[Requesting Authorization on Behalf of a System] urn:cerner:error:authorization-server:oauth2:token:empty-scopes

[Louis Nguyen]

Hi Cerner,

Our perspective is to integrate our system with your system using APIs.

I think "Requesting Authorization on Behalf of a System" is a proper way for authorization.

For your document, I tried with curl.

Request

I hid the secret.

export SYSTEM_ACCOUNT_CLIENT_ID="ed9830bd-07b8-475c-b756-1813511c6262"

export SYSTEM_ACCOUNT_CLIENT_SECRET="my secret"

curl -X POST 'https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token' \

-H 'Accept: application/json' \

-H "Authorization: Basic $(echo -n $SYSTEM_ACCOUNT_CLIENT_ID:$SYSTEM_ACCOUNT_CLIENT_SECRET | base64)" \

-H 'Content-Type: application/x-www-form-urlencoded' \

-H 'cache-control: no-cache' \

-d 'grant_type=client_credentials&scope=system%2FObservation.read%20system%2FPatient.read'

Response

{

    "error": "unauthorized_client",

    "error_uri": "https://authorization.cerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Atoken%3Aempty-scopes/instances/3928517d-a8b1-40c2-bc4c-d5c14fc494d3?client=ed9830bd-07b8-475c-b756-1813511c6262&tenant=ec2458f2-1e24-41c8-b71b-0e701af7583d"

}

By opening the error URI, it shows an invalid application that was created by us.

Would you help us on

- Empty scopes issue: where can we manage these scope?

- Likely, the system is pointing to an invalid application.

Best Regards,

[Louis Nguyen]

By the way, I cannot create a system app

Error message: Error! Failed to register your SMART app. Please try again!

[Kol Kheang (Cerner)]

Hello,

This system app is already registered, and cannot be re-registered again with the same system account. I can see that this app currently has system/Account.read scope. However, in the request above, the scopes sent are system/Observation.read and system/Patient.read. Since the app does not have these scopes registered, the server responded with an empty scope errors.

My recommendation is to update this app and select additional scopes that are needed such as system/Patient.read and system/Observation.read.

Regards,

Kol

[Louis Nguyen]

Excellent, Kol Kheang!

I can get the access token now.

On the Code, I only see provider apps. I don't see system app or apps that were created fail.

Would you help us a way to see and manage system app and failed app.

For example:

There is a system app - "Clearwave Dev Demo", but I don't see it in the My Apps tab.

[Louis Nguyen]

Hi Kol Kheang,

The way our application will communicate with the Cerner system. They will be using APIs.

Would you help us to clarify some concerns!

1. Authorization strategy

Likely, the "Requesting Authorization on Behalf of a System" is the only way in this case.

2. Each hospital/practice has his/her tenant Id

Where shall we get this value?

For example, we have an account id "ed9830bd-07b8-475c-b756-1813511c6262" in the Cerner system, so what is our tenant id? :) 

From your document, I see an URL: 

https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token
I think "ec2458f2-1e24-41c8-b71b-0e701af7583d" is a tenant id. Is it correct?

3. Will Clearwave use its system app + practice's tenant Id to request API?

4. Will Clearwave use practice's credentials (tenant id, client id, client secret, scope) to request API? 

Best Regards,

[Louis Nguyen]

Hi Cerner team,

Would you help us!

[Kol Kheang (Cerner)]

Hello!

I'll try to answer your questions.

1. If the app is meant to be interacting with the systems without any user interaction, then what you have listed is the right approach.

2. Correct. Each hospital/practice will have its own unique tenant identifier. For example, "ec2458f2-1e24-41c8-b71b-0e701af7583d" is the tenant identifier for "Sandbox". You can work with us or the hospital/practice to obtain the tenant identifier.

3. Yes, the tenant identifier will be part of the URL. The system account and the secret for the system app is used as an authorization when making API calls.

4. The system app has its own credential to request for an access token from the authz server. The app will need to supply the tenant id, client id, secret, scopes and other information to request for an access token. The system app has to be provisioned for a specific tenant in order to access data and make any API call related to that tenant. Please check out the documentation here for further info.

Thanks,

Kol

[Louis Nguyen]

Hi Kol Kheang,

It is more clear now! :)

Thank you so much!

[Quốc Hùng Thi]

Hi Kol Kheang,

I would like to ask does system account or system app comes with the tenant ID? 

If there is, how can we get it and what is our account tenant ID?

Our account ID is "ed9830bd-07b8-475c-b756-1813511c6262"

Thanks,

Hung  

[Fenil Desani (Cerner)]

System Account - Refers to your account which hosts your AccountID and Secret

System App - Your FHIR App to make API calls

TenantID - A unique identifier identifying each each hospital system/domain

TenantID for our public Sandbox: ec2458f2-1e24-41c8-b71b-0e701af7583d

If you are directly integrating with a client, please work through the client to get the tenantID or ask them to log a ticket to Cerner.

If you are part of the CODE program, please reach out through your CODE contacts or through uCern to get specific TenantIds.

[Louis Nguyen]

Hi Cerner team,

Regarding pricing models, do we have pages or documents for that?

We are evaluating the cost.

Thanks,

[Fenil Desani (Cerner)]

Those can be found at https://code.cerner.com/apiaccess

[Louis Nguyen]

Hi,

I am sorry, I don't found my case on that page.

We are utilizing APIs of https://fhir.cerner.com/millennium/overview/ to sync data between our system and the Cerner system.

I am not sure whether our app will be a provider app, won't it?

Would you help me with this case!

[Fenil Desani (Cerner)]

If there is no end-user interaction, and the App makes B2B calls, then you have a System App.
The provider use case would apply for a System App.

[Louis Nguyen]

Thank you for your answer, Fenil!

[Louis Nguyen]

Hi, Fenil again :)

From the page API Access and Fees, we focus on two sessions:

- Cerner Ignite APIs for provider access app developers
- Connecting a provider access app

Whether the first is talking about fee, last one talks about the official process that must be completed before using the Cerner APIs?

Thanks,

[Louis Nguyen]

Hi Cerner,

Would you please help me on the previous email!

[Fenil Desani (Cerner)]

Hello,

The fee information and overview can be found on Cerner Ignite APIs for provider access app developers

If you need to join the code Program, you can refer https://code.cerner.com/submit