OAuth2 token Help needed
Posted: Thu Jan 12, 2017 6:30 pm
by newpie
Hello, I am having trouble connecting to a testbed sandbox successfully, retrieving a token and then querying, for a standalone app only, not a web app. Below is what I have tried so far, but I get a URI redirect error.
```
constant kAuthURL = "https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/personas/provider/authorize"
constant kTokenURL = "https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/token"
constant kClientID = "1d843340-66fe-4691-b179-2ac46704356d "
constant kClientSecret = ""
constant kScopes = "patient/Observation.read patient/Patient.read openid profile launch/patient"
constant kPort = 443

local sAuth

command PostToSlack pMessage
   if sAuth["access_token"] is empty then
      OAuth2 kAuthURL, kTokenURL, kClientID, kClientSecret, kScopes, kPort
      if the result is not empty then
         return "Not authorized!" for error
      else
         put it into sAuth
      end if
   end if
end PostToSlack
```
Let me know if you wish me to PM you.
Thanks
Re: OAuth2 token Help needed
Posted: Fri Jan 13, 2017 5:43 am
by monte
Hi @newpie
Many APIs require you to set a redirect URI server side and failing to do so or setting it incorrectly will result in the redirect uri mismatch error. In this case you need to set it to: http://127.0.0.1:443/. There should be some method available to do so in the api console where you got your client id and secret from.
However, you might not want to use port 443 as it's such a commonly used port. The recommended range in the docs is 49152 to 65535.
Cheers
Monte
Re: OAuth2 token Help needed
Posted: Fri Jan 13, 2017 6:04 am
by newpie
Hi monte, thanks for replying. I actually have two URIs they require and am a little confused about what to put where. I attached an image to the post. Do I put "http://127.0.0.1:443/" in both areas to make this work, the smart launch URI and redirect URI?
Also just fyi, there is no place to put a Client Secret code with them as you can see below. I asked them and they said they don't require it.
I tried putting http://127.0.0.1:62121/ in both slots instead and now it returns "Not authorized".
Here is some more information about the API and data I am trying to use:
1. http://docs.smarthealthit.org/authorization/
2. http://engineering.cerner.com/smart-on- ... gistration (Tutorial, but for web app not standalone)
3. http://fhir.cerner.com/dstu2/ (technical overview)
4. http://docs.smarthealthit.org/ (FHIR and other references)
Where to register: https://code.cerner.com/developer/smart ... r/register
Thanks again
Re: OAuth2 token Help needed
Posted: Fri Jan 13, 2017 3:22 pm
by newpie
Hello, I found out this bit of information that might help get this working:
"After you redirect to the Cerner authorization page you should see a login form where you enter user name and password, and after that you should be redirected back to your redirect URL http://127.0.0.1:62121"
Seems it should open up browser where I can log in.
Re: OAuth2 token Help needed
Posted: Sun Jan 15, 2017 11:24 pm
by monte
I don't think the smart launch URI is anything to do with OAuth.
I presume when you are testing this you are setting the client secret in your script.
Try changing it to `return "OAuth error:" & the result for error` so you can see what error is being returned by the server.
Re: OAuth2 token Help needed
Posted: Mon Jan 16, 2017 8:50 pm
by newpie
Hello monte, I tried doing the error piece and it didn't return. I also checked again and they stated there is no clientSecret. I am not sure whether it being a sandbox domain is the reason.
I posted the code below if you need it.
```
constant kAuthURL = "https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/personas/provider/authorize"
constant kTokenURL = "https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/token"
constant kClientID = "e4193b40-e317-47c2-b385-e5017c6b5f0a"
constant kClientSecret = ""
constant kScopes = "openid profile user/*.read"
constant kPort = 62121

local sAuth

command PostToFHIR pMessage
   -- only run the authorization flow when no token is cached yet
   if sAuth["access_token"] is empty then
      OAuth2 kAuthURL, kTokenURL, kClientID, kClientSecret, kScopes, kPort
      if the result is not empty then
         return "OAuth error:" & the result for error
         --answer "Not authorized!"
      else
         put it into sAuth
         answer it
      end if
   end if
end PostToFHIR
```
Re: OAuth2 token Help needed
Posted: Wed Jan 18, 2017 5:59 am
by monte
Looking at the docs here http://docs.smarthealthit.org/authorization/ I see that you need an additional `aud` parameter:
URL of the EHR resource server from which the app wishes to retrieve FHIR data. This parameter prevents leaking a genuine bearer token to a counterfeit resource server. (Note: in the case of an EHR launch flow, this aud value is the same as the launch's iss value.)
I also found a bug in the OAuth2 library encoding spaces incorrectly which I'll fix right now.
Re: OAuth2 token Help needed
Posted: Wed Jan 18, 2017 6:04 am
by monte
Re: OAuth2 token Help needed
Posted: Wed Jan 18, 2017 2:53 pm
by Mikey
What OAuth2 library? Did I miss some new feature? Server, client, both?
Re: OAuth2 token Help needed
Posted: Wed Jan 18, 2017 8:58 pm
by newpie
@Mikey - Hello, I saw the library in the 9.0 dp4 version.
@Monte - This is great news! I appreciate your help. I wish to test it; do I copy and replace an "oauth2.livecodescript" file located in the livecode folders? Or will this be uploaded to a new dp version soon?
Thanks
Re: OAuth2 token Help needed
Posted: Fri Jan 20, 2017 2:44 am
by monte
@newpie you could copy the whole file or just edit your version to comment out those lines
Re: OAuth2 token Help needed
Posted: Fri Jan 20, 2017 4:57 pm
by newpie
monte wrote: Looking at the docs here http://docs.smarthealthit.org/authorization/ I see that you need an additional `aud` parameter:
URL of the EHR resource server from which the app wishes to retrieve FHIR data. This parameter prevents leaking a genuine bearer token to a counterfeit resource server. (Note: in the case of an EHR launch flow, this aud value is the same as the launch's iss value.)
Hey Monte, if I can find out the additional `aud` parameter, where would I put it in my code I posted above? Can I use this library with them, I guess, is the main question. From what I gather I need to log in with portal/portal (in sandbox mode) before obtaining access. I did test the library again after editing, but still get no error and a pop-up box which disappears quickly that says Authenticate in header.
Thanks for your assistance and time.
Re: OAuth2 token Help needed
Posted: Tue Jan 24, 2017 4:17 am
by monte
Hi @newpie
It should be something like:
```
local tParamA
put "whatever the aud url is" into tParamA["aud"]
OAuth2 kAuthURL, kTokenURL, kClientID, kClientSecret, kScopes, kPort, tParamA
```
Re: OAuth2 token Help needed
Posted: Wed Jan 25, 2017 6:46 pm
by newpie
monte wrote: Hi @newpie
It should be something like:
```
local tParamA
put "whatever the aud url is" into tParamA["aud"]
OAuth2 kAuthURL, kTokenURL, kClientID, kClientSecret, kScopes, kPort, tParamA
```
Hello monte, I did try that with the supplied aud URLs, but no luck. I asked FHIR and they gave me the reply below. When I perform the OAuth2 library coding it always pops up a box for a short second with title bar heading "Authenticate". Basically the user logs in. The login is portal/portal for sandbox FHIR. Any ideas to get this working? Thank you for any help.
Re: OAuth2 token Help needed
Posted: Thu Jan 26, 2017 12:52 am
by monte
Aha! So it looks like there's an extra step involved here: http://docs.smarthealthit.org/authorization/
See the section labeled SMART “launch sequence”. I presume you need the Standalone launch sequence.
So you must request the metadata in order to get the OAuth endpoints (perhaps there's a reason not to hard code them?)
You also appear to need to add a launch context to your scopes. Probably
is what you need I think...
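The two steps this thread arrives at (reading the OAuth endpoints from the FHIR server's metadata instead of hard-coding them, then sending `aud` with the authorization request) are sketched below as an added Python example; it is not part of any post and not the LiveCode OAuth2 library's code. It assumes the server publishes its endpoints in the SMART `oauth-uris` extension of a DSTU2 Conformance statement; the function names, hostnames and sample metadata are constructed for illustration.

```python
import json
import secrets
from urllib.parse import quote, urlencode, urlsplit

OAUTH_URIS = "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"

# Constructed sample of a trimmed DSTU2 Conformance statement, as served from
# {fhir_base}/metadata. Hostnames are placeholders, not a real server.
SAMPLE_METADATA = json.dumps({"resourceType": "Conformance", "rest": [{
    "mode": "server",
    "security": {"extension": [{"url": OAUTH_URIS, "extension": [
        {"url": "authorize", "valueUri": "https://auth.example.test/authorize"},
        {"url": "token", "valueUri": "https://auth.example.test/token"},
    ]}]},
}]})


def discover_endpoints(metadata_json):
    """Return {'authorize': url, 'token': url} from the oauth-uris extension."""
    doc = json.loads(metadata_json)
    for rest in doc.get("rest", []):
        for ext in rest.get("security", {}).get("extension", []):
            if ext.get("url") != OAUTH_URIS:
                continue
            found = {e.get("url"): e.get("valueUri") for e in ext.get("extension", [])}
            if found.get("authorize") and found.get("token"):
                return {"authorize": found["authorize"], "token": found["token"]}
    raise ValueError("metadata has no SMART oauth-uris extension")


def build_authorize_url(endpoints, fhir_base, client_id, scopes, port):
    """Build the standalone-launch authorization request; returns (url, state)."""
    if not 49152 <= port <= 65535:
        raise ValueError("pick a loopback port in 49152-65535")
    for url in endpoints.values():
        if urlsplit(url).scheme != "https":
            raise ValueError("refusing non-HTTPS OAuth endpoint: " + url)
    state = secrets.token_urlsafe(16)  # compare with the value on the redirect
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": "http://127.0.0.1:%d/" % port,  # must equal the registered URI
        "scope": " ".join(scopes),
        "aud": fhir_base,  # the FHIR server whose /metadata was read
        "state": state,
    }
    # quote_via=quote percent-encodes spaces in the scope list as %20
    return endpoints["authorize"] + "?" + urlencode(params, quote_via=quote), state
```

Because `aud` is set to the same base URL the metadata came from, the authorization server can tie the issued token to that resource server, which is the protection the quoted SMART documentation describes.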