DSTU2 Sandbox Updates


Nikolai Schwertner
Jul 27, 2015, 1:03:55 PM
to smart-...@googlegroups.com
If you are using the DSTU2 sandbox
(http://fhir-dstu2.smarthealthit.org), please be aware that we made a
couple updates in the stack that will necessitate updating your SMART on
FHIR clients. Mainly, we introduced the "aud" and "launch" parameters to
the authorization requests consistent with
http://fhir-docs.smarthealthit.org/argonaut-dev/authorization/ as well
as restructured the conformance statement in order to make it compatible
with FHIR DSTU2. If you are using our JS client for your apps, you can
simply download the latest JS client from
https://github.com/smart-on-fhir/client-js/tree/dstu2-wip/dist

-Nikolai

stephena...@gmail.com
Aug 26, 2015, 8:53:00 AM
to SMART on FHIR
Nikolai,

I am working on testing our application against the public sandbox and I am getting a 404.

Then, using my Client ID and Launch URL, I get a 404 after clicking Custom App.

If I then remove the http://fhir.smarthealthit.org/ piece of the URL it's trying to hit, the context is passed correctly and I can see the Patient ID.

Any ideas?

Thanks,

Steve

stephena...@gmail.com
Aug 26, 2015, 8:58:00 AM
to SMART on FHIR
I just realized I was going against the wrong URL :) I have a different issue now. Sorry for the confusion.

James Kieliszek
Aug 27, 2015, 12:23:35 PM
to SMART on FHIR
Nikolai,

Is there any documentation or example code on how to use the new JS client library? I've not been able to find any documentation, or examples that use the launch or launch/patient scopes. My app works when launched from gallery.smarthealthit.org, but I want to be able to start it from an outside link.

--James

Nikolai Schwertner
Aug 27, 2015, 2:28:40 PM
to smart-...@googlegroups.com
Hi James,

By "new JS client library" you mean the DSTU2 version of the client, correct (https://github.com/smart-on-fhir/client-js/tree/dstu2-wip)? We don't have official documentation for it yet. We are currently working on a new version of the client which will be based on the fhir.js client. However, the following Argonaut document may help shed some light on the changes to the authorization that we implemented for DSTU2:
http://fhir-docs.smarthealthit.org/argonaut-dev/authorization/

Also, you may want to take a look at the following sample apps based on the DSTU2 client:
https://github.com/smart-on-fhir/fhir-demo-app/tree/dstu2-wip
https://github.com/smart-on-fhir/cardiac-risk-app/tree/dstu2-wip
https://github.com/smart-on-fhir/bp-centiles-app/tree/dstu2-wip

Now, if you'd like to launch your app outside the context of the Gallery or FHIR Starter, all you need to do is make the authorization redirect without supplying the "launch" parameter. As long as you ask for the "launch/patient" scope, the authorization server will ask the user to select a patient and then provide you with an access code. I believe that our JS client supports this mode, but let me do a quick prototype and get back to you with a concrete example.


Best,
Nikolai

stephena...@gmail.com
Sep 2, 2015, 2:54:11 PM
to SMART on FHIR
Nikolai,

I am using this endpoint with a client secret kept on my server. I can get to the part of the handshake where I request an auth token in exchange for an auth code.

Currently my code is giving me a 401 and I am not sure why. The request seems to be formed like suggested.

If I check "Manage Active Tokens" though it looks like there is a token active from when I just ran the code.

I am a bit confused.

Thanks,

Steve

stephena...@gmail.com
Sep 2, 2015, 3:19:05 PM
to SMART on FHIR
This is what I am getting back:

{"error":"invalid_client","error_description":"Bad client credentials"}

Nikolai Schwertner
Sep 2, 2015, 3:38:03 PM
to smart-...@googlegroups.com
Hi Steve,

My guess is that there is something wrong with the encoding of the Authorization header in your HTTP request for token exchange. It is supposed to be a Basic auth header with your client id for username and your secret for password. Could you send a sample HTTP request header for the token exchange (change the secret to a fake secret for this example), as well as the authorization request URL before that?

Best,
Nikolai

stephena...@gmail.com
Sep 2, 2015, 3:54:52 PM
to SMART on FHIR
Hi Nikolai,

For the Basic auth header I do Base64 encoding of "clientid:clientsecret". Is there more that is needed?

Here is the HTTP request for the token exchange:

Authorization: Basic ************************************************************************************
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Expect: 100-continue

grant_type=authorization_code&code=******&redirect_uri=https%3A%2F%2Finsight.ascendhit.com%2FHome%2FIndex&client_id=****************************************

Thanks,

Steve

stephena...@gmail.com
Sep 2, 2015, 3:57:29 PM
to SMART on FHIR
I removed the client_id from the token request and it worked.

Is there a reason for that?

In the JavaScript example the client_id was passed.

Steve

stephena...@gmail.com
Sep 2, 2015, 4:00:01 PM
to SMART on FHIR
Just to be sure, this is what I got back with a 200:

{
"access_token":"*****",
"token_type":"Bearer",
"expires_in":3599,
"scope":"launch openid user/*.* patient/*.read profile",
"patient":"hca-pat-67",
"need_patient_banner":true,
"id_token":"*****"
}

Does that look correct?

Nikolai Schwertner
Sep 2, 2015, 4:22:46 PM
to smart-...@googlegroups.com
The response looks perfectly valid. I think the problem is that you are including the "client_id" as a parameter in the post body, which is incorrect. Base64 encoding the clientid:secret into the Authorization header is correct. The following worked for me:

POST /token HTTP/1.1
Host: authorize.smarthealthit.org
Authorization: Basic NGEwYjRlNDMtZDFhYS00ZDQ2LWI2MWYtYzJiYWI3OGYzOWJiOlRPTjEyaElWVkFraVZFN1Y4Uk5vd0F6NlJxd2E5S1pVS3cwck5pWWJ4UVdacGtvcHZSV2U3Yk1HV0pMUk44TXllRHIwbmFIRHYzVnFNeDZ4UHpIVDB3
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=RRRdOC&redirect_uri=http%3A%2F%2Flocalhost%2Ftest
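As an added example (not code from the thread, the SMART JS client, or the sandbox), the following Python builds both the standalone authorization request Nikolai describes earlier (no "launch" parameter, "launch/patient" scope, "aud" set to the FHIR base) and the token exchange above, and lints the token request for the exact mistake Steve hit: a confidential client must send its credentials in exactly one place, and RFC 6749 section 2.3.1 forbids combining a Basic Authorization header with client_id in the body. Endpoint URLs, client id, secret and code are constructed placeholders.

```python
import base64
from urllib.parse import urlencode, parse_qs


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Confidential-client authentication for the token endpoint:
    'Basic ' + base64(client_id ':' client_secret), as used in the thread."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def standalone_authorize_url(authorize_endpoint, client_id, redirect_uri, fhir_base, state):
    """Authorization request for a launch from an outside link: omit 'launch'
    and request 'launch/patient' so the server prompts the user for a patient.
    'aud' names the FHIR server the token is meant for (DSTU2 sandbox change)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "launch/patient patient/*.read openid profile",
        "state": state,               # anti-CSRF value the app must verify on return
        "aud": fhir_base,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def token_request(client_id, client_secret, code, redirect_uri):
    """(headers, body) for the authorization_code exchange.
    The client id appears only in the Basic header, never in the body."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "authorization_code",
                      "code": code, "redirect_uri": redirect_uri})
    return headers, body


def check_token_request(headers, body):
    """Return a list of problems; [] means the request is well-formed."""
    fields = parse_qs(body)
    problems = []
    if "Authorization" in headers and "client_id" in fields:
        problems.append("client_id in body duplicates Basic auth header")
    if "Authorization" not in headers and "client_id" not in fields:
        problems.append("no client authentication present")
    for required in ("grant_type", "code", "redirect_uri"):
        if required not in fields:
            problems.append(f"missing {required}")
    return problems
```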
