[Requesting Authorization on Behalf of a System] urn:cerner:error:authorization-server:oauth2:token:empty-scopes

240 views
Skip to first unread message
Assigned to Fenil....@cerner.com by me

Louis Nguyen

unread,
Sep 14, 2021, 10:48:28 AM9/14/21
to Cerner FHIR Developers
Hi Cerner,

Our perspective is to integrate our system with your system using APIs.

I think "Requesting Authorization on Behalf of a System" is a proper way for authorization.

For your document, I tried with curl.
Request
I hid the secret.

export SYSTEM_ACCOUNT_CLIENT_ID="ed9830bd-07b8-475c-b756-1813511c6262"
export SYSTEM_ACCOUNT_CLIENT_SECRET="my secret"

-H 'Accept: application/json' \
-H "Authorization: Basic $(echo -n $SYSTEM_ACCOUNT_CLIENT_ID:$SYSTEM_ACCOUNT_CLIENT_SECRET | base64)" \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'cache-control: no-cache' \
-d 'grant_type=client_credentials&scope=system%2FObservation.read%20system%2FPatient.read'

Response

By opening the error URI, it shows an invalid application that was created by us.

Would you help us on
- Empty scopes issue: where can we manage these scope?
- Likely, the system is pointing to an invalid application.

Best Regards,

Louis Nguyen

unread,
Sep 14, 2021, 11:00:05 AM9/14/21
to Cerner FHIR Developers
By the way, I cannot create a system appCerner - Cannot create a system app.png

Error message: Error! Failed to register your SMART app. Please try again!

Kol Kheang (Cerner)

unread,
Sep 14, 2021, 12:46:20 PM9/14/21
to Cerner FHIR Developers
Hello,

This system app is already registered, and cannot be re-registered again with the same system account. I can see that this app currently has system/Account.read scope. However, in the request above, the scopes sent are system/Observation.read and system/Patient.read. Since the app does not have these scopes registered, the server responded with an empty scope errors.

My recommendation is to update this app and select additional scopes that are needed such as system/Patient.read and system/Observation.read.


Regards,
Kol

Louis Nguyen

unread,
Sep 14, 2021, 10:21:07 PM9/14/21
to Cerner FHIR Developers
Excellent, Kol Kheang!

I can get the access token now.

On the Code, I only see provider apps. I don't see system app or apps that were created fail.
Would you help us a way to see and manage system app and failed app.

For example:
There is a system app - "Clearwave Dev Demo", but I don't see it in the My Apps tab.
Screen Shot 2021-09-15 at 09.16.45.png

Message has been deleted

Louis Nguyen

unread,
Sep 15, 2021, 5:51:38 AM9/15/21
to Cerner FHIR Developers
Hi Kol Kheang,

The way our application will communicate with the Cerner system. They will be using APIs.
Screen Shot 2021-09-15 at 16.40.52.png
Would you help us to clarify some concerns!

1. Authorization strategy
Likely, the "Requesting Authorization on Behalf of a System" is the only way in this case.

2. Each hospital/practice has his/her tenant Id
Where shall we get this value?
For example, we have an account id "ed9830bd-07b8-475c-b756-1813511c6262" in the Cerner system, so what is our tenant id? :) 

From your document, I see an URL: 
https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token
I think "ec2458f2-1e24-41c8-b71b-0e701af7583d" is a tenant id. Is it correct?

3. Will Clearwave use its system app + practice's tenant Id to request API?

4. Will Clearwave use practice's credentials (tenant id, client id, client secret, scope) to request API? 

Best Regards,

Louis Nguyen

unread,
Sep 15, 2021, 10:22:46 PM9/15/21
to Cerner FHIR Developers
Hi Cerner team,

Would you help us!

Kol Kheang (Cerner)

unread,
Sep 16, 2021, 3:58:25 PM9/16/21
to Cerner FHIR Developers
Hello!

I'll try to answer your questions.

1. If the app is meant to be interacting with the systems without any user interaction, then what you have listed is the right approach.
2. Correct. Each hospital/practice will have its own unique tenant identifier. For example, "ec2458f2-1e24-41c8-b71b-0e701af7583d" is the tenant identifier for "Sandbox". You can work with us or the hospital/practice to obtain the tenant identifier.
3. Yes, the tenant identifier will be part of the URL. The system account and the secret for the system app is used as an authorization when making API calls.
4. The system app has its own credential to request for an access token from the authz server. The app will need to supply the tenant id, client id, secret, scopes and other information to request for an access token. The system app has to be provisioned for a specific tenant in order to access data and make any API call related to that tenant. Please check out the documentation here for further info.


Thanks,
Kol

Louis Nguyen

unread,
Sep 16, 2021, 11:23:04 PM9/16/21
to Cerner FHIR Developers
Hi Kol Kheang,

It is more clear now! :)

Thank you so much!

Quốc Hùng Thi

unread,
Sep 17, 2021, 5:29:38 AM9/17/21
to Cerner FHIR Developers
Hi Kol Kheang,

I would like to ask does system account or system app comes with the tenant ID? 
If there is, how can we get it and what is our account tenant ID?
Our account ID is "ed9830bd-07b8-475c-b756-1813511c6262"

Thanks,
Hung  

Fenil Desani (Cerner)

unread,
Sep 22, 2021, 10:28:24 AM9/22/21
to Cerner FHIR Developers
System Account - Refers to your account which hosts your AccountID and Secret
System App - Your FHIR App to make API calls
TenantID - A unique identifier identifying each each hospital system/domain

TenantID for our public Sandbox: ec2458f2-1e24-41c8-b71b-0e701af7583d
If you are directly integrating with a client, please work through the client to get the tenantID or ask them to log a ticket to Cerner.
If you are part of the CODE program, please reach out through your CODE contacts or through uCern to get specific TenantIds.

Message has been deleted

Louis Nguyen

unread,
Sep 27, 2021, 12:34:19 AM9/27/21
to Cerner FHIR Developers
Hi Cerner team,

Regarding pricing models, do we have pages or documents for that?
We are evaluating the cost.

Thanks,

Fenil Desani (Cerner)

unread,
Sep 27, 2021, 12:09:38 PM9/27/21
to Cerner FHIR Developers
Those can be found at https://code.cerner.com/apiaccess

Louis Nguyen

unread,
Sep 27, 2021, 11:00:24 PM9/27/21
to Cerner FHIR Developers
Hi,

I am sorry, I don't found my case on that page.

We are utilizing APIs of https://fhir.cerner.com/millennium/overview/ to sync data between our system and the Cerner system.
I am not sure whether our app will be a provider app, won't it?

Would you help me with this case!

Fenil Desani (Cerner)

unread,
Sep 28, 2021, 9:37:02 AM9/28/21
to Cerner FHIR Developers
If there is no end-user interaction, and the App makes B2B calls, then you have a System App.
The provider use case would apply for a System App.

Louis Nguyen

unread,
Sep 28, 2021, 9:39:08 PM9/28/21
to Cerner FHIR Developers
Thank you for your answer, Fenil!

Louis Nguyen

unread,
Sep 29, 2021, 4:30:01 AM9/29/21
to Cerner FHIR Developers
Hi, Fenil again :)

From the page API Access and Fees, we focus on two sessions:

Whether the first is talking about fee, last one talks about the official process that must be completed before using the Cerner APIs?

Thanks,

Louis Nguyen

unread,
Sep 29, 2021, 10:12:34 PM9/29/21
to Cerner FHIR Developers
Hi Cerner,

Would you please help me on the previous email!

Fenil Desani (Cerner)

unread,
Sep 30, 2021, 10:50:08 AM9/30/21
to Cerner FHIR Developers
Hello,

The fee information and overview can be found on Cerner Ignite APIs for provider access app developers
If you need to join the code Program, you can refer https://code.cerner.com/submit 

Reply all
Reply to author
Forward
0 new messages