Using on-behalf-of-system authorization with Sandbox, getting urn:cerner:error:authorization-server:oauth2:token:invalid-tenant


Dmitry Lipin

Oct 27, 2022, 2:29:41 AM
to Oracle Cerner FHIR Developers
Hello Cerner Team,

I'm trying to follow the "requesting authorization on behalf of a system" use case:
https://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system

I have created a system account in Sandbox Cerner Central:

I've also created a new application in Sandbox Code Console and provided the system account's ID (as the Client ID) when creating this application. The application was created with the System type, and I selected the Millennium product family with both the FHIR R4 and DSTU APIs. I selected all API Access options that were available.

I'm trying to get an access token for the following FHIR environment:

To find the token URL, I obtained the metadata URL using the following command:

That gave me the following Token URL:
TOKEN URL      = https://authorization.sandboxcerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token

I'm trying to get an access token:

curl -v -X POST \
  https://authorization.sandboxcerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token \
  -H 'Accept: application/json' \
  -H 'Authorization: Basic <base64-of-system-account-clientid:client-secret>' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'cache-control: no-cache' \
  -d 'grant_type=client_credentials&scope=system%2FObservation.read%20system%2FPatient.read'

As a result, I'm getting the following error:
{"error":"invalid_grant","error_uri":"https://authorization.sandboxcerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Atoken%3Ainvalid-tenant/instances/063a538f-8b40-461b-ba00-7e39311c4924?client=xxx&tenant=ec2458f2-1e24-41c8-b71b-0e701af7583d"}

Correlation ID: 063a538f-8b40-461b-ba00-7e39311c4924

Opening that error_uri shows the following error:

Information to provide to <appName>
The tenant requested is not registered.
Error Code:
urn:cerner:error:authorization-server:oauth2:token:invalid-tenant

What does that error mean, and how do I fix it? Is there some step that I've missed while setting up the system account or the application? Where and how do I need to register the tenant?

I waited 15 minutes after the initial creation of the application before my first attempt at requesting an access token.

Thanks,
Dmitry Lipin

Ralph Rostock

Nov 1, 2022, 10:02:46 AM
to Oracle Cerner FHIR Developers
I'm having essentially the same problem; following.

Dmitry Lipin

Nov 2, 2022, 2:12:39 AM
to Oracle Cerner FHIR Developers
I was advised to request a production system account (and a related application in Code Console) to access the FHIR secured sandbox.

Tuesday, November 1, 2022 at 07:02:46 UTC-7, Ralph Rostock:

Dmitry Lipin

Nov 2, 2022, 2:35:16 AM
to Oracle Cerner FHIR Developers
See also:

Thanks,
Dmitry

Tuesday, November 1, 2022 at 23:12:39 UTC-7, Dmitry Lipin:

Aaron McGinn (Oracle Cerner)

Dec 5, 2022, 3:53:39 PM
to Oracle Cerner FHIR Developers
As mentioned in the other thread (reposting summary here for future reference), the domains you initially attempted to call were all sandboxcerner*.com, but the "public sandbox" (tenant: ec2458f2-1e24-41c8-b71b-0e701af7583d) is registered in the production region to reflect a client production environment. As such, the URLs should be cerner*.com (no 'sandbox').

Where did you initially find the references to the sandbox URLs? I'd like to make sure our documentation is up to date and unambiguous!

-Aaron (Oracle Cerner)
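As an added example (not code from the thread or from Oracle Cerner), the token request from the first post rebuilt offline, plus a decoder for the error body it received and the fix Aaron describes: on invalid-tenant, drop "sandbox" from the authorization host. The client id/secret are constructed placeholders, and deriving the production host by removing "sandbox" is an assumption based on Aaron's reply.

```python
import base64
import json
from urllib.parse import urlencode, urlparse, urlunparse, parse_qs, unquote, quote

# Token URL and error body are the ones quoted in the first post.
SANDBOX_TOKEN_URL = ("https://authorization.sandboxcerner.com/tenants/"
                     "ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token")
SAMPLE_ERROR = ('{"error":"invalid_grant","error_uri":"https://authorization.sandboxcerner.com/errors/'
                'urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Atoken%3Ainvalid-tenant/instances/'
                '063a538f-8b40-461b-ba00-7e39311c4924?client=xxx&tenant=ec2458f2-1e24-41c8-b71b-0e701af7583d"}')


def build_token_request(token_url, client_id, client_secret, scopes):
    """Return (url, headers, body) for an OAuth2 client_credentials grant.
    The secret travels only in the Basic header, never in the URL or body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Accept": "application/json",
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # quote_via=quote encodes spaces as %20 and slashes as %2F, matching the curl body.
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)}, quote_via=quote)
    return token_url, headers, body


def parse_token_error(response_text):
    """Pull the Cerner error URN, tenant and correlation id out of an error_uri.
    Returns None for responses that carry no error_uri (e.g. a successful token)."""
    data = json.loads(response_text)
    if "error_uri" not in data:
        return None
    uri = urlparse(data["error_uri"])
    parts = uri.path.split("/")  # /errors/<encoded urn>/instances/<correlation id>
    return {
        "error": data.get("error"),
        "urn": unquote(parts[2]) if len(parts) > 2 else "",
        "correlation_id": parts[4] if len(parts) > 4 else "",
        "tenant": parse_qs(uri.query).get("tenant", [""])[0],
    }


def suggested_token_url(token_url, err):
    """The thread's resolution: the public sandbox tenant is registered in the
    production region, so on invalid-tenant retry against the host without 'sandbox'.
    Assumption: the production host is the sandbox host minus that substring."""
    if not err or not err["urn"].endswith(":token:invalid-tenant"):
        return token_url
    u = urlparse(token_url)
    return urlunparse(u._replace(netloc=u.netloc.replace("sandbox", "")))
```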