Authorization on Behalf of a System not working

[Michal Hadrava]

Hi,

I'm trying to get an access token on behalf of a system as described here: 

http://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system

However, when running the following example from the documentation with my System account ID and client secret:

curl -X POST 'https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token' \

  -H 'Accept: application/json' \

  -H "Authorization: Basic $(echo -n 7a58ef27-bc6e-4083-9eed-36c6a4b552f1:secret | base64)" \

  -H 'Content-Type: application/x-www-form-urlencoded' \

  -H 'cache-control: no-cache' \

  -d 'grant_type=client_credentials&scope=system%2FObservation.read%20system%2FPatient.read'

I'm getting the following error:

{"error":"invalid_scope","error_uri":"https://authorization.cerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Atoken%3Aempty-scopes/instances/c144a01c-5b4a-4974-a87c-74661a88921a?client=7a58ef27-bc6e-4083-9eed-36c6a4b552f1&tenant=ec2458f2-1e24-41c8-b71b-0e701af7583d"}

My registered app ("******* - System access") has all the possible accesses enabled, so what am I doing wrong?

Thanks!

Michal

[Fenil Desani (Cerner)]

Hello Michal,

Your App has all the User and Patient level scopes and looks to be registered as a Provider App.

How did you register the App?

Thanks,
Fenil