Epic's Smart on FHIR sandbox

[Isaac Vetter]

Getting started with SMART on FHIR? Check out the Epic FHIR and OAuth tutorials.

 

It’s easy to test your SMART on FHIR app with Epic. From the Epic sandbox, at open.epic.com/launchpad, you can test the entire SMART on FHIR EHR launch flow:

• select a patient and launch your app, (using a generic client_id) from https://open.epic.com/launchpad/OAuth2Sso
  
• authorize your launch token and retrieve an access token from Epic’s OAuth2 server (urls in the FHIR Conformance resource)
  
• And finally, interact with Epic’s secured FHIR resources using your newly issued access token 

In addition to these secured FHIR resources, the sandbox also includes unsecured FHIR resources to help you get started. The sandbox currently includes read and search of these resources: Patient+Practitioner, AllergyIntolerance, Medication+MedicationOrder, Condition, Observation, FamilyMemberHistory, DiagnosticReport, Immunization, CarePlan+Goal, Procedure, Device, DocumentReference+Binary, Schedule, Slot and Appointment. We’re looking forward to seeing the cool stuff you can do with these resources.

 

If you’d like to get a dedicated OAuth2 client_id for testing in the sandbox, reach out to op...@epic.com.

 

We’d love to hear your feedback about our FHIR resources, our OAuth2 support, our sandbox. Epic is participating in the Argonaut Project and we’re actively looking for real-world testing. What’s missing from the sandbox? How can we make it easier to use? What resources do you need to finish your killer app?

 

Isaac Vetter

Epic

[Michele Mottini]

Thanks!

I tried to launch one of our app using the Oauth2Sso page but it asks me user name and password:

...what should I use for those? (I already logged in to start the sequence using my Google credential)

  Thanks

  - Michele Mottini

  CareEvolution Inc

[Isaac Vetter]

Hi Michele,

Thanks for trying it out! 

I think that you're being asked for a username / password because your app didn't successfully exchange the launch token for an authorization code (and instead your browser was directed to log in). Using the EHR Launch flow (single-sign-on should be included) because the user is already authenticated with the EHR and therefore shouldn't need to re-authenticate.

Could you check this step in your application and let me know if you continue to experience problems?

Isaac  

--
You received this message because you are subscribed to a topic in the Google Groups "SMART on FHIR" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/smart-on-fhir/sBcd2lkHnbc/unsubscribe.
To unsubscribe from this group and all its topics, send an email to smart-on-fhi...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Michele Mottini]

The app is this one, that does not use the launch context, so it is not passing it along in the login sequence - and I guess that is what causes the problem....

  - Michele

[Pascal Pfiffner]

I'm getting a 404 when redirecting to the authorize endpoint at https://open-ic.epic.com/oauth2/authorize (which seems to be correct when looking at the Conformance statement). Is this the right endpoint?

Thanks

Pascal

[Isaac Vetter]

Hi Pascal,

Right now, the Epic sandbox contains two FHIR servers at different base urls. One is completely unprotected, the other requires OAuth tokens. 

Here's the OAuth/protected FHIR server: https://open-ic.epic.com/Argonaut/api/FHIR/Argonaut, 

Its Conformance statement is here: https://open-ic.epic.com/Argonaut/api/FHIR/Argonaut/metadata 

And its authorize endpoint: https://open-ic.epic.com/FHIR/oauth2/authorize

Is this what you needed?

Isaac

--

[Isaac Vetter]

[edited to correct password to uppercase]

Hi Michele,

No worries. We have a generic username/password of ARGONAUT/ARGONAUT to use for testing in just this scenario. A username of argonaut and a password of ARGONAUT should allow you to test workflows that originate in the app instead of the EHR.

Isaac

[Pascal Pfiffner]

Thanks Isaac. Yes, this was the endpoint I was trying to use. But I got a different authorize endpoint and I think I found out why: it's the _summary flag. Retrieving the Conformance statement plainly, I get this security portion:

"security": {

  "cors": true,

  "extension": [{

    "extension": [{

      "url": "authorize",

      "valueUri": "https://open-ic.epic.com/FHIR/oauth2/authorize"

    },

    {

      "url": "token",

      "valueUri": "https://open-ic.epic.com/FHIR/oauth2/token"

    }],

    "url": "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"

  }]

}

However, when I fetch the Conformance statement with ?_summary=true, I get this security portion with different authorize and token endpoints:

"security": {

  "cors": true,

  "extension": [{

    "extension": [{

      "url": "authorize",

      "valueUri": "https://open-ic.epic.com/oauth2/authorize"

    },

    {

      "url": "token",

      "valueUri": "https://open-ic.epic.com/oauth2/token"

    }],

    "url": "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"

  }]

}

This means my mobile client, which wants the summary, will use the wrong authorize URL and get a 404. Hope this can be fixed! :)

Best

Pascal

[Isaac Vetter]

To update the list -- Pascal and I got this resolved. 

The Epic OAuth2 sandbox Conformance statement at:

https://open-ic.epic.com/Argonaut/api/FHIR/Argonaut/metadata 

is now consistently returning the correct authorize and token endpoints.

Thank you, Pascal!

Isaac Vetter

Epic

[Yunwei Wang]

Hello Isaac:

I tried using .NET FHIR Client to connect to open epic server to pull metadata. But I got two errors:

First, if I choose the XML as content format, the parser failed because the extension is not in correct format.

The xml pulled from open epic has extension like this:

<extension><url value="authorize"/><valueUri value="https://open-ic.epic.com/Argonaut/oauth2/authorize"/></extension>

But .NET FHIR client expected extension like this:

<extension url="authorize"><valueUri value="https://open-ic.epic.com/Argonaut/oauth2/authorize"/></extension>

Second, if I choose JSON, the extension is parsed (strange) but failed on search parameters:

<searchParam><name value="practitioner"/><type value="1"/></searchParam>

type value="1" is not valid for searchParam.

Yunwei

[Yunwei Wang]

Hello Issac:

Another issue. When I used js client, I can get patient data but when I tried to get condition for the selected patient, I got error 400.

Yunwei

[Isaac Vetter]

Hi Yunwei,

I'm addressing each of the two issues that you're encountering.

1) "patient data but when I tried to get condition for the selected patient, I got error 400"

It can often be helpful to check out our specific FHIR resource documentation when trying out a new resource. In this case, the Condition resource has a bit of documentation here: https://open.epic.com/Clinical/FHIR?whereTo=condition#

Our Condition resource has a few required search parameters. I'm hypothesizing that you're doing a search like this:

       /Condition?patient=Tbt3KuCY0B5PSrJvCu2j-PlK.aiHsu2xUjUM8bWpetXoB

and getting back a 400. Whereas, if you add an additional search parameter of "category=diagnosis", it should work:

       /Condition?patient=Tbt3KuCY0B5PSrJvCu2j-PlK.aiHsu2xUjUM8bWpetXoB&category=diagnosis

Similarly, currently, none our the Epic resources will return all instances of that resource; said another way; and id or some search parameters are always required.

2) using .NET FHIR Client to connect to open epic server to pull metadata 

Thank you for reporting this. We're in the process of upgrading our sandbox to support some additional FHIR resources, which should have been transparent to you. If you try again using json, this should work. We should have the xml issue fixed soon.

Isaac Vetter

[Yunwei Wang]

Hello Isaac:

Thank you for the help. Now I can move forward to the next parsing error. :)

        {
            "type": "Compartment",
            "interaction": [{
                "code": "patient"
            }],
            "searchParam": []
        },

Resource type Compartment is not a standard FHIR resource. Is it an extension?

Yunwei

[Yunwei Wang]

Hello Isaac:

Another issue I got is that the metadata points authorize URL to https://open-ic.epic.com/Argonaut/oauth2/authorize

<extension><url value="authorize"/><valueUri value="https://open-ic.epic.com/Argonaut/oauth2/authorize"/></extension>

But when I sent authorize request to that URL, I got error 302. Can you fix the authorize URL in metadata?

Yunwei

[Isaac Vetter]

Hi Yunwei,

In terms of the 302 returned by the authorize endpoint - I'm surmising that the issue you're encountering that that we're not yet supporting sending the launch token as it's own, named parameter outside of a scope parameter when requesting the authorization code. 

This should work:

https://open-ic.epic.com:443/argonaut/oauth2/authorize?response_type=code&client_id=6C12DFF424E74475A742B08972C4EA27&redirect_uri=https%3a%2f%2fexample.com%2fapp.aspx&scope=*+launch%3aTuizy3OaJbt2qX...

and this doesn't yet work in our sandbox - 

https://open-ic.epic.com:443/argonaut/oauth2/authorize?response_type=code&client_id=6C12DFF424E74475A742B08972C4EA27&redirect_uri=https%3a%2f%2fexample.com%2fapp.aspx&launch=Tuizy3OaJbt2qX...

I believe that the development to our OAuth2 server to support the launch token as it's own parameter, is just finalizing testing and should be pushed into the sandbox soon. I'll look into this.

Does that help?

For the compartment resource, FHIR does include an early, immature concept of Compartment. We also use this sandbox as a testing ground for prototyping and early testing - a key reason why feedback from app developers like you is so valuable. On what FHIR resource are you seeing this?

Isaac

[Yunwei Wang]

Hello Isaac:

Yeah. My JS public client works now after I add launch token to scope.

It seems you don't support standalone app yet. Am I right? When I send the scope "patient/*.read launch/patient", I get the same 302 error.

I am still struggling through .NET confidential client. The main problem is the .NET client parser (from furore) need to validate the whole resource. Any schema failure causes exceptions. That's the problem for the Compartment element in metadata. I am working on retrieving raw json stream from client before let it parse to Conformance resource.

Yunwei

[Isaac Vetter]

Hi,

If you're interested in testing your SMART on FHIR app with Epic, you can now get a dedicated, non-prod, sandbox client id. If you've been using the generic client id documented on the sandbox, note that it's recently changed (so you'll likely need to put the new id into your app).

Isaac Vetter

Epic

[Ameer Zaffar Sulaiman]

Does the Epic sandbox environment provide or support a client_secret as part of its OAuth flow? 

[Isaac Vetter]

Hi Ameer,

Yes, but we don't have a way for you to create a client record yourself with a client_id. 

Could you go ahead and create a client record at: https://open.epic.com/MyApps and then reply to the cc line privately with the name you registered?  I can create a client_secret for you.

Isaac Vetter

Epic

 

On Wed, Jun 15, 2016 at 6:37 PM Ameer Zaffar Sulaiman <ameerzaff...@gmail.com> wrote:

Does the Epic sandbox environment provide or support a client_secret as part of its OAuth flow? 

--

[Alexandr Iozhitsa]

Hi, Isaac! I'm trying to get access to your OAuth2 server. I have registered new app for Epic, but each time I trying to get code from authorization endpoint the error is returned: "OAuth2 Error: INVALID_CLIENT".

I'm going step by stem as in this tutorial https://open.epic.com/launchpad/OAuth2Sso.

The other issue, how can I get constant launch for my client_id? 

Thanks!

понедельник, 4 апреля 2016 г., 20:18:24 UTC+3 пользователь Isaac Vetter написал:

[Juan Lorenzo Hinojosa]

I'm getting this same error? were you able to fix it ?

[Nilesh Patkar]

Hi Isaac,

Do you have any idea when open epic will support Encounter resource ? We are eagerly waiting for it to build our Patient engagement mobile app.

Thanks and regards,

Nilesh Patkar

On Monday, April 4, 2016 at 1:18:24 PM UTC-4, Isaac Vetter wrote:

[Isaac Vetter]

Hi Nilesh,

I appreciate your urgency for Epic's support of this important FHIR resource.

Rather than commenting on our timeline on this google group, I'm going to defer to one of the two emails that you sent to the op...@epic.com email address yesterday.

Isaac Vetter

Epic

--

[he...@swellbox.com]

Hi Isaac,

I know this thread is several months old now but wanted to know if there was any update regarding the timeline on when developers can anticipate the FHIR Encounters resource.

Also, it's not clear to me how to obtain an extended duration refresh token for offline access- is this supported yet?  It looks like the access tokens currently expire 1 hour after being issued.

Thanks for the help!

-Jeff

[Swellbox Support]

Hi Richard,

Thanks for following up.  I’ll look into App Orchard.

Also, I’m having an issue while testing with an open.epic live endpoint (Weill Cornell)-

I’m able to successfully get an OAuth token after approving my app (and it shows up in the “Linked Apps & Devices”) but when trying to access most production FHIR resources (MedicationStatement, DocumentReference,  DiagnosticReport + Procedure) it says "Provided token is invalid" although other resources (Immunizations) work fine (no "invalid token" error)- though my account has no immunizations.  

All the same requests work without errors on the open.epic sandbox with my test client_id and test endpoint.  Is this related to not being registered with App Orchard, or something else?

Appreciate your help

-Jeff

On Aug 8, 2017, at 10:27 AM, open.epic - Inquiries <op...@epic.com> wrote:

Hi Jeff,

 

The FHIR Encounter resource is included in development plans for Epic version 2018 (which is scheduled for Q1 2018).

 

We don’t have current plans to include Encounter in the FHIR resources that are available through open.epic. However, you can sign up for the App Orchard program which would give you access to all Epic APIs & FHIR Resources. That program will also allow you to obtain a refresh token.

 

App Orchard: https://apporchard.epic.com/

 

Thanks

Richard Thomas

Epic|Integration Engineer

Open.Epic

 

From: he...@swellbox.com [mailto:he...@swellbox.com] 
Sent: Thursday, July 27, 2017 4:51 PM
To: SMART on FHIR <smart-...@googlegroups.com>
Cc: nilesh...@thoughti.com; open.epic - Inquiries <op...@epic.com>
Subject: Re: Epic's Smart on FHIR sandbox

 

Hi Isaac,

 

I know this thread is several months old now but wanted to know if there was any update regarding the timeline on when developers can anticipate the FHIR Encounters resource.

 

Also, it's not clear to me how to obtain an extended duration refresh token for offline access- is this supported yet?  It looks like the access tokens currently expire 1 hour after being issued.

 

Thanks for the help!

-Jeff

On Sunday, January 29, 2017 at 1:48:38 PM UTC-5, Isaac Vetter wrote:

Hi Nilesh,

 

I appreciate your urgency for Epic's support of this important FHIR resource.

 

Rather than commenting on our timeline on this google group, I'm going to defer to one of the two emails that you sent to the op...@epic.com email address yesterday.

 

Isaac Vetter

Epic

 

On Sun, Jan 29, 2017 at 12:42 PM Nilesh Patkar <nilesh...@thoughti.com> wrote:

Hi Isaac,

Do you have any idea when open epic will support Encounter resource ? We are eagerly waiting for it to build our Patient engagement mobile app.

 

Thanks and regards,

Nilesh Patkar

On Monday, April 4, 2016 at 1:18:24 PM UTC-4, Isaac Vetter wrote:

Getting started with SMART on FHIR? Check out the Epic FHIR and OAuth tutorials.

 

It’s easy to test your SMART on FHIR app with Epic. From the Epic sandbox, atopen.epic.com/launchpad, you can test the entire SMART on FHIR EHR launch flow:

• select a patient and launch your app, (using a generic client_id) from https://open.epic.com/launchpad/OAuth2Sso
• authorize your launch token and retrieve an access token from Epic’s OAuth2 server (urls in the FHIR Conformance resource)
• And finally, interact with Epic’s secured FHIR resources using your newly issued access token 

In addition to these secured FHIR resources, the sandbox also includes unsecured FHIR resources to help you get started. The sandbox currently includes read and search of these resources: Patient+Practitioner, AllergyIntolerance, Medication+MedicationOrder, Condition,Observation, FamilyMemberHistory, DiagnosticReport, Immunization, CarePlan+Goal,Procedure, Device, DocumentReference+Binary, Schedule, Slot and Appointment. We’re looking forward to seeing the cool stuff you can do with these resources.

 

[Mark Kaiser]

Hi Jeff,

Did you get a response on your last two questions about the Encounter service and whether the FHIR resources are only available for members of the App Orchard?

Thanks,

Mark

[Vassil Filipov]

Hello,

I'm currently experiencing an issue with LaunchPad ( https://open.epic.com/Launchpad/OAuth2Sso ) Whenever I try to launch an application I receive an invalid_client error:

 (

OAuth2 Error: 

INVALID_CLIENT

The application trying to authorize is not recognized, provided invalid identifying information, or we were unable to verify its identity at this time.).

I am using applications that have been working without an issue until recently.

Any help would be highly appreciated!

- Vaso

[Modest Syla]

Vassil,

Any update from your experience?  I'm seeing a similar issue when testing an app on apporchard.  oauth2 flow works fine when selecting to go against "preview", but doesn't work against "Epic 2017" with the same result as you stated.  Going through open epic works fine.

Thanks in advance!

[Vassil Filipov]

Hi Modest Syla,

With a little help from the kind Epic folks at op...@epic.com I was able to launch my application, by using the LaunchPad interface. What I needed was to register an Application in the MyApps section of the sandbox and use that NONPROD CLIENT ID, then it started to work. Mind you I am using the open epic environment.

I hope this is helpful.

- Vaso

[sriniva...@gmail.com]

Hi Isaac,

I am trying to call Patient+Practitioner API call (https) using the interface engine and am unable to call.

is there any dummy certificate/authorization mechanism available to call the unsecured resources?

Regards,

Srini.

On Monday, April 4, 2016 at 1:18:24 PM UTC-4, Isaac Vetter wrote:

Getting started with SMART on FHIR? Check out the Epic FHIR and OAuth tutorials.

 

It’s easy to test your SMART on FHIR app with Epic. From the Epic sandbox, at open.epic.com/launchpad, you can test the entire SMART on FHIR EHR launch flow:

• select a patient and launch your app, (using a generic client_id) from https://open.epic.com/launchpad/OAuth2Sso
  
• authorize your launch token and retrieve an access token from Epic’s OAuth2 server (urls in the FHIR Conformance resource)
  
• And finally, interact with Epic’s secured FHIR resources using your newly issued access token 

In addition to these secured FHIR resources, the sandbox also includes unsecured FHIR resources to help you get started. The sandbox currently includes read and search of these resources: Patient+Practitioner, AllergyIntolerance, Medication+MedicationOrder, Condition, Observation, FamilyMemberHistory, DiagnosticReport, Immunization, CarePlan+Goal, Procedure, Device, DocumentReference+Binary, Schedule, Slot and Appointment. We’re looking forward to seeing the cool stuff you can do with these resources.

[Michael Krupnick]

I believe you can create your own "App" within open epic which comes with its own Client ID and redirect URL by going here: https://open.epic.com/MyApps# and clicking "Create a new App".

Thanks,

-Michael Krupnick

www.AppScript.net

--
You received this message because you are subscribed to the Google Groups "SMART on FHIR" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smart-on-fhi...@googlegroups.com.

[Sugandha Bansal]

Hi ,

is there any way to automate authorization code using java code. I want Mychart screen to be skip and it should automatically create code/token.

Sugandha

[krishan singh]

Hi Epic Team,

We are already registered with the open Epic, I have looked the other things like oauth and smart on fhir.

My urgent question is on the high level design like we already using our UI frontend app which is showing 

the Patient related information along with Allergies, medication, Problems, vitals etc..

As we be enhancing our our app to work with open epic standard but the table structure there in open epic is different from our

like the Patient table, Vital table, Facility table, Provider table etc so the table column name would be different om open epic 

so i need the table structure and the high level design which include the open epic basic table cover the  Institution ( hospital), Facility(Clinics),

Providers,Patients,Patientdemigraphics,vitals,Problems,Medication etc.

Please Support to response as soon as possible..

Thanks

Krishan

(OMS) 

 

[Christos Papidas]

Hi Epic Team,

we integrated with your sandbox recently, but we received 4101 error Resource request returns no results. 

We are using DSTU2 for our resources.

We are getting get token from your sandbox environment successfully, but when we are trying to retrieve the data for the following two users:

user: fhirjason password: epicepic1
user: fhirdaisy password: epicepic1

tried with iss=https://open-ic.epic.com/Argonaut/api/FHIR/Argonaut

and iss=https://fhir.epic.com/interconnect-fhir-oauth/api/FHIR/DSTU2 

received the same error

[Denis Mulder]

Same error here, there seem to be no data for Jason Argonaut anymore? Oauth for Jason Argonaut works fine, but no data.

[Michele Mottini]

This appears to be Epic-specific - this group is for general SMART-related stuff. Try op...@epic.com

  - Michele

  CareEvolution 

--

You received this message because you are subscribed to the Google Groups "SMART on FHIR" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smart-on-fhi...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/smart-on-fhir/96ed607e-16c0-44e2-9456-177fcfc74ba9n%40googlegroups.com.