Request failing with 403 due to 'insufficient scope'
385 views
Skip to first unread message
Assigned to Fenil....@cerner.com by me
Michele Mottini
Nov 11, 2021, 2:24:09 PM11/11/21
to Cerner FHIR Developers, Haritha Menta
Hi,
and indeed the access token comes from a refresh token operation that did not return the patient/RelatedPerson.read . .. but the strange thing is that we did not have this error on the first connection, so it appears that refreshing the token sometimes grants less scopes than the original authorization?
we had some failures like this from Indiana University Health:
- When : 11/10/2021 12:21:43 PM -05:00
- Resource : RelatedPerson
- Request : GET https://fhir-myrecord.cerner.com/dstu2/4ek42qnrCibOKYPH3Swwzqc3pT1bonJw/RelatedPerson?patient=3938235
- Response status code : 403
- Response headers
- Response :
{ "resourceType": "OperationOutcome", "issue": [ { "severity": "error", "code": "forbidden", "diagnostics": "Bearer realm=\"fhir-myrecord.cerner.com\", error=\"insufficient_scope\"", "location": [ "http.Authorization" ] } ] }
Thanks
Cheers
- Michele
CareEvolution
Justin Tubbs
Nov 11, 2021, 3:53:15 PM11/11/21
to Cerner FHIR Developers
Michele,
(2) Things to take a look at on your side:
1) Your https://code.cerner.com/developer/smart-on-fhir/apps SMART on FHIR App page...ensure that the User/Patient/System scopes you desire for FHIR Resources are properly configured there
2) Your /token request's response payload will indicate the list of "scopes" that the "access_token" can be used for. Make sure that listing matches, otherwise there is nothing Cerner can do to help you out. To fix with a Provider app, make sure your Redirect Url has the correct list of "scopes" configured. To fix with a System app, make sure your list of "scopes" that is sent to the /token endpoint matches what you have in the code.cerner.com/developer/smart-on-fhir/apps page for your application.
If you've done both of these, and everything on your side has been configured appropriately, then time to enter a Service Record (SR) using the eservice.cerner.com web portal. I've had scenarios where I was using the FHIR Sandbox/CernerSandbox and changes made to the code.cerner.com SMART on FHIR App page to my "scopes" had to be MANUALLY applied by Cerner associates (there was no automation to do this within 15 minutes like there is for production applications that do NOT use the Sandbox)
Justin
1) Your https://code.cerner.com/developer/smart-on-fhir/apps SMART on FHIR App page...ensure that the User/Patient/System scopes you desire for FHIR Resources are properly configured there
2) Your /token request's response payload will indicate the list of "scopes" that the "access_token" can be used for. Make sure that listing matches, otherwise there is nothing Cerner can do to help you out. To fix with a Provider app, make sure your Redirect Url has the correct list of "scopes" configured. To fix with a System app, make sure your list of "scopes" that is sent to the /token endpoint matches what you have in the code.cerner.com/developer/smart-on-fhir/apps page for your application.
If you've done both of these, and everything on your side has been configured appropriately, then time to enter a Service Record (SR) using the eservice.cerner.com web portal. I've had scenarios where I was using the FHIR Sandbox/CernerSandbox and changes made to the code.cerner.com SMART on FHIR App page to my "scopes" had to be MANUALLY applied by Cerner associates (there was no automation to do this within 15 minutes like there is for production applications that do NOT use the Sandbox)
Justin
Fenil Desani (Cerner)
Nov 19, 2021, 4:11:18 PM11/19/21
to Cerner FHIR Developers
Hello Michele,
Can you provide the X-request-i for the failure?
Thanks,
Fenil
Reply all
Reply to author
Forward
0 new messages