-ehr-code.cerner.com", error="invalid_token"
X-Edge-Origin-Shield-Skipped: 0
X-Cache: Error from cloudfront
Via: 1.1 4bc362c59a07f21706e00e1fe67ba2ff.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: LHR62-C1
X-Amz-Cf-Id: qTWnWe-oXR3ybcquuS-s2Vg8c-rFNlD4OWHyhMUjz3nz66-3E19t1A==

{"resourceType":"OperationOutcome","issue":[{"severity":"error","code":"login","diagnostics":"Bearer realm=\"fhir-ehr-code.cerner.com\", error=\"invalid_token\"","expression":["http.Authorization"]}]}


Any pointers would be much appreciated.

Thanks,

Francis

Fenil Desani (Cerner)

Sep 28, 2021, 9:41:28 AM
to Cerner FHIR Developers
Hello.

Your former approach is correct! To confirm, did you register the System App in Code Console after getting the System Account?
I'm unable to find your App with AccountID: 174ebcdf-3a37-4806-8697-9a5d2ff486e7

Thanks,
Fenil

Francis Devereux

Oct 5, 2021, 5:17:17 AM
to Cerner FHIR Developers
Hi Fenil,

Thanks, yes that was it, after creating an app I now have access.

Thanks,

Francis
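The two things this thread turns on are (1) building the client_credentials token request correctly and (2) reading past the generic `invalid_client` code to the specific reason Cerner encodes in `error_uri` (here `terminated-client`, for an account id with no registered app). The Python below is an added example, not Cerner's code or anything from the thread's participants: it builds the same request the curl command sends (same tenant URL and body as posted; the client id and secret are placeholders) and parses the exact error body quoted above. It makes no network call. Building the Basic credential in-process also sidesteps two shell pitfalls: `echo` without `-n` appends a newline into the credential, and GNU `base64` wraps output at 76 columns unless given `-w0`, so a long id:secret pair would put a newline inside the header.

```python
"""Client-credentials token request and error triage for the Cerner
authorization server, modelled on the exchange in the thread above.
Added example, not Cerner's code; runs offline (no request is sent)."""
import base64
import json
from typing import List
from urllib.parse import parse_qs, quote, unquote, urlparse

# Endpoint copied from the thread; the tenant id is the Secure Sandbox tenant.
TOKEN_URL = ("https://authorization.cerner.com/tenants/"
             "ec2458f2-1e24-41c8-b71b-0e701af7583d"
             "/protocols/oauth2/profiles/smart-v1/token")


def build_token_request(client_id: str, client_secret: str,
                        scopes: List[str]) -> dict:
    """Return url, headers and form body for a client_credentials grant.

    The HTTP Basic credential is base64(client_id:client_secret) with no
    trailing newline and no line wrapping (RFC 7617; user-id may not
    contain ':').  Placeholder ids/secrets only: nothing here is real.
    """
    if ":" in client_id:
        raise ValueError("client_id must not contain ':' in HTTP Basic")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    basic = base64.b64encode(raw).decode("ascii")
    # Form-encode by hand with safe='' so '/' -> %2F and ' ' -> %20,
    # byte-for-byte the body the curl command in the thread sends.
    params = {
        "grant_type": "client_credentials",
        "scope": " ".join(scopes),
    }
    body = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    return {
        "url": TOKEN_URL,
        "method": "POST",
        "headers": {
            "Accept": "application/json",
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": body,
    }


def explain_token_error(response_body: str) -> dict:
    """Extract the specific failure reason from an OAuth error response.

    "error" is the generic RFC 6749 code (invalid_client).  The Cerner
    error_uri path is errors/<percent-encoded URN>/instances/<correlation
    id>; the URN's last ':' segment names the real condition, and the
    query string carries the client and tenant ids the server looked up.
    """
    doc = json.loads(response_body)
    result = {"error": doc.get("error"), "reason": None,
              "client": None, "tenant": None, "instance": None}
    uri = doc.get("error_uri")
    if not uri:
        return result
    parsed = urlparse(uri)
    segments = [unquote(s) for s in parsed.path.split("/") if s]
    if len(segments) >= 2 and segments[0] == "errors":
        result["reason"] = segments[1].rsplit(":", 1)[-1]
    if len(segments) >= 4 and segments[2] == "instances":
        result["instance"] = segments[3]
    qs = parse_qs(parsed.query)
    result["client"] = qs.get("client", [None])[0]
    result["tenant"] = qs.get("tenant", [None])[0]
    return result


# The error body exactly as posted in the thread.
THREAD_ERROR_BODY = (
    '{"error":"invalid_client","error_uri":"https://authorization.cerner.com'
    '/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Atoken'
    '%3Aterminated-client/instances/8bfe85c9-3236-41f7-8582-e482265d78a1'
    '?client=174ebcdf-3a37-4806-8697-9a5d2ff486e7'
    '&tenant=ec2458f2-1e24-41c8-b71b-0e701af7583d"}'
)

if __name__ == "__main__":
    # Placeholder credentials, not real ones.
    req = build_token_request("client", "secret",
                              ["system/Observation.read",
                               "system/Patient.read"])
    print(req["headers"]["Authorization"])
    print(req["body"], len(req["body"].encode()), "bytes")
    print(explain_token_error(THREAD_ERROR_BODY))
```

When the token endpoint answers 400, log the `reason`, `client` and `instance` fields rather than just `invalid_client`: the reason tells you whether the credential itself is bad or, as here, the account id is simply not attached to a registered app, and the correlation id (`instance`, also sent back as `Cerner-Correlation-ID`) is what support will ask for.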