Authorization request error for System account

758 views

divya korangi

Oct 3, 2017, 4:59:35 PM
to Cerner FHIR Developers
If this is a question about an error or issue you are seeing, please fill out the following fields:

  • Issue Summary: (include links to documentation, and describe what you've tried so far. Do NOT include request or response bodies unless this is from our public sandbox)
  • X-Request-Id or CorrelationId: (from Response or Error Message)

Hi,

I am trying to get an access token for a System account to get Patient details (http://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system).

Request:
 
Host: authorization.sandboxcerner.com
Authorization: Basic base64(clientid:secret)
Accept: application/json
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&scope=system/Patient.read

Response:

I get this response -

Error code- 504
ReadResponse() failed: The server did not return a complete response for this request. Server returned 0 bytes.  

I do not see any correlationId in the response
I get the access token when I test the connection from the system account. I get this error when I use a web debugging tool like Fiddler to send the request in the above format.
Can you please suggest what could I be doing wrong here?

Thanks,
Divya

divya korangi

Oct 6, 2017, 3:19:24 PM
to Cerner FHIR Developers
When I try the format in which the request is sent as a test through the system account -

GET /oauth/access?oauth_consumer_key=<client_id>&oauth_signature_method=PLAINTEXT&oauth_timestamp=1507058575&oauth_nonce=1630501083269071&oauth_version=1.0&oauth_signature=<secret> HTTP/1.1
Connection: Keep-Alive

I get the error -

HTTP/1.1 502 Fiddler - Connection Failed
Date: Fri, 06 Oct 2017 19:18:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Cache-Control: no-cache, must-revalidate
Timestamp: 14:18:31.304

[Fiddler] The connection to 'api.sandboxcernercare.com' failed.
Error: ConnectionRefused (0x274d).
System.Net.Sockets.SocketException No connection could be made because the target machine actively refused it 159.140.206.157:80


Jenni Syed (Cerner)

Oct 6, 2017, 3:44:01 PM
to Cerner FHIR Developers
Divya,

What is your app id (not client id) listed as in the code portal?

~ Jenni

divya korangi

Oct 6, 2017, 3:46:42 PM
to cerner-fhir...@googlegroups.com

App Id: d4a25bd0-4136-4118-a313-fc5c093a5e08 


--
You received this message because you are subscribed to a topic in the Google Groups "Cerner FHIR Developers" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/cerner-fhir-developers/yvEzpxWSa8c/unsubscribe.
To unsubscribe from this group and all its topics, send an email to cerner-fhir-developers+unsub...@googlegroups.com.
To post to this group, send email to cerner-fhir-developers@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/750ae74a-3b28-4706-b992-a5b8e72d54f1%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--
Regards,
Divya

Jenni Syed (Cerner)

Oct 6, 2017, 3:58:40 PM
to Cerner FHIR Developers
Looking at all requests from today to authorization.sandboxcerner.com, the app seems to be using similar requests example from the system accounts api (which the app also shouldn't use) - OAuth 1.0, which won't work (no nonce, oauth version, signature method, etc should be used - that's the wrong version of OAuth). That may not represent all requests made, since I don't think I can easily find any that are OAuth 2 style. However, all of those are to the wrong endpoint (there is no /oauth/access endpoint).

When doing system access, you'll need to use the token endpoint from the FHIR conformance statement. See http://fhir.cerner.com/millennium/dstu2/conformance/#response-closed-endpoint for an example and information on how to look this up dynamically. This shouldn't be hard coded.

An example request and URL is also shown in the example here: http://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system

~ Jenni
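Jenni's advice is to read the token URL from the conformance statement rather than hard-code it. As an added Python example (not code from the thread or from Cerner), this walks a conformance statement for the SMART oauth-uris extension, which is where SMART-on-FHIR servers publish their authorize and token endpoints. The extension layout is taken from the SMART App Launch specification, not from this page; the sample statement is constructed (its token URL is the sandbox one quoted later in this thread, its authorize URL is a placeholder), and the https check reflects Jenni's later note that the request must go to https.

```python
import json
from urllib.parse import urlparse

# Extension URL defined by the SMART App Launch spec for advertising OAuth
# endpoints inside a conformance/capability statement (assumption: the thread
# only links to Cerner's example, it does not show the structure).
OAUTH_URIS_EXT = "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"


def smart_endpoints(conformance: dict) -> dict:
    """Map SMART endpoint names ('token', 'authorize', ...) to URLs.

    Walks rest[].security.extension[] looking for the oauth-uris extension and
    flattens its nested extension[] entries. Returns {} when none is present.
    """
    for rest in conformance.get("rest", []):
        if rest.get("mode", "server") != "server":
            continue
        for ext in rest.get("security", {}).get("extension", []):
            if ext.get("url") != OAUTH_URIS_EXT:
                continue
            return {e["url"]: e["valueUri"]
                    for e in ext.get("extension", []) if "valueUri" in e}
    return {}


def find_token_url(conformance: dict):
    """Token endpoint from the statement, or None if it advertises none."""
    return smart_endpoints(conformance).get("token")


def validate_token_url(url: str) -> list:
    """Sanity checks before using a discovered token endpoint."""
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append("token endpoint must use https")
    if not parts.netloc:
        problems.append("token endpoint has no host")
    return problems


# Constructed sample: a minimal DSTU2 Conformance resource shaped like the
# secure-sandbox metadata discussed in the thread (security section only).
# The authorize URL is a placeholder; the token URL is the sandbox one from
# this thread.
SAMPLE_CONFORMANCE = json.loads("""
{
  "resourceType": "Conformance",
  "rest": [{
    "mode": "server",
    "security": {
      "extension": [{
        "url": "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris",
        "extension": [
          {"url": "authorize",
           "valueUri": "https://example.invalid/authorize"},
          {"url": "token",
           "valueUri": "https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/token"}
        ]
      }]
    }
  }]
}
""")

if __name__ == "__main__":
    url = find_token_url(SAMPLE_CONFORMANCE)
    print(url, validate_token_url(url))
```

In a real client the dict passed in would be the parsed JSON from a GET of the `/metadata` URL; the point is that the token endpoint comes from the server's own statement and is checked before any credentials are sent to it.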



divya korangi

Oct 6, 2017, 4:15:00 PM
to cerner-fhir...@googlegroups.com
I am getting the conformance statement from the https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/metadata URL. I have taken this from http://fhir.cerner.com/millennium/dstu2/ - Secure sandbox.

My Request looks like :

POST /tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/token HTTP/1.1
Authorization:  Basic base64(clientd:secret)
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Connection: close
grant_type=client_credentials&scope=system/Patient.read

I get 2 responses

HTTP/1.0 301 Moved Permanently
Server: BigIP
Connection: close
Content-Length: 0


HTTP/1.1 405
Allow: POST,OPTIONS
Cache-Control: no-store
Pragma: no-cache
Cerner-Correlation-ID: bb1914f8-3def-4d36-9cb0-b02d63e83df4
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 126
Date: Fri, 06 Oct 2017 20:13:20 GMT
Server: cloud_authorization_server1
Strict-Transport-Security: max-age=631138519; includeSubDomains

<!DOCTYPE html><html><head><title>Error report</title></head><body><h1>HTTP Status 405 - Method Not Allowed</h1></body></html>








--
Regards,
Divya

divya korangi

Oct 10, 2017, 5:52:09 PM
to Cerner FHIR Developers

Do we get a separate URL to get the conformance statement from when we have a system account?
I am currently using the one from http://fhir.cerner.com/millennium/dstu2/ - Secure sandbox and it doesn't seem to work.

Also, how come I am getting a bearer token from /oauth/access endpoint when I make the call from inside the system account?  the below call returns a bearer token in the system account.

Request

"GET /oauth/access?oauth_consumer_key=<clientid>&oauth_signature_method=PLAINTEXT&oauth_timestamp=1507058575&oauth_nonce=1630501083269071&oauth_version=1.0&oauth_signature=<secret>%26 HTTP/1.1[\r][\n]

"Host: api.sandboxcernercare.com[\r][\n]

"Connection: Keep-Alive[\r][\n]

"[\r][\n]

Jenni Syed (Cerner)

Oct 10, 2017, 6:38:54 PM
to Cerner FHIR Developers
The token URL is used from the metadata endpoint documented here: http://fhir.cerner.com/millennium/dstu2/#secure-sandbox (the token URL is the one system accounts would use, and the "provider" endpoint (not patient)).

The request you've posted is OAuth 1, against /oauth/access, which doesn't work for the FHIR server/authorization server that the FHIR server points to.

Taking the documentation above, the metadata endpoint is: https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/metadata

The 301 response would be surprising. Do you have a correlation id for that redirect? Is the original request going to http or https? (it must be https)

~ Jenni

divya korangi

Oct 11, 2017, 2:45:22 PM
to cerner-fhir...@googlegroups.com
After following the tips you provided me I formed the POST request:

Accept:application/json
Content-Type:application/x-www-form-urlencoded
Content-Length:100
Connection:Keep-alive
grant_type:client_credentials&scope=system/Patient.read
Authorization:Basic [...]


I am getting the following error now -

"Unknown Application" was attempting to request access to healthcare data with FHIR Play Millennium; unfortunately, the application doesnt appear to be compatible. If you require further assistance, please contact support.

Information to provide to Technical Support

Correlation ID
a5345b1e-37a1-4223-a040-ad115f88489a

Information to provide to Unknown Application

The grant type requested is not one supported by this server.

Error Code
urn:cerner:error:authorization-server:oauth2:token:unsupported-grant-type
Cerner's developer portal may provide useful information to assist in resolving this issue.

divya korangi

Nov 14, 2017, 6:00:29 PM
to Cerner FHIR Developers
When I tried by replacing : with = for grant_type, this error doesn't occur but I get a different error.

Host:authorization.sandboxcerner.com
Accept:application/json
Content-Type:application/x-www-form-urlencoded
Content-Length:100
Connection:Keep-alive
grant_type=client_credentials&scope=system/Patient.read
Authorization:Basic [...]

Cerner-Correlation-ID: 2fa5b756-602c-4564-bc2f-90b45d5b1052

Can you please suggest?

Matt Randall (Cerner)

Nov 15, 2017, 10:41:42 AM
to Cerner FHIR Developers
This doesn't appear to be a valid HTTP Post, or a valid OAuth 2 / SMART on FHIR token request.  Our server is interpreting your request as if the POST payload is query parameters, and that the actual payload is empty.  What are you using to perform this HTTP POST?  You need to ensure that the format of the request is syntactically correct per the HTTP 1.1 and OAuth 2 specifications.

divya korangi

Nov 16, 2017, 12:28:30 PM
to Cerner FHIR Developers
I am using Fiddler to run these requests.

divya korangi

Nov 27, 2017, 3:36:16 PM
to Cerner FHIR Developers
Can you please reply back on this?
Please let me know if you need more information.

This picture above shows the request I am sending. It is failing. I am using Fiddler to send requests.

Cerner-Correlation-ID: fd9f0600-038b-414e-99f9-650bb2c60ab2


Accept: application/json
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Connection: Keep-alive
grant_type=client_credentials&scope=system/Patient.read: 
Authorization: Basic []

Can you please tell me if there are any errors in the request?

Jenni Syed (Cerner)

Nov 29, 2017, 10:28:12 AM
to Cerner FHIR Developers
It says invalid grant type. I've never used fiddler, but I thought the headers and body went in separate windows? The grant info needs to be in the body. The parameters in the body should also be properly escaped (that slash in the scope), and there should be no colon on the end of the scopes.

I can't see the end of your authorization header string clearly (which is a good thing), but generally base64 encoded strings end with two equals signs, which seems to not be at the end of that authorization string - did you base64 encode it?

~ Jenni

divya korangi

Dec 5, 2017, 11:22:01 AM
to Cerner FHIR Developers
Thank you it works for me now.

granada Coder

Jan 24, 2019, 1:08:51 PM
to Cerner FHIR Developers



For future readers: this post helped me.
So I want to make it clear for future readers.

These instructions are for "on behalf of a system" (from https://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system).

URL:

https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/token

Method:

POST

Query String Parameters:

NONE !!!! (<< this is what got me)

Headers:

Authorization
Basic Omxxxxxxxxxxxxxxxxxxxxxx

Accept
application/json

Content-Type
application/x-www-form-urlencoded

Note, the "Basic" value for the authorization is a base64 value of "myusername:mypassword" (no quotes). If you use Postman and select "Basic Auth", you'll get textboxes to enter "Username" and "Password", and Postman will do this transformation for you.
The actual value to use for the username is the "Account Details"/"Account_Id" value under your Cerner Central (this would be a URL that starts with https://sandboxcernercentral.com/system-accounts/ where you view YOUR information);
the password is the "Secrets"/"Secret" value.
In Postman, putting those values in for username and password will auto-create the header "Authorization" with a value something like "Omxxxxxxxxxxxxxxxxxxxxxx". If you are not using Postman, you'll have to figure out how to base64 the username/password combination. Here is a HINT URL (not tested, but given to show how it works: https://developer.ebay.com/api-docs/static/oauth-base64-credentials.html ) (I pasted some info below this as well)

Now the biggest trick: the BODY needs to have something like this: << This is what got me!!
grant_type=client_credentials&scope=system/Patient.read

These go in the BODY, not the query-string parameters.
BTW: the body contents work in conjunction with the "Content-Type", so both have to be set correctly.


All of that, and you should be able to get a token.
#syntaxSugar
#whereDoTheMagicValuesComeFrom

Here is an example response token.

{"access_token":"mytokenvalue","scope":"system\/Patient.read","token_type":"Bearer","expires_in":570}



=====

Generating your Base64-encoded credentials

The Authorization header value is a combination of your application's OAuth credentials, the client ID and client secret values. Combine the two values, separating them with a colon, and Base64 encode the combined values.

In other words, Base64 encode the following: <client_id>:<client_secret>

Use the resulting value in the Authorization header. Precede the Base64-encoded value with the word Basic and a space, as shown in the following example:

Basic <B64-encoded_oauth_credentials>
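The request shape that Jenni's diagnosis (grant in the body, escaped values, base64 Basic credentials) and this checklist describe, as an added Python example that is not code from the thread or from Cerner. It builds a client_credentials token POST with the grant form-encoded into the body and the Basic header derived from id:secret, serialises it as the raw HTTP text a tool like Fiddler sends, and lints raw request text for the mistakes seen in this thread (grant line among the headers, empty body, stray colon, unencoded slash, credentials not base64). The sandbox host, tenant id and token path are taken from the thread; the client id/secret and the malformed sample request are constructed placeholders.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# Host and token path as quoted in this thread (public sandbox tenant).
# The client id/secret used below are constructed placeholders.
TOKEN_HOST = "authorization.sandboxcerner.com"
TOKEN_PATH = ("/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca"
              "/protocols/oauth2/profiles/smart-v1/token")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """'Basic ' + base64(client_id:client_secret), as the thread describes."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id: str, client_secret: str,
                        scope: str = "system/Patient.read"):
    """Return (headers, body) for a client_credentials token POST.

    The grant parameters are form-encoded into the BODY (urlencode escapes the
    '/' in the scope as %2F); nothing goes in the query string or in headers.
    """
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    headers = {
        "Host": TOKEN_HOST,
        "Authorization": basic_auth_header(client_id, client_secret),
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body.encode("utf-8"))),
    }
    return headers, body


def to_raw_http(headers: dict, body: str, path: str = TOKEN_PATH) -> str:
    """Serialise headers + body as the HTTP/1.1 text a tool like Fiddler sends."""
    head = "\r\n".join([f"POST {path} HTTP/1.1"] +
                       [f"{k}: {v}" for k, v in headers.items()])
    return head + "\r\n\r\n" + body


def lint_raw_request(raw: str) -> list:
    """Check raw request text for the mistakes diagnosed in this thread.

    Returns a list of problem strings; an empty list means nothing was found.
    """
    problems = []
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        problems.append("no blank line separates headers from body")
        body = ""
    request_line, *header_lines = head.split("\r\n")
    if not request_line.startswith("POST "):
        problems.append("token endpoint requires POST")
    if "?" in request_line:
        problems.append("grant parameters must not be sent as query string")

    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        # A grant line that ended up among the headers (the Fiddler mistake).
        if "grant_type" in name or "scope" in name:
            problems.append(f"grant parameters in header line {line!r}; "
                            "they belong in the body")
            continue
        headers[name.strip().lower()] = value.strip()

    auth = headers.get("authorization", "")
    if not auth.startswith("Basic "):
        problems.append("Authorization must be 'Basic <base64>'")
    else:
        try:
            creds = base64.b64decode(auth[6:], validate=True).decode("utf-8")
            if ":" not in creds:
                problems.append("Basic credentials must decode to id:secret")
        except (binascii.Error, UnicodeDecodeError):
            problems.append("Authorization value is not base64 (did you encode it?)")

    ctype = headers.get("content-type", "").split(";")[0].strip()
    if ctype != "application/x-www-form-urlencoded":
        problems.append("Content-Type must be application/x-www-form-urlencoded")
    if headers.get("content-length") not in (None, str(len(body.encode("utf-8")))):
        problems.append("Content-Length does not match the body")

    if not body:
        problems.append("body is empty; grant_type and scope must be in it")
        return problems
    if body.rstrip().endswith(":"):
        problems.append("stray ':' at the end of the body")
    if "/" in body:
        problems.append("unescaped '/' in body; percent-encode form values")
    params = parse_qs(body)
    if params.get("grant_type") != ["client_credentials"]:
        problems.append("grant_type must be client_credentials")
    if "scope" not in params:
        problems.append("scope is missing")
    return problems


# Constructed sample shaped like the failing request in this thread: the grant
# line ended up among the headers, the body is empty, credentials not encoded.
BAD_REQUEST = (
    f"POST {TOKEN_PATH} HTTP/1.1\r\n"
    f"Host: {TOKEN_HOST}\r\n"
    "Accept: application/json\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 0\r\n"
    "grant_type=client_credentials&scope=system/Patient.read:\r\n"
    "Authorization: Basic clientid:secret\r\n"
    "\r\n"
)

if __name__ == "__main__":
    hdrs, body = build_token_request("id", "secret")
    print(lint_raw_request(to_raw_http(hdrs, body)))  # []
    for p in lint_raw_request(BAD_REQUEST):
        print("-", p)
```

The linter is deliberately run over the raw text rather than a parsed object, because the errors in this thread were all about where bytes landed in the wire format: a server that sees the grant in a header line and an empty body reports unsupported grant type, exactly as Matt described.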

Nicholas Ghobrial

Jul 3, 2019, 5:11:41 PM
to Cerner FHIR Developers
Thank you very much for this breakdown. It helped me immensely. I could not find anywhere that the authorization header was base-64 encoded and comprised of the Client Id : Client Secret.

granada Coder

Jul 9, 2019, 3:08:07 AM
to cerner-fhir...@googlegroups.com
you're welcome
