need to know error from system app from system account

126 views
Skip to first unread message

Salik Ahmed

unread,
Mar 24, 2020, 12:27:16 PM3/24/20
to Cerner FHIR Developers
Dear,
I am getting error on my redirected url "/app?state=5NQJxZmqeykI88Ov&error=access_denied&error_uri=https%3A%2F%2Fauthorization.sandboxcerner.com%2Ferrors%2Furn%253Acerner%253Aerror%253Aauthorization-server%253Aoauth2%253Agrant%253Adenied-by-server%2Finstances%2Fa6e69510-9fea-4700-9678-7c0104a771c5%3Fpersona%3Dprovider%26client%3D689d50d7-2e7c-42cb-b557-46e1bcec1c36%26tenant%3D0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca". Even i provided the client id, scope and iss of my system app which I have created from cerner development portal. Kindly help me with this.

Thanks,
Salik Ahmed Khan

Salik Ahmed

unread,
Mar 24, 2020, 12:52:39 PM3/24/20
to Cerner FHIR Developers
Dear,
Another question that 
POST /tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/token HTTP/1.1
Host: authorization.sandboxcerner.com
Authorization: Basic YmIzMThhNjItZmE2MS00OWFlLWI2OTItN2Q5OTIxNGYwZWM3OnNlY3JldA==
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Connection: close
grant_type=client_credentials&scope=system%2FObservation.read
where can I get basic token? 

Max Philips (Cerner)

unread,
Mar 24, 2020, 3:22:30 PM3/24/20
to Cerner FHIR Developers
Hello Salik Ahmed Khan,

Even i provided the client id, scope and iss of my system app which I have created from cerner development portal. Kindly help me with this.

Per group guidelines, please provide an X-Request-Id response header value for the error you received.

where can I get basic token?

As linked on fhir.cerner.com Authorization documentation: https://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system, you should perform a client credentials OAuth2 workflow using the "Basic authentication scheme" outlined in RFC 2617: https://tools.ietf.org/html/rfc2617

The client credentials you should use are user=client id of your system account / pass=secret of your system account.

Thanks,
Max (Cerner)

Salik Ahmed

unread,
Mar 25, 2020, 9:22:50 AM3/25/20
to Cerner FHIR Developers
Hi Max,
There is no X-Request-Id in my response header.

Thanks,
Salik Ahmed Khan

Max Philips (Cerner)

unread,
Mar 25, 2020, 9:27:15 AM3/25/20
to Cerner FHIR Developers
Is there a Cerner-Correlation-Id?

Salik Ahmed

unread,
Mar 25, 2020, 9:30:54 AM3/25/20
to Cerner FHIR Developers
this is "4dbd26eb-af52-4c77-bd6f-a7ef7e1801e3" what i am getting in authorization call.

On Wednesday, 25 March 2020 18:27:15 UTC+5, Max Philips (Cerner) wrote:
Is there a Cerner-Correlation-Id?

Salik Ahmed

unread,
Mar 25, 2020, 9:32:36 AM3/25/20
to Cerner FHIR Developers
Annotation 2020-03-25 183218.png

Salik Ahmed

unread,
Mar 25, 2020, 10:04:16 AM3/25/20
to cerner-fhir...@googlegroups.com
Hi Max, 
When I work with the token call with basic authentication. I am getting this :
"{
}" with error code 400 Bad Request and Cerner-Correlation-ID : 5c112509-35f4-4b87-9f7f-fe94b281cbcb, I also attached a screenshot of a post man. Kindly help me with this.

Thanks,
Salik
Annotation 2020-03-25 183218.png

Max Philips (Cerner)

unread,
Mar 25, 2020, 10:46:42 AM3/25/20
to Cerner FHIR Developers
In addition to setting the request body you are using, you need to pass in a Basic authorization header. Are you doing that?

It should be set according to documentation provided earlier in this thread:

As linked on fhir.cerner.com Authorization documentation: https://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system, you should perform a client credentials OAuth2 workflow using the "Basic authentication scheme" outlined in RFC 2617: https://tools.ietf.org/html/rfc2617 

The client credentials you should use are user=client id of your system account / pass=secret of your system account.

You can see what such an authorization header should look like on the fhir.cerner.com link (and even base64-decode it to view it in plaintext).

Thanks,
Max (Cerner)

Salik Ahmed

unread,
Mar 25, 2020, 11:04:11 AM3/25/20
to Cerner FHIR Developers
Yes. I was sending basic token in authorization header and (grant_type and scope ) in request body as x-www-form-urlencoded. but still getting unauthorized client in the response.

Thanks,
Salik Ahmed Khan 

Max Philips (Cerner)

unread,
Mar 25, 2020, 11:20:37 AM3/25/20
to Cerner FHIR Developers
Alright that's good. Let's take a look at the error response: you can open the error_uri in a browser to view more information.

In this case, you ran into the following: "The resulting token contains no scopes, either due to unsatisfied constraints specified in the token request, or because the client is no longer authorized for the scopes associated with the refresh token."

This means that your client id (your system account) is not authorized for access to the scopes you requested - system/Observation.read, system/Patient.read, and offline_access.

In the code Console https://code.cerner.com/developer/smart-on-fhir/ did you register an application with the same client id your system account has? Does that application have access to the scopes you are requesting? Documentation in the last bullet of this list: https://fhir.cerner.com/authorization/#registering-a-system-account

Thanks,
Max (Cerner)

Salik Ahmed

unread,
Mar 25, 2020, 12:11:45 PM3/25/20
to Cerner FHIR Developers
This is my smart app which i made from developer portal with same client id, I was requesting. and yes i put offline_access to a scope but without offline_access scope , it still getting a response of unauthorized client.

Thanks,
Salik Ahmed Khan
Annotation 2020-03-25 183218.png

Max Philips (Cerner)

unread,
Mar 25, 2020, 4:37:57 PM3/25/20
to Cerner FHIR Developers
It looks like your app in the code Console is set up correctly, thanks for sharing that.

Another engineer on the team noticed that in your Postman request, you are using escaped scopes, i.e. "scope=system%2FObservation.read%20system%2FPatient.read".

What appears to be happening, which I cannot confirm 100%, is that Postman is applying a second layer of HTML escaping on your already escaped values, thereby mutating them to be unrecognizable by the authorization server. I attempted to replay this behavior locally with Postman and got the same error you did, so I'm fairly confident this is the issue, but it does involve some assumptions about what Postman is actually doing behind the scenes.

A solution appears to be not URL-escaping the value you pass in for scopes: "scope=system/Observation.read system/Patient.read". You could also try issuing the authorization request in a different HTTP client if you prefer to pre-escape the value.

Another note: requesting a scope of "offline_access" doesn't make sense for a system access workflow, since there's no user in context to grant offline access to. You may want to omit this scope from your token request (but if you leave it in, it will be ignored by the auth server without manifesting failures).

Thanks,
Max (Cerner)

Salik Ahmed

unread,
Mar 26, 2020, 2:59:03 AM3/26/20
to Cerner FHIR Developers
Hi Max,
Thanks to recognizing the problem. Kindly provide me a better solution.

Regards,
Salik Ahmed Khan

Salik Ahmed

unread,
Mar 26, 2020, 6:45:56 AM3/26/20
to Cerner FHIR Developers
Hi Max,
The issue is resolved , earlier i was trying to send the scope's value like this "system%2FObservation.read%20system%2FPatient.read" and now I am sending the value for the key scope, like this "system/Observation.read system/Patient.read".


Thanks,
Salik Ahmed Khan

Reply all
Reply to author
Forward
0 new messages