Cerner 'System' App authentication and Token retrieval


Alam Sher

Feb 17, 2019, 4:41:19 PM
to cerner-fhir...@googlegroups.com
  • Issue Summary: (I have completed the registration of a System App on Cerner sandbox. While trying to retrieve the token using 'client_credential' OAuth 2.0 workflow, I am getting an error:
    "Unknown Application" is no longer a registered application.
    Error Code
    urn:cerner:error:authorization-server:oauth2:token:terminated-client
    )
  • X-Request-Id or CorrelationId: (4e158aaf-d7bd-48bc-a8c4-b759106141d9)

When I browse my system account (non-production) details on Cerner central portal, my account status seems 'Active'.
Testing the secret on Cerner Central appears to be working fine, but real-time token retrieval (POST request) fails with the above error.

Any clue/guidance in the right direction would be highly appreciated. 

Thanks

Zafar Ullah

Feb 17, 2019, 7:18:51 PM
to cerner-fhir...@googlegroups.com
Instead of 'client_credential', use 'Authorization' and pass Base64-encoded client and secret key with a prefix of Bearer.

e.g. Authorization : Bearer base64(client Id:secretkey)

Regards

Zafar ullah


Alam Sher

Feb 18, 2019, 4:36:06 AM
to Cerner FHIR Developers
Zafar:

I've tried this already with similar outcome. 

Note: I'm using Postman to fire the request where I'm providing my system account's Consumer Key and Consumer Secret as username/password combination for Basic Authentication.

Also as a test I played with it a bit by providing wrong credentials: the error message changes to 'invalid_client_credentials', so I can safely assume the credentials I am passing are correct and it's the server that is rejecting the token request due to some other issues with this system account at the back-end. 

Please suggest any other workaround that's applicable. 

Thanks, 
Alam Sher



Zafar Ullah

Feb 18, 2019, 8:36:11 AM
to cerner-fhir...@googlegroups.com
Please make sure the contentType is application/x-www-form-urlencoded

Zafar ullah


Zafar Ullah

Feb 18, 2019, 8:42:23 AM
to cerner-fhir...@googlegroups.com
Also, the image given below might help you.

image.png

Alam Sher

Feb 18, 2019, 8:53:19 AM
to Cerner FHIR Developers
Zafar:

Here're my request details using POSTMAN:

URL (POST): 

Headers:
Accept: application/json
Content-Type: application/x-www-form-urlencoded
cache-control: no-cache
Postman-Token: bb1383a5-c1a2-4368-8733-e2eb2f02de28
Authorization: Basic OllqN3k1bTNiV0dhX05VVF9qcGdaVVJ4M3JJTnQzN3BL
User-Agent: PostmanRuntime/7.6.0
cookie: cloud-session=https://authorization.sandboxcerner.com/session-api/session/003bc95c-3132-4db1-9574-2da5bb157a66; _ga=GA1.2.760395515.1550237287; _gid=GA1.2.843576147.1550351275
accept-encoding: gzip, deflate
content-length: 63

Request Body:
grant_type=client_credentials
scope=system/Patient.read

I am getting the error:

"Unknown Application" is no longer a registered application.

Error Code
urn:cerner:error:authorization-server:oauth2:token:terminated-client



Zafar Ullah

Feb 18, 2019, 8:57:30 AM
to cerner-fhir...@googlegroups.com
Request body should contain the values I shared in the image, i.e.

grant_type : authorization_code
code : the authorization code you received against the authorization request
redirecturl: an https-based URL (even if it's local)
client_id : your clientId

As you are not passing these values, the server is unable to recognize you because of the missing client_id.




Zafar ullah


Jenni Syed (Cerner)

Feb 18, 2019, 9:12:40 AM
to Cerner FHIR Developers
First: A reminder to *never* post actual credentials to this public site. If you included actual request details above, please rotate your secrets in the system account admin tool.

Second: Have you registered your account (using the id from system accounts as the GUID) in the code console? Registration is described here (it's 2 steps, the system account is only the first part of the request): https://fhir.cerner.com/authorization/#registration

Example of the token request is here (including where to find the token URL): https://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system

Regards,
Jenni
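
Added example (not part of the thread and not Cerner's code): a Python sketch of the system-account token request discussed above, with `client_credentials` in a single form-encoded body and the key/secret in a Basic header, plus a helper that masks credential-bearing headers before request details are shared publicly. The token URL, client id and secret are constructed placeholders; the real token URL comes from the documentation linked above.

```python
import base64
from urllib.parse import urlencode

# Headers whose values must be masked before a request is pasted anywhere public.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}

def build_token_request(token_url, client_id, client_secret, scopes):
    """Build (without sending) a client_credentials token request."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": token_url,
        "headers": {
            "Accept": "application/json",
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": f"Basic {basic}",
        },
        # One form-encoded string: parameters joined with '&', scopes with a space.
        "body": urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)}),
    }

def decode_basic(header_value):
    """Show that a Basic value is only base64: anyone who sees it has the secret."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    client_id, _, secret = base64.b64decode(encoded).decode().partition(":")
    return client_id, secret

def redact_headers(raw_request):
    """Mask credential-bearing header values, keeping the auth scheme for debugging."""
    out = []
    for line in raw_request.splitlines():
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key in SENSITIVE_HEADERS:
            parts = value.split()
            scheme = parts[0] + " " if key.endswith("authorization") and len(parts) > 1 else ""
            line = f"{name}: {scheme}<redacted>"
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    # Constructed placeholder values, not real Cerner endpoints or credentials.
    req = build_token_request("https://authorization.example.invalid/token",
                              "demo-id", "demo-secret", ["system/Patient.read"])
    dump = "\n".join(f"{k}: {v}" for k, v in req["headers"].items())
    print(redact_headers(dump))
    print(req["body"])
```

Because `decode_basic` recovers the secret from the header alone, a posted `Authorization: Basic ...` line is equivalent to posting the secret itself, which is why rotation is the only remedy once it has been shared.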

Alam Sher

Feb 18, 2019, 9:23:07 AM
to cerner-fhir...@googlegroups.com
Jenni:

Thanks for the response, I'll be careful about sharing the non-public information on forum in future. 

Yes, I understand the registration flow and I did connect my system account to my Sandbox app using GUID. 
I believe I retrieved the correct URL to request token and my token request data/format is correct as well. 
Kindly suggest the way forward.

Here I am sharing the error details again including the correlation id:  

Information to provide to Technical Support

Correlation ID: 
4fb7c8af-3e28-4b96-86ad-bb325a884cac

Information to provide to Unknown Application

"Unknown Application" is no longer a registered application.

Error Code
urn:cerner:error:authorization-server:oauth2:token:terminated-client

Alam Sher

Feb 18, 2019, 10:01:42 AM
to Cerner FHIR Developers
Jenni:

I got this working. It was an issue with my app registration. 

Another question: 

Can we request a Refresh Token as a System App? 

Currently even if I provide 'offline_access' in scope I don't get a refresh_token.

Alam Sher

Jenni Syed (Cerner)

Feb 18, 2019, 10:40:31 AM
to Cerner FHIR Developers
Hi Alam,

No, system accounts don't use the refresh path. The primary reason for this is because the refresh token is intended to let workflows not require the user to sign in and get re-prompted for authorization. System accounts don't prompt anyone, so just asking for a new token is essentially the same thing.

~ Jenni

Alam Sher

Feb 18, 2019, 12:26:35 PM
to Cerner FHIR Developers
Got it, thanks. 