offline_access issue

[santhanam....@ggktech.com]

Hi, I'm facing an issue while registering provider-facing app on "https://code.cerner.com/developer/smart-on-fhir/apps" with offline_access scope. I gave Account ID:209ed314-9834-4624-af8d-f0eab262f2ed as system account GUID. But it throws an error "Error! Failed to register your SMART app. Please try again!". Kindly help me with this issue ASAP.

[Jenni Syed (Cerner)]

Hi,

We do not currently support provider facing applications accessing with offline_access, only patient facing applications can currently access the system with this scope. I'm not sure if this caused this error directly, but I don't believe it will allow you to register a provider access application with offline_access scope.

See here for more cosiderations about offline_access: http://fhir.cerner.com/authorization/#considerations-for-handling-offlineaccess

~ Jenni

[Kol Kheang (Cerner)]

Hi,

In addition to what Jenni said, you cannot use the same account ID for multiple apps.

Thanks,

Kol

[Santhanam Krishnasamy]

Now that the offline access is not applicable for our application , can you point us to the right direction or do you know any java framework that can help us for the cerner authorization.

Currently we generate the access token using this website "https://authz-demo.sandboxcerner.com/client/demo".

PS : Tried creating patient app type application for offline access, it failed as well.

[Jenni Syed (Cerner)]

The SMART specification is a profile on OAuth 2 and OpenID Connect - so I would look towards a java OAuth 2 client. I've used nimbus previously for OpenId/OAuth 2 (server side), but your milage may vary - no library I'm aware of implements SMART out of the box.

You may also want to try reaching out to the HAPI group (the java FHIR reference library) to see if they or other users of HAPI have any recommendations on libraries that will work well with their stack (assuming you're using the HAPI implementation). There may be previous posts in that group as well.

~ Jenni

[Brian Kenah]

Jenni - If we modified this to be a patient facing application (it is actually both, but primarily consumer-based), would that help?

Is it possible to change the application "type" after it has already been registered?

Thanks for the responses!

Brian

[Jenni Syed (Cerner)]

If it was patient facing, it could also use offline access (the users signing in would only be patients). 

Let me check on the changing type - I know there use to be a limitation preventing the existing owner of an app from deleting and re-add or changing type directly. I can see that there's a "deleted" application that was registered to you, so I do not think that someone else would be able to register a new app with that same id.

~ Jenni

[Kol Kheang (Cerner)]

Brian,

Modify app type after registered is not supported.  I'd recommend register 2 clients for your app so that you can use each client for each of your use case.

Thanks,

Kol

[Jenni Syed (Cerner)]

Brian -

Are you needing to flip your existing (deleted) account to active and make it patient facing? It looks like you'll just need 1 account if you need offline_access (since we don't allow this for provider)?

Or are you also wanting an online_access/"normal" provider-facing application?

~ Jenni

[ravishan...@ggktech.com]

Hi Kol

We are trying to register 2 clients;

1) For the provider (with online_access) app

2) For the patient (with offline_access) app

However - while trying to do step-2, registering patient app - we are facing below-mentioned error.

Please help us in getting this issue resolved.

Error! Failed to register your SMART app. Please try again!

Thanks

Ravi

[ravishan...@ggktech.com]

Hi Jenni

For now - we are trying to create 2 separate clients.

1) For the provider (with online_access) app

2) For the patient (with offline_access) app

However, while registering the patient app with the system account id provided - we are not able to proceed with the below-mentioned error.

Error! Failed to register your SMART app. Please try again!

Thanks

Ravi

[Jenni Syed (Cerner)]

I had to manually clean up some of the data from the old app. Can you try again?

Also: FYI - Postman doesn't handle SMART's OAuth 2 request appropriately (it has to pass in additional headers). I noticed that the redirect originally pointed to postman.

~ Jenni

[ravishan...@ggktech.com]

Now we are able to register patient app successfully in code portal.

We are trying to build a java spring interface to consume Cerner services - like booking an appointment and retrieving the booked appointments.

Is it possible to have SMART OAuth without any browser or web page interaction?

As of now we are getting OAuth token manually from the Cerner demo app and interacting with Cerner API.

https://authz-demo.sandboxcerner.com/client/demo

Our aim is to automate the OAuth token generation process - however, due to multiple redirects while authentication we are unable to automate this process.

Can you please extend some help or any pointers on this?

Thank you in advance!

Thanks

Ravi

[Jenni Syed (Cerner)]

Ravi,

If you intend to have a patient signed in, they must authenticate, and the user/pass cannot go through the application (you cannot automate the token process).

If you do not have a user authenticated/using the application, you should look at using access on behalf of a system, which is not widely available in production right now. These also do not qualify as applications that access data on behalf of a patient, and must go through the code program.

~ Jenni

[ravishan...@ggktech.com]

Thanks Jenni for the details.

I want to try out the access on behalf of the system - however, I'm once again facing same error mentioned earlier while registering an app as a System app.

I have deleted the existing patient app which is using the system account for offline access and trying to create a new app type "System" in code portal.

Error! Failed to register your SMART app. Please try again!

Can you please once again manually do the clean up the data from the old app.

I'll check the access on behalf of the system after registering the app.

Thank you!

Thanks

Ravi

[Jenni Syed (Cerner)]

Done!

~ Jenni

[ravishan...@ggktech.com]

Thanks, Jenni. Now I'm able to register an app as "System" type of app.

I do understand the limitation of this being a feature available only in development but not in Production.

Thank you so much for all your help.

Thanks and regards

Ravi

On Wednesday, November 29, 2017 at 9:12:26 PM UTC+5:30, Jenni Syed (Cerner) wrote:

Done!

~ Jenni