Get problems or diagnoses by smart.patient.api.fetchAll returns 401


Kevin Maloy
Feb 23, 2017, 8:01:01 AM
to Cerner FHIR Developers
Hi --

I am trying to use the smart.patient.api.fetchAll for SMART, Timmy (4342012) with the following

smart.patient.api.fetchAll({
  type: 'Condition',
  category: 'problem',
  clinicalstatus: 'active'
});

I get 401 Unauthorized

I get 200 and data when fetching Observations like

smart.patient.api.fetchAll({
  type: 'Observation',
  query: {
    code: {
      $or: ['http://loinc.org|8302-2', 'http://loinc.org|8462-4',
            'http://loinc.org|8480-6', 'http://loinc.org|2085-9',
            'http://loinc.org|2089-1', 'http://loinc.org|55284-4',
            'http://loinc.org|9279-1', 'http://loinc.org|8867-4',
            'http://loinc.org|8310-5', 'http://loinc.org|59408-5']
    }
  }
});

Am I doing something wrong with fetchAll for Condition?  Are there other required fields?

Thanks,
kevin.

Dennis Patterson (Cerner)
Feb 23, 2017, 9:30:08 AM
to Cerner FHIR Developers
What does the 'WWW-Authenticate' header say in the response?

Without the 'x-request-id' header from the response, I can't be sure of the specific transaction you're referencing.  For the 401s I see on Conditions from one of your client ids, the token signature has expired, so you'd need a new token.

Kevin Maloy
Feb 24, 2017, 12:32:56 PM
to Cerner FHIR Developers
Hi --

See below.

This is for MedicationOrder; for some reason, though, Observation works (200).

I am using the fhir-client.js from the tutorial

Request Method: GET
Status Code: 403 Forbidden
Referrer Policy: no-referrer-when-downgrade

Response Headers:
Access-Control-Allow-Methods: DELETE, GET, POST, PUT, OPTIONS, HEAD
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: ETag, Content-Location, Location, X-Request-Id, WWW-Authenticate, Date
Access-Control-Max-Age: 0
Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Date: Fri, 24 Feb 2017 17:28:00 GMT
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Keep-Alive: timeout=15, max=99
Pragma: no-cache
Server: Apache
Server-Response-Time: 6.1764660000000005
Status: 403 Forbidden
Strict-Transport-Security: max-age=631152000
Vary: Origin,User-Agent,Accept-Encoding
WWW-Authenticate: Bearer realm="fhir-ehr.sandboxcerner.com", error="insufficient_scope"
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Request-Id: 1bbab60e14a809fafc8d61b7ca15a6e3
X-Runtime: 0.006155
X-XSS-Protection: 1; mode=block

Request Headers:
Accept: application/json
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Authorization: Bearer [access token removed]
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/json
Pragma: no-cache
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.37 Safari/537.36

Query String Parameters:
patient: 4342008

Kevin Maloy
Feb 24, 2017, 12:34:16 PM
to Cerner FHIR Developers
I have tried to check everything possible for scope in the app; see below.

App Type: provider
FHIR Spec: dstu2 - "https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca"
Authorized: true

Standard Scopes:
online_access
launch
profile
openid

Patient Scopes:
patient/AllergyIntolerance.read
patient/Appointment.read
patient/Binary.read
patient/CarePlan.read
patient/Condition.read
patient/Contract.read
patient/Device.read
patient/DiagnosticReport.read
patient/Encounter.read
patient/Goal.read
patient/Immunization.read
patient/MedicationOrder.read
patient/MedicationStatement.read
patient/Observation.read
patient/OperationDefinition.read
patient/Patient.read
patient/Person.read
patient/Procedure.read
patient/RelatedPerson.read
patient/StructureDefinition.read
patient/AllergyIntolerance.write
patient/Condition.write
patient/DocumentReference.write
patient/MedicationStatement.write

User Scopes:
user/AllergyIntolerance.read
user/Appointment.read
user/Binary.read
user/CarePlan.read
user/Condition.read
user/Contract.read
user/Device.read
user/DiagnosticReport.read
user/Encounter.read
user/Goal.read
user/Immunization.read
user/MedicationOrder.read
user/MedicationStatement.read
user/Observation.read
user/OperationDefinition.read
user/Patient.read
user/Person.read
user/Procedure.read
user/RelatedPerson.read
user/StructureDefinition.read
user/AllergyIntolerance.write
user/Condition.write
user/DocumentReference.write
user/MedicationStatement.write

Dennis Patterson (Cerner)
Feb 24, 2017, 12:57:46 PM
to Cerner FHIR Developers
The Bearer token you included above does not grant access to MedicationOrder.read, though your client id does indeed have access.  Can you confirm that you're requesting the user/MedicationOrder.read or patient/MedicationOrder.read scope when calling the authorize endpoint? 

Kevin Maloy
Feb 24, 2017, 7:51:01 PM
to Cerner FHIR Developers
Hi --

I figured it out.

In the tutorial (https://github.com/cerner/smart-on-fhir-tutorial) you set up a launch.html ... I thought the setup initialized all permissions available ... in fact, I had to edit launch.html to include user/MedicationOrder.read, and then fetchAll worked.

Partly it was what you said, and then I noticed at https://healthservices.atlassian.net/wiki/display/HSPC/JavaScript+Tutorial%3A+Simple+Application that they mention using the launch.html and adding permissions (although for some reason * did not work for me).

Thanks for the help in pointing me in the right direction; I was in fact not authorizing myself to get the data.
kevin.

Nathan Hulse
Oct 31, 2018, 4:03:13 AM
to Cerner FHIR Developers
I'm running into the same issue and wanted to clarify:

Did you edit this in launch.html:

'scope': 'patient/Patient.read patient/Observation.read launch online_access openid profile'

to read more like this:

'scope': 'patient/Patient.read patient/Observation.read user/MedicationOrder.read launch online_access openid profile'

?

I'm trying to add the user/MedicationOrder.read scope and I'm pretty sure I'm still running into the 403 issue that you describe above.

Max Philips (Cerner)
Oct 31, 2018, 10:10:21 AM
to Cerner FHIR Developers
Yep, that should do it. You will also need to make sure that you have updated your app registration to allow your app to request the user/MedicationOrder.read scope; if this is not completed, you can ask for the scope via launch.html but will not be granted access by our authorization server.

Thanks,
Max (Cerner)

Nathan Hulse
Oct 31, 2018, 10:15:04 AM
to Cerner FHIR Developers
Thanks Max. Does it take a while for the authorization server to update? I updated the app registration last night (it currently has Observation and Patient read under Patient scopes, and MedicationOrder.read under User scopes), but I'm still getting the 403 error. Are there other things I should be checking?

Failed to load resource: the server responded with a status of 403 (Forbidden)  https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Condition?patient=4342012

Max Philips (Cerner)
Oct 31, 2018, 10:49:36 AM
to Cerner FHIR Developers
Overnight should be plenty of time. Do you have an X-Request-Id response header value I can use to check our logs?

Thanks,
Max (Cerner)

Nathan Hulse
Oct 31, 2018, 11:13:15 AM
to cerner-fhir...@googlegroups.com
Request Method: GET
Status Code: 403 Forbidden
Referrer Policy: no-referrer-when-downgrade

Response Headers:
Access-Control-Allow-Methods: DELETE, GET, POST, PUT, OPTIONS, HEAD
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: ETag, Content-Location, Location, X-Request-Id, WWW-Authenticate, Date
Access-Control-Max-Age: 0
Cache-Control: no-cache
Content-Length: 0
Content-Type: text/html
Date: Wed, 31 Oct 2018 15:07:18 GMT
Server-Response-Time: 17.789471000000002
X-Request-Id: aedb3f09d32d9cbe2e6ff0ab164ae108

Max Philips (Cerner)
Oct 31, 2018, 11:31:41 AM
to Cerner FHIR Developers
I need only "X-Request-Id: aedb3f09d32d9cbe2e6ff0ab164ae108", and you should actually make sure to edit your post to remove the Bearer access token, since it contains sensitive material. See the rules on this group's home page for more information.

The URL you sent that request to was a Condition search, and your access token does not include any Condition access scopes - this is why you are seeing a 403.

Thanks,
Max (Cerner)
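Added example, not code from the thread or from fhir-client.js: a browser-side JavaScript diagnostic that reads a rejected SMART on FHIR search the way Dennis and Max do above (401 means the token itself was rejected; 403 with WWW-Authenticate error="insufficient_scope" means the token lacks a scope) and checks whether the 'scope' string from launch.html even requests a read scope for the resource type passed to fetchAll. The header values in the test are constructed from the ones quoted in the thread; wildcard scopes are not handled, since the thread reports that * did not work in this sandbox.

```javascript
// Added diagnostic (not from the thread or fhir-client.js). Takes the status and
// headers of a rejected SMART on FHIR search plus the 'scope' string from
// launch.html, and reports why the call failed and which scope would fix it.

// Parse a header like: Bearer realm="fhir-ehr.sandboxcerner.com", error="insufficient_scope"
function parseWwwAuthenticate(header) {
  const fields = {};
  if (typeof header !== 'string' || !header.startsWith('Bearer')) return fields;
  const re = /(\w+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(header)) !== null) fields[m[1]] = m[2];
  return fields;
}

// SMART scopes that permit reading one resource type (user/X.read or patient/X.read).
function scopesGrantingRead(resourceType) {
  return [`user/${resourceType}.read`, `patient/${resourceType}.read`];
}

// response: { status, headers } with lowercase header names (assumed, as fetch() exposes them).
// requestedScope: the 'scope' value from launch.html. resourceType: fetchAll's 'type'.
function explainRejection(response, requestedScope, resourceType) {
  const auth = parseWwwAuthenticate(response.headers['www-authenticate']);
  const requested = requestedScope.split(/\s+/).filter(Boolean);
  const needed = scopesGrantingRead(resourceType);
  const hasScope = needed.some(s => requested.includes(s));
  let reason;
  if (response.status === 401) {
    // The token itself was rejected (e.g. expired signature): get a new token.
    reason = 'token rejected; obtain a new token';
  } else if (response.status === 403 && auth.error === 'insufficient_scope') {
    // Token is valid but lacks a scope: either launch.html never asked for it,
    // or it was asked for but the app registration does not allow it.
    reason = hasScope
      ? `${resourceType} scope was requested; check that the app registration allows it`
      : `no ${resourceType} read scope requested; add one of: ${needed.join(' or ')}`;
  } else {
    reason = `unexpected status ${response.status}`;
  }
  return {
    status: response.status,
    error: auth.error || null,
    requestId: response.headers['x-request-id'] || null, // quote this when asking support
    hasScope,
    reason,
  };
}
```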