Struggling with eClinicalWorks sandbox for an "EHR Launch" app.

[Darren Kennedy]

Hi all,

I'm trying to get a demo working for my SMART on fhir app that runs fro EHR Launch (not standalone).
It works with the Epic fhir testing sandbox.

The eCW docs are not all that helpful.

I get a "launch" token from eCW's initial request to my / endpoint.

And other values from:

smart_config_url = "https://staging-fhir.ecwcloud.com/fhir/r4/FFBJCD/.well-known/smart-configuration" response = requests.get( smart_config_url, headers={"Accept": "application/fhir+json"} ).json() authorization_uri = response["authorization_endpoint"] token_uri = response["token_endpoint"] state = uuid.uuid4().hex

As this is an EHR Launch app I GET to (I removed the query string encoding to make this readable):

https://staging-oauthserver.ecwcloud.com/oauth/oauth2/authorize? response_type=code &client_id=<my registered test app id in eCW sandbox> &redirect_uri=http://localhost:4201/fhirapp/ &scope=system/Patient.read openid profile launch &state=state &code_challenge=<...> &code_challenge_method=S256 &launch=<launch token from initial eCW sandbox request to my "/" endpoint> &aud=https://staging-fhir.ecwcloud.com/fhir/r4/FFFBJCD

I keep getting a 403 from their sandbox.

The docs under "Provider Apps / EHR Launch" (they don't let you direct link to a doc page :/ ), has:

The app constructs a request for the authorization code by adding the following parameters to the query component of the EHR’s authorize endpoint URL:

·         response_type: The value of this parameter is fixed: code.

·         client_id: This parameter contains the client identifier value assigned by the eClinicalWorks while registering the app with eClinicalWorks Developer Portal.

·         redirect_uri: This parameter contains the app’s pre-registered redirect URIs during the app registration with eClinicalWorks Developer Portal.

·         launch: This parameter contains the value of launch token assigned by the eClinicalWorks in Step 1.

·         state: This parameter value is generated by the app vendor. The value of this parameter is an opaque value (mostly random generated string) which is used by the app to maintain the state between the request and callback.

·         scope:The app must include the space delimited list of scopes that the app wants to access. The scope list received as a part of the authorization request can be a sub-set of scopes registered during an app registration with eClinicalWorks Developer Portal. A complete list of scopes supported by eClinicalWorks can be found under “Scopes and Context” section. Scopes must be space delimited when included in the request.

·         aud: This parameter contains URL of the EHR resource server from which the app retrieves the eCW FHIR implementation data. The value of this parameter will be same as the iss parameter value defined in Step 1.

·         code_challenge: This parameter is generated by the app vendors and used for the code challenge, as specified by PKCE. For example, code_challenge_method is S256, hence the value of this parameter will be the S256 hashed version of the code_verifier parameter. For more information, refer to considerations-for-pkce-support and https://datatracker.ietf.org/doc/html/rfc7636#section-4.2.

·         code_challenge_method: The value of this parameter is fixed: S256. This is the method used for the above code_challenge parameter.

Note: Clients SHALL use either the HTTP GET or the HTTP POST method to send the Authorization Request to the Authorization Server. If using the HTTP GET method, the request parameters are serialized using URI Query String Serialization