athenahealth / apiserver-athenaFlex

Software developers can use sample code and documentation to use athenahealth's athenaPractice/athenaFlow FHIR API Server.
https://mydata.athenahealth.com/home

Auth failure due to invalid audience for SMART App #313

Closed Anurag-Asati closed 2 months ago

Anurag-Asati commented 3 months ago

I have my SMART application hosted on IIS on a VM and have registered it on the Athena Dev Portal.

However, while browsing to the application, the auth request fails with the error: Invalid audience parameter https://gecps-v23.checkinasyst.com:9443/cpsdemoAPIServer.

Before the geo-location restriction, the same application was working fine on the v22 VM when testing against the Athena FHIR sandbox, with the audience set to https://ap23sandbox.fhirapi.athenahealth.com/demoAPIServer in the auth request.

Please provide inputs to resolve the issue. Let me know in case I need to provide any additional details.

Thanks, Anurag

deepaktiwari29 commented 3 months ago

Hello @Anurag-Asati, this seems to be an issue with a wrong 'aud' value being set in your auth request. Can you try modifying your auth request URL so that the aud query param is set to https://ap23sandbox.fhirapi.athenahealth.com/demoAPIServer or https://ap23sandbox.fhirapi.athenahealth.com/demoAPIServer/fhir/r4 (in case you are pointing to the ap23 VM) and check whether it works? If it doesn't, could you please share the auth URL with us?

Anurag-Asati commented 2 months ago

Hi @deepaktiwari29

After completing the FHIR setup, I am able to browse to OpenID metadata endpoint - https://gecps-v23.checkinasyst.com:9443/cpsdemoapiserver/.well-known/openid-configuration

As provided in the above metadata, I'm using:

(i) Authorization endpoint: https://gecps-v23.checkinasyst.com:9443/cpsdemoapiserver/oauth2/authorize
(ii) Token endpoint: https://gecps-v23.checkinasyst.com:9443/cpsdemoapiserver/oauth2/token

I'm encountering the same invalid audience error when using aud set to any of the three URLs below:

- https://gecps-v23.checkinasyst.com:9443/cpsdemoapiserver
- https://ap23sandbox.fhirapi.athenahealth.com/demoAPIServer
- https://ap23sandbox.fhirapi.athenahealth.com/demoAPIServer/fhir/r4

As stated earlier, if I change the above configuration to use the ap23sandbox authorization URL, token endpoint and audience, it works fine. However, the same code does not work when pointing to the local FHIR setup on the VM.

Please let me know in case you're looking for any further details.

Thanks, Anurag

deepaktiwari29 commented 2 months ago

@Anurag-Asati, Thanks for the detailed explanation. Can you try using the issuer value from the response of https://gecps-v23.checkinasyst.com:9443/cpsdemoapiserver/.well-known/openid-configuration

It should be something like 'https://gecps-v23.checkinasyst.com:9443/cpsdemoapiserver/fhir/r4' or 'https://gecps-v23.checkinasyst.com:9443/cpsdemoapiserver'
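The resolution suggested above, worked through as an added example (this is not code from the athenaFlex repository or from either commenter): a SMART App Launch client that reads the issuer from the server's `.well-known/openid-configuration` and builds the authorization request with `aud` set to that value, next to the kind of comparison an authorization server makes when it decides whether an `aud` is acceptable. The discovery document below is constructed from the URLs in this thread, and the acceptance policy (the issuer, optionally a FHIR base URL such as `.../fhir/r4`) is an assumption; the SMART App Launch specification defines `aud` as the FHIR server base URL, so which of the two forms named above a given server accepts is for that server to say. The lesson the example encodes is the one from the thread: `aud` binds the request to the server you are actually talking to, so copying the sandbox audience into a request sent to a self-hosted instance is rejected.

```python
"""SMART App Launch: derive `aud` from the server's own discovery document.

Added example. The discovery document is constructed from the URLs in the
issue thread; the acceptance policy in aud_is_acceptable() is assumed.
"""
import base64
import hashlib
import json
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed discovery document. In practice fetch
# <issuer>/.well-known/openid-configuration and read the live values.
OPENID_CONFIGURATION = json.dumps({
    "issuer": "https://gecps-v23.checkinasyst.com:9443/cpsdemoapiserver",
    "authorization_endpoint":
        "https://gecps-v23.checkinasyst.com:9443/cpsdemoapiserver/oauth2/authorize",
    "token_endpoint":
        "https://gecps-v23.checkinasyst.com:9443/cpsdemoapiserver/oauth2/token",
    "code_challenge_methods_supported": ["S256"],
})


def parse_discovery(doc: str) -> dict:
    """Parse the discovery JSON and insist on the fields the launch flow needs."""
    meta = json.loads(doc)
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if key not in meta:
            raise ValueError(f"discovery document missing {key!r}")
    return meta


def normalize_url(url: str) -> str:
    """Canonical form for audience comparison: lowercase scheme and host,
    trailing slash removed, query and fragment dropped. The path is kept
    case-sensitive, as URL paths are unless the server says otherwise."""
    parts = urlsplit(url.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path.rstrip("/"), "", ""))


def aud_is_acceptable(aud: str, meta: dict, fhir_base: Optional[str] = None) -> bool:
    """Assumed server-side policy: `aud` must equal the issuer, or the FHIR base
    URL the server fronts if one is configured. Anything else is rejected, which
    is what turns a copied sandbox audience into 'Invalid audience parameter'."""
    accepted = {normalize_url(meta["issuer"])}
    if fhir_base:
        accepted.add(normalize_url(fhir_base))
    return normalize_url(aud) in accepted


def pkce_pair() -> tuple:
    """Fresh PKCE code_verifier and its S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs on the presented code_verifier."""
    digest = hashlib.sha256(verifier.encode()).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return secrets.compare_digest(expected, challenge)


def build_authorize_url(meta: dict, client_id: str, redirect_uri: str, scope: str,
                        aud: Optional[str] = None, state: Optional[str] = None,
                        code_challenge: Optional[str] = None) -> str:
    """Authorization request whose `aud` defaults to the server's own issuer,
    never to a value copied from another environment."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state or secrets.token_urlsafe(16),
        "aud": aud or meta["issuer"],
    }
    if code_challenge:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return f"{meta['authorization_endpoint']}?{urlencode(params)}"


def aud_in_url(url: str) -> Optional[str]:
    """Pull the `aud` parameter back out of an authorization URL (for checking
    what an app is actually sending)."""
    values = parse_qs(urlsplit(url).query).get("aud")
    return values[0] if values else None


META = parse_discovery(OPENID_CONFIGURATION)

if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    url = build_authorize_url(META, "my-smart-app", "https://app.example/callback",
                              "launch/patient patient/*.read", code_challenge=challenge)
    print(url)
    # The audience copied from the sandbox is rejected by the local issuer.
    print(aud_is_acceptable("https://ap23sandbox.fhirapi.athenahealth.com/demoAPIServer", META))
```

Run it against a live server by replacing `OPENID_CONFIGURATION` with the fetched document; if `aud_in_url()` on the request your app emits does not match the issuer (or the FHIR base URL the server publishes), that is the mismatch the thread describes. Client names, redirect URI and scopes here are placeholders.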

deepaktiwari29 commented 2 months ago

@Anurag-Asati could you please confirm if your issue is resolved with the given resolution? Or are you still facing the issue?

Anurag-Asati commented 2 months ago

Hi @deepaktiwari29, the initial issue reported on this ticket is resolved. I am now encountering another issue, which is reported on ticket 314; therefore this ticket can be closed. Thanks, Anurag

deepaktiwari29 commented 2 months ago

@Anurag-Asati Thanks for confirming. Closing this ticket.