sandbox system account authorization fails

[twoyt...@etiometry.com]

Hi,

I tried the 2 documented methods for trying to obtain an access token for a system account. Which mechanism should be used?:

1)

test button on system account admin page works. the same GET with updated params fails locally:

https://oauth-api.sandboxcerner.com/oauth/access?oauth_nonce=-5627865090307359813&oauth_signature=***********&oauth_consumer_key=cec61e43-ac92-47d8-89f4-1c46c799fe40&oauth_signature_method=PLAINTEXT&oauth_timestamp=1620315164366&oauth_version=1.0 GET

I tried via browser and land on: "The page you requested is invalid"

2)

http://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system

curl -X POST 'https://authorization.cerner.com/tenants/dab8e1e5-aa7b-0bdf-4191-a37fa5547529/protocols/oauth2/profiles/smart-v1/token' \

  -H 'Accept: application/json' \

  -H "Authorization: Basic $(echo -n dab8e1e5-aa7b-0bdf-4191-a37fa5547529:*********** | base64)" \

  -H 'Content-Type: application/x-www-form-urlencoded' \

  -H 'cache-control: no-cache' \

  -d 'grant_type=client_credentials&scope=system%2FObservation.read%20system%2FPatient.read'

fails with TCP connection reset by peer

Thanks,

Tom

[Fenil Desani (Cerner)]

Hello,

Which domain are you trying to connect to?

I do not see any System Account with Id: dab8e1e5-aa7b-0bdf-4191-a37fa5547529. Can you confirm you system Account?

Thanks,

Fenil (Cerner)

[twoyt...@etiometry.com]

Hi Fenil,

It looks like two accounts got provisioned. I'm not sure which one to use. I expected the sandbox URL is the one to be using for sandbox testing. I assume consumerKey is the system account ID in the URLs below?

https://cernercentral.com/system-accounts/65e859a0-c371-42b8-b440-3ae8b91f1930?realmId=_3r2dahz1bpUCX4rkXjvhofi0l1zcbjS

https://sandboxcernercentral.com/system-accounts/cec61e43-ac92-47d8-89f4-1c46c799fe40?realmId=CSfH1J9DEBY_b2nmYDxjm-iWkUxMqsWE

I've tried both IDs, but I suspect I should be using the sandbox ID for sandbox testing.

Thanks,

Tom

[twoyt...@etiometry.com]

Hi Fenil,

A quick follow-up. I am tryng to use the sandbox system account, so I checked all the parameters/URLs:

Account URL: https://sandboxcernercentral.com/system-accounts/cec61e43-ac92-47d8-89f4-1c46c799fe40

Using the instructions and example from the doc at:

Doc URL: http://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system

I get "invalid_client". Am I using the correct authz URL?

curl -X POST 'https://authorization.sandboxcerner.com/tenants/cec61e43-ac92-47d8-89f4-1c46c799fe40/protocols/oauth2/profiles/smart-v1/token' \

>   -H 'Accept: application/json' \

>   -H "Authorization: Basic Y2VjNjFlNDMtYWM5Mi00N2Q4LTg5ZjQtMWM0NmM3OTlmZTQwOg==" \ # removed credential part for thos group post

>   -H 'Content-Type: application/x-www-form-urlencoded' \

>   -H 'cache-control: no-cache' \

>   -d 'grant_type=client_credentials&scope=system%2FObservation.read%20system%2FPatient.read'

{"error":"invalid_client","error_uri":"https://authorization.sandboxcerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Atoken%3Aterminated-client/instances/4bc13846-6e20-40b0-a289-6a2dc8b08b40?client=cec61e43-ac92-47d8-89f4-1c46c799fe40&tenant=cec61e43-ac92-47d8-89f4-1c46c799fe40"

Thanks,

Tom

[Dan Tripp]

I am also getting an "invalid_client" error.  I wonder if someone can suggest some things to try.

This is my first attempt at connecting to Cerner.   It's not that it was working then it broke.  It was never working.

My (cygwin) command line is:

SYSTEM_ACCOUNT_CLIENT_ID='5b989f54-c0f7-44d9-a0d4-6efead0b1542'

SYSTEM_ACCOUNT_CLIENT_SECRET='[I got this value from https://cernercentral.com/system-accounts/5b989f54-c0f7-44d9-a0d4-6efead0b1542 , under the "Secrets" section, I clicked "View", and copied the value "Secret".  It's a 32-character string.]'

curl -o out.txt -i -v -X POST 'https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token'   -H 'Accept: application/json'   -H "Authorization: Basic $(echo -n $SYSTEM_ACCOUNT_CLIENT_ID:$SYSTEM_ACCOUNT_CLIENT_SECRET | base64 -w 0)"   -H 'Content-Type: application/x-www-form-urlencoded'   -H 'cache-control: no-cache'   -d 'grant_type=client_credentials&scope=system%2FObservation.read%20system%2FPatient.read'

I received the response:

HTTP/1.1 401
Expect-CT: enforce, max-age=30
WWW-Authenticate: Basic realm="CernerCare"
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: OPTIONS, POST
Access-Control-Allow-Headers: Content-Type, Authorization, Accept, Cerner-Correlation-Id
Cache-Control: no-store
Pragma: no-cache
Cerner-Correlation-ID: 44b855d1-9a21-4e64-9fa0-266cf67e65c0
Content-Type: application/json;charset=UTF-8
Content-Length: 276
Date: Fri, 07 May 2021 00:17:01 GMT
Server: cloud_authorization_server1
Strict-Transport-Security: max-age=631138519; includeSubDomains

{"error":"invalid_client","error_uri":"https://authorization.cerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Atoken%3Ainvalid-client-credentials/instances/44b855d1-9a21-4e64-9fa0-266cf67e65c0?client=unknown&tenant=ec2458f2-1e24-41c8-b71b-0e701af7583d"}

All suggestions welcome.

[Fenil Desani (Cerner)]

Hello Tom,

Looks like you got little confused on different identifiers we have. 

To connect with out public Sandbox, you need to use the following account: https://cernercentral.com/system-accounts/65e859a0-c371-42b8-b440-3ae8b91f1930

Your Auth URL is incorrect as well. You should discover the Auth URL calling the Conformance statement, using FHIR Base URL. http://fhir.cerner.com/authorization/#discovering-authorization-urls

FHIR Base URL for Cerner public Sandbox: https://fhir-ehr-code.cerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d

Conformance Statement: https://fhir-ehr-code.cerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d/metadata

Token URL: https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token
ClientId: 65e859a0-c371-42b8-b440-3ae8b91f1930

So based on your curl above, its should look something like this

curl -X POST 'https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token' \

>   -H 'Accept: application/json' \

>   -H "Authorization: Basic ( base64 "SYSTEM_ACCOUNT_CLIENT_ID:SYSTEM_ACCOUNT_CLIENT_SECRET") \ 

>   -H 'Content-Type: application/x-www-form-urlencoded' \

>   -H 'cache-control: no-cache' \

>   -d 'grant_type=client_credentials&scope=system%2FObservation.read%20system%2FPatient.read'

[Fenil Desani (Cerner)]

Hello Daniel, the error is complaining about invalid credentials.
Make sure the ClientID and client secret is correct and correctly encoded.

Also, please create a new thread to avoid confusions.

Thanks

Fenil (Cerner)

[twoyt...@etiometry.com]

Thank-you Fenil. 

Even with the changes you suggested above, I'm getting "curl: (56) OpenSSL SSL_read: Connection reset by peer, errno 104". 

I am using the ID under the "Manage Secrets" tab for SYSTEM_ACCOUNT_CLIENT_ID. I even tried the ClientId and get the same error. It looks like TLS1.2 is being used. Is there anything you can see on your end?

Request was sent: start date: Mar 11 17:27:37 2020 GMT

verbose curl snippet:

....handshake completes

> Content-Length: 85

> 

* upload completely sent off: 85 out of 85 bytes

* OpenSSL SSL_read: Connection reset by peer, errno 104

* Closing connection 0

curl: (56) OpenSSL SSL_read: Connection reset by peer, errno 104

-Tom

[Dan Tripp]

It's working for me now, but if I have more questions I'll create a new thread.  Thank you.