request authorization

[nrusingha.be...@gmail.com]

Hi 

I am new to smart on fhir.

I have  my own application deployed.

here is the my local test project path

 http://localhost:9000/#/cerner-data  -->from here request generated

 http://localhost:9000/Epic-info          -->here i am trying to get 'code'

I have also client id: 4d2b761b-e192-4c4e-8326-f7d2c9feed56

Can anyone suggest me a proper way of request authorization

[Jenni Syed]

Hi,

You may want to take a look at the examples and workflows documented here: http://fhir.cerner.com/dstu2/authorization/

This also links out to the SMART website which has more information. Once you've reviewed that material, the app should start by discovering the authorization and token endpoints from the Conformance document on the server: http://fhir.cerner.com/dstu2/conformance/

I recommend using an existing OAuth or FHIR/SMART library if you can, since that will help ensure the specifications are being implemented without issues.

~ Jenni

[nrusingha.be...@gmail.com]

Thanks Jenni,

Now I am trying to get the access token by sending the auth code and when I use that auth code in the grant type, it is showing invalid grant type.

Can u help in sorting this out.

I have taken the token url from  the security section and added all the parameters of the grant type.

My full request url is like this:

https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/token?grant_type=authorization_code&code=67ec71b0-f152-484c-b011-84f2f75cb26b&client_id=f3014094-e2e3-4c3b-a170-3ff2a3cfff51&redirect_uri=http://localhost:9000/cerner-profile

Thanks

[Michele Mottini]

To get the token you should use a POST - i.e. POST

grant_type=authorization_code&code=67ec71b0-f152-484c-b011-84f2f75cb26b&client_id=f3014094-e2e3-4c3b-a170-3ff2a3cfff51&redirect_uri=http://localhost:9000/cerner-profile

to 

https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/token

  - Michele

   CareEvolution Inc

--
You received this message because you are subscribed to the Google Groups "Cerner FHIR Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cerner-fhir-developers+unsub...@googlegroups.com.
To post to this group, send email to cerner-fhir-developers@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/782e5c24-c989-4fc0-8fb0-a1fe095e196b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[nrusingha.be...@gmail.com]

Thanks Michele for your suggestion,

i am able to get the access token now, but in the documentation i cant get any url pattern to access the resource using access token.

can help me on it.

thanks

[Michele Mottini]

What are you trying to do exactly and what error(s) are you getting?

You should be able to do a GET for .../Patient/<id> (using the ID returned together with the token) passing the token in the Authentication header: 'Bearer xxxx' - where xxx is the token

  - Michele

  CareEvolution Inc

[Jenni Syed]

There are also examples on this page [1] that describe the available servers and examples under each resource (eg [2]) of calling the query in question.

[1] http://fhir.cerner.com/dstu2/#service-root-url

[2] http://fhir.cerner.com/dstu2/allergy-intolerance/#response (the "self" url in the response would show an example of the call that was issued)

[nrusingha.be...@gmail.com]

Hi

I want to access the resource by using the access token,

I am requesting in this way:

var secondUrl = "https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/personas/provider/authorize";
request.get(secondUrl, {
  'auth': {
    'bearer': body.access_token  //<-- my access token
  },
  headers: {
    Accept : "application/json+fhir",
    "Content-Type": "application/json+fhir"
  }
}

The problem is I cant get the result.

Is the url correct? 

Thanks

[Jenni Syed]

The authorization endpoint doesn't require an authorization token. That URL will trigger a redirect for authentication, requiring you to enter credentials. See the "requesting authorization" section here where it describes this in detail: http://fhir.cerner.com/dstu2/authorization/#requesting-an-authorization-code

~ Jenni

[nrusingha.be...@gmail.com]

Hi Jenni,

I think you did not get me.

I want to use this http://fhir.cerner.com/dstu2/authorization/#using-an-access-token

I have already got Auth code and Access token but I could not get proper end point.

The code sample I am trying is like this:

var secondUrl = "https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/personas/provider/authorize";
request.get(secondUrl, {
  'auth': {
    'bearer': body.access_token  //<-- my access token
  },
  headers: {
    Accept : "application/json+fhir",
    "Content-Type": "application/json+fhir"
  }
}

Thank you

[Michele Mottini]

It is not very clear what are you trying to do

The FHIR end point is the one you used initially to get the conformance - so you should use that to get FHIR resources

Not clear what is this supposed to be:

  'auth': {
    'bearer': body.access_token  //<-- my access token
  },

?

The authorization is an header

  - Michele

  CareEvolution Inc

I think you did not get me.

PS this is pretty rude

[nrusingha.be...@gmail.com]

Hi,

First of all I am sorry 

I think you did not get me.

PS this is pretty rude

 

in a flow of conversation I have replied, I apologize for it.

Thanks for your help.

[Jenni Syed]

Hey, 

Were you able to get the token and call the FHIR server? Or are you still having difficulty?

If you're still having difficulty, here's a very simple step-by-step that needs to be done (again, details on the links above if you need - feel free to ask questions where you're unsure of the documentation).

Assuming a SMART launch from the code portal:

1) GET the conformance document to get the Authorization and Token endpoints: https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/metadata?_format=json

2) Request an authorization using the URL discovered above (I'm assuming provider access):  GET https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/personas/provider/authorize?[all required parameters must be in query params, and include and scopes as well as the launch parameter that was sent to the application]

3) You'll be prompted to sign in - sign in with credentials provided in the code portal.

4) Assuming all is well, the application will be returned an authorization code. POST that along with other required parameters to the token url from conformance: https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/token

5) The token should be returned from the call above (as well as the patient from your launch). Use this to GET a FHIR resource. EG, patient: https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Patient/[ID from token response]?_format=json. Make sure to include the token in the Authorization header.

~ Jenni

Cerner

[Abakash Samal]

Hello Jenni,

Thanks for the instructions below. I am working on a similar scenario and had questions.

I have created an app dstu2_webapp on the cerner portal with a client id and launch/redirect url.

The EHR launch scenario works fine for me using the "Begin Testing" button on the portal.

However the Standalone App launch scenario does not work when I start my web application as a 

standalone app without being launched from the EHR.

I got the cerner login page fine and it let me log in with the user/password on the portal. 

But my application fails in getting the authorization code. 

I am getting the response below with an error of "access_denied"

http://localhost:8080/CernerDstu2/index.html?state=31486250&error=access_denied&error_uri=https%3A%2F%2Fauthorization.sandboxcerner.com%2Ferrors%2Furn%253Acerner%253Aerror%253Aauthorization-server%253Aoauth2%253Agrant%253Ainvalid-request%2Finstances%2F0a996914-0330-448d-bfbe-86bc4ac35fbd%3Fpersona%3Dprovider%26client%3Dc87b07a7-382c-4548-b6a2-8e3d67e76dfb%26tenant%3D0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca

Appreciate your help.

Thanks,

Ab

[Craig Hogan]

Hi Jenni, 

I think I am having the same issue as well.

Currently I cant get a token back.

I launch our webapp, get redirected to the millennium login and then returned to our app with a code.

This is where it gets a little tricky, I nearly always get a 400 error when I call the fhir token endpoint. All I am passing is; 

grant_type

code

clientId

redirect_URL 

The “code” is directly passed from the first API call, the error below is from fiddler:

 

HTTP/1.1 400 Bad Request

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: OPTIONS, POST

Access-Control-Allow-Headers: Content-Type, Authorization

Cache-Control: no-store

Pragma: no-cache

Cerner-Correlation-ID: 1fd243d0-6668-490e-973b-f9a054cb9004

Content-Type: application/json;charset=UTF-8

Content-Length: 308

 

Date: Thu, 12 Jan 2017 12:59:34 GMT

X-Cnection: close

Server: cloud_authorization_server1

Strict-Transport-Security: max-age=631138519; includeSubDomains

 

{"error":"invalid_grant","error_uri":"https://authorization.sandboxcerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Atoken%3Acode-invalid-or-expired/instances/1fd243d0-6668-490e-973b-f9a054cb9004?client=cbff8ccb-ee61-480a-9bd8-e3ab2395abbe&tenant=0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca"}

 

I can see the error message is “code invalid or expired”, but its only just been created, so I guess I am missing something from the POST statement?

If this isnt the same sort of error I can start a new thread if thats easier.

thanks Jenni (and cerner team)

[Michele Mottini]

Can you show us exactly what are you POSTing (body, headers etc) ? Maybe that would give us an idea

  - Michele

  CareEvolution Inc

[Jenni Syed (Cerner)]

Abakash,

The error in the response states that the request is invalid. You can actually load that error_uri if you want to see a "pretty" page (you would need to url decode it). In this case, it won't really give you more info beyond invalid request (like what exactly is invalid).

Can you post an example of your POST? Are all the required parameters included in the body?

[Jenni Syed (Cerner)]

Craig,

It looks like the error in the response is a bit different than the other example. In this case, it's stating that the code that was sent in was invalid or expired. Did you immediately try to exchange the code you received?

~ Jenni

[Abakash Samal]

Hello Jenni,

Thanks for your help.

I am getting error when I try to get the authorization code.

My URL to get the authorzation code is below:

https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/personas/provider/authorize?

response_type=code&

client_id=6c73c0a9-c6ec-4214-ad09-92891fbf9bd7&

aud=https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/&

scope=launch/patient,patient/Patient.read&

state=54084842&

redirect_uri=http://localhost:8080/CernerDstu2/index_standalone.html

After the GET call above I am directed to the FHIRPLAY login screen.

Then I get the error message with the code being undefined:

http://localhost:8080/CernerDstu2/index_standalone.html?

state=54084842&

error=access_denied&

error_uri=https%3A%2F%2Fauthorization.sandboxcerner.com%2Ferrors%2Furn%253Acerner%253Aerror%253Aauthorization-server%253Aoauth2%253Agrant%253Ainvalid-request%2Finstances%2F0fe7ac0e-9cf8-4d91-abd1-9ff6ba62e326%3Fpersona%3Dprovider%26client%3D6c73c0a9-c6ec-4214-ad09-92891fbf9bd7%26tenant%3D0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca

Thanks,

-Abakash

[Craig Hogan]

Hi, 

Yes I did, its passed back straight away to the token endpoint.

cheers

craig

[Abakash Samal]

After the login from Cerner Milleniumn login screen, there should be a redirect to index_standalone.html with a valid

state and code as request parameters. But only state is valid and code is undefined.

As a result the POST request within index_standalone.html to fetch access token is giving the 400 Invalid request.

[Jenni Syed (Cerner)]

Abakash,

The list of scopes must be space separated (not comment) and you will want to ensure you are escaping all of your parameters as well (ie: percent encoding the reserved or invalid URL characters like forward slash and space). The reason the app is not getting a code is because it's getting an error since the request was invalid.

~ Jenni

[Jenni Syed (Cerner)]

Craig,

Does this always occur? Or did it only occur the one time? If always, can you post an example of your auth response and resulting token request?

Thanks,

Jenni

On Thursday, January 19, 2017 at 9:34:58 AM UTC-6, Craig Hogan wrote:

[Jenni Syed (Cerner)]

Note, that was supposed to be "the list of scopes must be space separated (not comma)..."

[Abakash Samal]

Hi Jenni,

Should I be URL encoding the entire request url string? The entire URL encoded string is shown below:

https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/personas/provider/authorize?

response_type%3Dcode%26

client_id%3D6c73c0a9-c6ec-4214-ad09-92891fbf9bd7%26

scope%3Dpatient%2FPatient.read%26

aud%3Dhttps%3A%2F%2Ffhir-ehr.sandboxcerner.com%2Fdstu2%2F0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca%26

state%3D42045291%26

redirect_uri%3Dhttp%3A%2F%2Flocalhost%3A8080%2FCernerDstu2%2Findex_standalone.html

Also I removed the launch in the scope section. Just using one scope i.e. patient/Patient.read for now.

But now I get the cerner error message below saying request was not syntactically valid.

Information to provide to Technical Support

Correlation ID

d70affd2-0fc1-479b-8188-d0fdd88c020b

Information to provide to UNKNOWN_APP

The authorization request was not syntactically valid. Check to make sure the client_id, scopes, and response_type values are correct.

Error Code

urn:cerner:error:authorization-server:oauth2:grant:invalid-request

[Michele Mottini]

No, as in all URL you should encode only the parameter values (and parameter names if they contain special characters - that is not the case here

  - Michele

  CareEvolution Inc

[Abakash Samal]

Partial URL encoding string takes me to the cerner FHIRPLAY login screen. 

I enter userid/pwd as provider/provider. 

However, It does not redirect with a valid authorization code.

Again thanks for your help. But I am not sure if this is going to work.

Partial URL encoded - encoding only the request parameter values:

https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/personas/provider/authorize?

response_type=code&

client_id=6c73c0a9-c6ec-4214-ad09-92891fbf9bd7&

scope=patient%2FPatient.read&

aud=https%3A%2F%2Ffhir-ehr.sandboxcerner.com%2Fdstu2%2F0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca&

state=32782660&

redirect_uri=http%3A%2F%2Flocalhost%3A8080%2FCernerDstu2%2Findex_standalone.html

[Michele Mottini]

What is in the redirect URL? No code? an error? Or a code that is not valid? And if so - how do you know that it is not valid? Tried to get a auth token with it?

  - Michele 

  CareEvolution Inc

[Abakash Samal]

Thanks for your help Michelle.

The redirect URL after encoding is as below:

redirect_uri=http%3A%2F%2Flocalhost%3A8080%2FCernerDstu2%2Findex_standalone.html

The provider app in cerner portal has the redirect url :

Redirect URI: http://localhost:8080/CernerDstu2/index_standalone.html

As per my understanding if my login is successful, cerner should redirect to url above

with a valid state and auth code. But when I print the auth code it gets printed as "undefined"

My console logs show the values as below:

index***** state:87286149

index***** code:undefined

When I continue to use the code as above to get auth token, I get a 400 error.

[Michele Mottini]

The provider app in cerner portal has the redirect url :

Redirect URI: http://localhost:8080/CernerDstu2/index_standalone.html

As per my understanding if my login is successful, cerner should redirect to url above

with a valid state and auth code.

Yes, can you please show us the complete actual URL you are getting redirected to? 

  - Michele

  CareEvolution Inc

[Abakash Samal]

The complete URL being redirected to is as below with message saying "access_denied". 

Only the state is passed as parameter but not code. Also there is an error message.

I am using the userid/password as provider/provider as provided by the portal but not sure why the access is denied.

http://localhost:8080/CernerDstu2/index_standalone.html?

state=23814330&

error=access_denied&

error_uri=https%3A%2F%2Fauthorization.sandboxcerner.com%2Ferrors%2Furn%253Acerner%253Aerror%253Aauthorization-server%253Aoauth2%253Agrant%253Ainvalid-request%2Finstances%2Fc00dcc09-bb2f-4855-9149-0ab6fdeffe81%3Fpersona%3Dprovider%26client%3D6c73c0a9-c6ec-4214-ad09-92891fbf9bd7%26tenant%3D0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca

[Abakash Samal]

The error_uri seems have the message "Invalid Request"

But what's wrong with my reques url?

https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/personas/provider/authorize?

response_type=code&

client_id=6c73c0a9-c6ec-4214-ad09-92891fbf9bd7&

scope=patient/Patient.read&

aud=https%3A%2F%2Ffhir-ehr.sandboxcerner.com%2Fdstu2%2F0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca&

state=95671641&

redirect_uri=http%3A%2F%2Flocalhost%3A8080%2FCernerDstu2%2Findex_standalone.html

[Michele Mottini]

The scope is not URL encoded

  - Michele

  CareEvolution Inc 

[nrusingha.be...@gmail.com]

Hi Abakash,

In your provider facing app what are the scopes are selected?

In my case I am getting auth code in almost all user scope.

I have modified your url, put some parameters according to your configuration and test in the browser, you can find the code in the response url.

Try it:

https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/personas/provider/authorize?response_type=code&client_id=<your client_id>&aud=https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca&scope=user/Appointment.read&redirect_uri=<your redirect_url>

Thanks 

[Abakash Samal]

My provider app has the following scope:

Patient Scopes:

patient/Patient.read

I have just one Patient scope selected. No User scopes selected.

[Abakash Samal]

Hi nrusingha,

You are right. If I create a new provider app with only user scope for patient, it works, ie. user/Patient.read

Thank you.

Don't know why it wouldn't work with patient/Patient.read scope?

On Thursday, January 19, 2017 at 11:20:39 PM UTC-6, nrusingha.be...@gmail.com wrote:

[Jenni Syed (Cerner)]

Hi Abakash,

The patient scopes only work when you're doing a SMART launch and have a patient in context because they limit access to the data of a single patient. If you're launching your application from the code portal, then your application also needs to pass in the "launch" scope and the launch code that was passed to the application during launch.

If the application isn't supporting a SMART launch, there won't be a patient in context, and thus the patient/* scopes won't apply.

~ Jenni

[Abakash Samal]

Makes sense now. Thanks Jenni.

[nrusingha.be...@gmail.com]

Hi Jenni,

I got the token using this url: 

var tokenUrl = "https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/token"

the token json is like this:

{"access_token":"-- token code --","scope":"user/Observation.read","token_type":"Bearer","expires_in":570}

and I am getting details using this url:

var url = "https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Observation?subject%3APatient=3998008"

which returns a Json containing details about one patient (the one with patient code in the url).

Can you please explain how can I get list containing patient codes, 

[Jenni Syed (Cerner)]

When you say you want the list containing patient codes - are you just asking for a list of patients? If so, you can search patient by identifier (MRN etc) "in real life." If you're only trying to do this for testing in sandbox, use our open endpoint to find patients for testing [1], or check out our test patient list [2].

In production, currently most applications will launch in context. For example, from a patient's chart (and thus be restricted to that data) or by having the Patient themselves sign in, and requesting the launch/patient scope in order to have the user choose the patient that will be accessed. The other very likely use case is system to system, in which case, the other system often has a patient identifier that they can search by.

We'll be adding full patient search to non-smart launched applications, it just isn't available yet since most of our production applications have required other access methods.

[1] http://fhir.cerner.com/dstu2/patient/#search

[2] https://groups.google.com/d/msg/cerner-fhir-developers/edPUbVPIag0/LgD4mGTXBAAJ

~ Jenni

[Craig Hogan]

Hi Jenni, 

Sorry its taken a while to get back to you.

Sign in URI

https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/personas/provider/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A53046%2Ffhir%2Fcallback&client_id=cbff8ccb-ee61-480a-9bd8-e3ab2395abbe&scope=launch%2FPatient%2Cpatient%2FPatient%2Cuser%2FAppointment.read&response_type=code&launch=9e444e13-3cbe-4264-a72e-47343bb32421grant_type=authorization_code&aud=https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca

I end up here the first time to login

https://millennia.sandboxcerner.com/accounts/fhirplay.temp_rho.cernerasp.com/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/login/1737c3d9-b1b5-4856-b4f1-6015fe5f17f8/login

After login success we hit

https://millennia.sandboxcerner.com/accounts/fhirplay.temp_rho.cernerasp.com/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/login/1737c3d9-b1b5-4856-b4f1-6015fe5f17f8/return

my app is called back with a code passed in = 95196daa-c5ed-4972-9c5c-8e5f70fec48a

Then the trace looks like this:

Fiddler OUT

POST https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/token?response_type=code&client_id=cbff8ccb-ee61-480a-9bd8-e3ab2395abbe&code=95196daa-c5ed-4972-9c5c-8e5f70fec48a&grant_type=authorization_code&redirect_uri=http://localhost:9000/cerner-profile HTTP/1.1

Host: authorization.sandboxcerner.com

Content-Type: application/x-www-form-urlencoded

Content-Length: 0

Fiddler RESPONSE

HTTP/1.1 400 Bad Request

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: OPTIONS, POST

Access-Control-Allow-Headers: Content-Type, Authorization

Cache-Control: no-store

Pragma: no-cache

Cerner-Correlation-ID: 8d2d5f1b-e8ef-4164-803d-f79953ee7334

Content-Type: application/json;charset=UTF-8

Content-Length: 312

Date: Wed, 25 Jan 2017 22:34:10 GMT

X-Cnection: close

Server: cloud_authorization_server1

Strict-Transport-Security: max-age=631138519; includeSubDomains

{"error":"invalid_request","error_uri":"https://authorization.sandboxcerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Atoken%3Acode-invalid-redirect-uri/instances/8d2d5f1b-e8ef-4164-803d-f79953ee7334?client=cbff8ccb-ee61-480a-9bd8-e3ab2395abbe&tenant=0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca

I can see it says "code invalid redirect uri" but I dont understand what that means or how I can make it right?

thanks in advance for any help.

craig

[Kol Kheang (Cerner)]

Hi Craig,

The redirect_uri that is currently associated with this client cbff8ccb-ee61-480a-9bd8-e3ab2395abbe is http://localhost:53046/fhir/callback.  However, in your POST below you specified this URI as the redirect_uri: http://localhost:9000/cerner-profile.

Thanks,

Kol

[Craig Hogan]

Hi Kol,

That was a copy/paste error, that wasn't causing the issue directly, but it did make me look a little harder at the string being sent in and the answer is annoyingly simple.

The callback URL I have registered with the app is /calback/ however I was send it to the the API as /callBack/

The capitalisation was the issue, very simple and very annoying issue, makes sense to fail it from the API as its technically incorrect and one I should have checked earlier.

thanks for the help guys.

[nrusingha.be...@gmail.com]

Hi Craig,

are you able to get patient info after getting access token?

if yes, can you post your url to get the resource?

I have to verify the same with mine to check am I going right !!!

Thanks guys.

[莫欺少年qiong]

Hi Kol 

The url :https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/personas/provider/authorize?

client_id=02aa1e54-a041-419b-a87b-7bab99c1dddf&

response_type=code&

scope=user%2FPatient.read%20launch%20online_access%20openid%20profile&

redirect_uri=https%3A%2F%2Fe3f6b03c.ngrok.io%2Fcerner%2FlaunchPatient%2F&

state=24a2a12d-22e7-45bd-b361-3fb1cbd396ab&

aud=https%3A%2F%2Ffhir-ehr.sandboxcerner.com%2Fdstu2%2F0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca&

launch=ac971ca8-e3db-4ddb-ba3e-626e7f260cab

The url always redirect to

https://authorization.sandboxcerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Agrant%3Ainvalid-redirect-uri-trailing-slash/instances/10191cf5-a4df-4a6c-af50-8df4aa343049?persona=provider&client=02aa1e54-a041-419b-a87b-7bab99c1dddf&tenant=0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca

The page shows the info :

Error Code:

urn:cerner:error:authorization-server:oauth2:grant:invalid-redirect-uri-trailing-slash

[Benjamin Eichhorn (Cerner)]

Hi,

Per our group guidelines, could you please open up a new thread for your question or issue?

Thank you,

Ben (Cerner)