OAuth2 token Help needed


Post by newpie » Thu Jan 12, 2017 6:30 pm

Hello, I am having trouble connecting to a testbed sandbox successfully, retrieving a token and then querying, for a standalone app only, not a web app. Below is what I have tried so far, but I get a URI redirect error.

```
constant kAuthURL = "https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/personas/provider/authorize"
constant kTokenURL = "https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/token"
constant kClientID = "1d843340-66fe-4691-b179-2ac46704356d "
constant kClientSecret = ""
constant kScopes = "patient/Observation.read patient/Patient.read openid profile launch/patient"
constant kPort = 443

local sAuth

command PostToSlack pMessage
   if sAuth["access_token"] is empty then
      OAuth2 kAuthURL, kTokenURL, kClientID, kClientSecret, kScopes, kPort
      if the result is not empty then
         return "Not authorized!" for error
      else
         put it into sAuth
      end if
   end if
end PostToSlack
```

Let me know if you wish me to PM you.

Thanks


Post by monte » Fri Jan 13, 2017 5:43 am

Hi @newpie

Many APIs require you to set a redirect URI server side and failing to do so or setting it incorrectly will result in the redirect uri mismatch error. In this case you need to set it to: http://127.0.0.1:443/. There should be some method available to do so in the api console where you got your client id and secret from.

However, you might not want to use port 443 as it's such a commonly used port. The recommended range in the docs is 49152 to 65535.

Cheers

Monte
LiveCode User Group on Facebook : http://FaceBook.com/groups/LiveCodeUsers/


Post by newpie » Fri Jan 13, 2017 6:04 am

Hi monte, thanks for replying. I actually have two URIs they require and am a little confused about what to put where. I attached an image to the post. Do I put "http://127.0.0.1:443/" in both areas to make this work, the smart launch URI and the redirect URI?
Also just FYI, there is no place to put a Client Secret code with them, as you can see below. I asked them and they said they don't require it.

I tried putting http://127.0.0.1:62121/ in both slots instead and now it returns "Not authorized".


Here is some more information about the API and data I am trying to use:
1. http://docs.smarthealthit.org/authorization/
2. http://engineering.cerner.com/smart-on- ... gistration (Tutorial, but for web app not standalone)
3. http://fhir.cerner.com/dstu2/ (technical overview)
4. http://docs.smarthealthit.org/ (FHIR and other references)

Where to register:
https://code.cerner.com/developer/smart ... r/register
Thanks again


Post by newpie » Fri Jan 13, 2017 3:22 pm

Hello, I found out this bit of information that might help get this working:

"After you redirect to the Cerner authorization page you should see a login form where you enter user name and password, and after that you should be redirected back to your redirect URL http://127.0.0.1:62121"

Seems it should open up a browser where I can log in.


Post by monte » Sun Jan 15, 2017 11:24 pm

I don't think the smart launch URI is anything to do with OAuth.

I presume when you are testing this you are setting the client secret in your script.

Try changing it to `return "OAuth error:" & the result for error` so you can see what error is being returned by the server.

Post by newpie » Mon Jan 16, 2017 8:50 pm

Hello monte, I tried doing the error piece and it didn't return. I also checked again and they stated there is no clientSecret. I am not sure whether the reason is that it is a sandbox domain.


I posted the code below if you need it.

```
constant kAuthURL = "https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/personas/provider/authorize"
constant kTokenURL = "https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/token"
constant kClientID = "e4193b40-e317-47c2-b385-e5017c6b5f0a"
constant kClientSecret = ""
constant kScopes = "openid profile user/*.read"
constant kPort = 62121

local sAuth

command PostToFHIR pMessage
   if sAuth["access_token"] is empty then
      OAuth2 kAuthURL, kTokenURL, kClientID, kClientSecret, kScopes, kPort
      if the result is not empty then
         return "OAuth error:" & the result for error
         --answer "Not authorized!"
      else
         put it into sAuth
         answer it
      end if
   end if
end PostToFHIR
```


Post by monte » Wed Jan 18, 2017 5:59 am

Looking at the docs here http://docs.smarthealthit.org/authorization/ I see that you need an additional `aud` parameter:

URL of the EHR resource server from which the app wishes to retrieve FHIR data. This parameter prevents leaking a genuine bearer token to a counterfeit resource server. (Note: in the case of an EHR launch flow, this aud value is the same as the launch's iss value.)

I also found a bug in the OAuth2 library encoding spaces incorrectly which I'll fix right now.

Post by monte » Wed Jan 18, 2017 6:04 am

Here's the patch to the OAuth2 library. https://github.com/livecode/livecode/pull/5082

Post by Mikey » Wed Jan 18, 2017 2:53 pm

What oauth2 library? Did I miss some new feature? Server, client, both?


Post by newpie » Wed Jan 18, 2017 8:58 pm

@Mikey - Hello, I saw the library in the 9.0 dp4 version.

@Monte - This is great news! I appreciate your help. I wish to test it, do I copy and replace a "oauth2.livecodescript" file located in the livecode folders? Or will this be uploaded to a new dp version soon?

Thanks


Post by monte » Fri Jan 20, 2017 2:44 am

@newpie you could copy the whole file or just edit your version to comment out those lines

Post by newpie » Fri Jan 20, 2017 4:57 pm

monte wrote:
> Looking at the docs here http://docs.smarthealthit.org/authorization/ I see that you need an additional `aud` parameter:
>
> URL of the EHR resource server from which the app wishes to retrieve FHIR data. This parameter prevents leaking a genuine bearer token to a counterfeit resource server. (Note: in the case of an EHR launch flow, this aud value is the same as the launch's iss value.)

Hey Monte, if I can find out the additional `aud` parameter, where would I put it in the code I posted above? Can I use this library with them, I guess, is the main question. From what I gather I need to log in with portal/portal (in sandbox mode) before obtaining access. I did test the library again after editing, but still get no error and a pop-up box that disappears quickly and says Authenticate in the header.

Thanks for your assistance and time.

monte
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 1564
Joined: Fri Jan 13, 2012 1:47 am
Contact:

Re: OAuth2 token Help needed

Post by monte » Tue Jan 24, 2017 4:17 am

Hi @newpie

It should be something like:

```
local tParamA
put "whatever the aud url is" into tParamA["aud"]
OAuth2 kAuthURL, kTokenURL, kClientID, kClientSecret, kScopes, kPort, tParamA
```

Post by newpie » Wed Jan 25, 2017 6:46 pm

monte wrote:
> Hi @newpie
>
> It should be something like:
>
> ```
> local tParamA
> put "whatever the aud url is" into tParamA["aud"]
> OAuth2 kAuthURL, kTokenURL, kClientID, kClientSecret, kScopes, kPort, tParamA
> ```

Hello monte, I did try that with the supplied aud URLs, but no luck. I asked FHIR and they gave me the reply below. When I perform the OAuth2 library coding it always pops up a box for a short second with the title bar heading "Authenticate". Basically the user logs in. The login is portal/portal for sandbox FHIR. Any ideas to get this working? Thank you for any help.

> We have our sandbox URLs (and some links into the definition of the service root URL as FHIR defines it in the spec) published here: http://fhir.cerner.com/dstu2/#service-root-url. This hasn't been updated to include the patient "beta" FHIR URLs yet, but will be soon.
>
> Provider facing (secure): https://fhir-ehr.sandboxcerner.com/dstu ... 9cbc6b1ca/
> Patient facing (secure): https://fhir-myrecord.sandboxcerner.com ... 9cbc6b1ca/
> Open: https://fhir-open.sandboxcerner.com/dst ... 9cbc6b1ca/
>
> The sign in happens on redirect to the authorization URL (Authorize App), along with the user possibly granting the application access to their record. This is an opaque part of the process, and will happen in the user's browser without extra interaction with the application itself.


Post by monte » Thu Jan 26, 2017 12:52 am

Aha! So it looks like there's an extra step involved here http://docs.smarthealthit.org/authorization/

See the section labeled SMART “launch sequence”

I presume you need the Standalone launch sequence

So you must request the metadata in order to get the OAuth endpoints (perhaps there's a reason not to hard code them?)

You also appear to need to add a launch context to your scopes. Probably `launch/profile` is what you need I think...
LiveCode User Group on Facebook : http://FaceBook.com/groups/LiveCodeUsers/
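
The two steps raised in this thread for a standalone launch (reading the server metadata to find the OAuth endpoints, then sending `aud` with the authorization request) are shown here as an added example; it is not part of any post above and not code from the LiveCode OAuth2 library. It is written in Python so it runs as-is and assumes the server publishes its endpoints in the SMART `oauth-uris` conformance extension; the metadata sample, the example.org hosts and the client id are constructed placeholders.

```python
import json
import secrets
from urllib.parse import urlencode, quote, urlsplit

# Extension URL used by SMART (DSTU2) to advertise OAuth endpoints in /metadata.
OAUTH_URIS = "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"

# Constructed sample of a conformance statement; hosts are placeholders.
SAMPLE_METADATA = json.dumps({
    "resourceType": "Conformance",
    "rest": [{"mode": "server", "security": {"extension": [{
        "url": OAUTH_URIS,
        "extension": [
            {"url": "authorize", "valueUri": "https://auth.example.org/authorize"},
            {"url": "token", "valueUri": "https://auth.example.org/token"},
        ]}]}}],
})

def discover_endpoints(metadata_json):
    """Return {'authorize': ..., 'token': ...} read from the conformance statement."""
    found = {}
    for rest in json.loads(metadata_json).get("rest", []):
        for ext in rest.get("security", {}).get("extension", []):
            if ext.get("url") != OAUTH_URIS:
                continue
            for sub in ext.get("extension", []):
                if "valueUri" in sub:
                    found[sub["url"]] = sub["valueUri"]
    missing = {"authorize", "token"} - set(found)
    if missing:
        raise ValueError("metadata lacks OAuth endpoints: %s" % sorted(missing))
    for name in ("authorize", "token"):
        if urlsplit(found[name]).scheme != "https":
            raise ValueError("%s endpoint is not https" % name)
    return found

def build_authorize_url(endpoints, client_id, redirect_uri, scopes, aud):
    """Build the authorization request for a standalone launch; returns (url, state)."""
    state = secrets.token_urlsafe(16)  # compared again when the redirect comes back
    params = {
        "response_type": "code",
        "client_id": client_id.strip(),  # a trailing space would be sent as part of the id
        "redirect_uri": redirect_uri,    # has to match the registered URI exactly
        "scope": " ".join(scopes),
        "state": state,
        "aud": aud,                      # FHIR base URL the token is intended for
    }
    # quote_via=quote writes the spaces between scopes as %20 rather than '+'.
    return endpoints["authorize"] + "?" + urlencode(params, quote_via=quote), state
```

The loopback redirect (for example `http://127.0.0.1:62121/`, the value used in the thread) is passed as `redirect_uri` and must be the same string that was registered with the authorization server.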
