athenahealth / apiserver-athenaFlex

Software developers can use sample code and documentation to use athenahealth's athenaPractice/athenaFlow FHIR API Server.
https://mydata.athenahealth.com/home

Ribbon control with buttons created to launch SMART application, not visible in Athena client application #314

Open Anurag-Asati opened 2 months ago

Anurag-Asati commented 2 months ago

I've an application hosted in a VM on IIS and registered the same on Athena Dev Portal. I've completed the Athena FHIR setup on VM and executed below SPs to create button control in Visit module to launch SMART app - (i). dbo.AddCustomButtonControl (ii). dbo.AddCustomModuleToControl (iii). AddCustomControlJSON

However, I am not seeing any ribbon control with given button in Visit module of Athena client application.

Please provide inputs to resolve the above issue. Let me know in case you need any additional details.

Thanks, Anurag

apdesai16 commented 1 month ago

Thanks for reaching out to us.

To understand your problem better we need some more information. Could you please share the scripts(with data used) which are used to create the button under visit module?

Thanks, Apekshit

Anurag-Asati commented 1 month ago

Hi @apdesai16

Today, I've deleted the earlier created button control which was not visible in the UI executing SP - DeleteCustomButtonControlWithReference with appropriate ButtonControlId.

After that, I've again executed the below SPs to create the button control -

DECLARE @Affected Numeric(19,0), @RCode Numeric(19,0), @RMessage varchar(4000);
EXEC dbo.AddCustomButtonControl
    @ButtonName = 'ButtonControl1',
    @Description = 'ButtonControl1',
    @Vendor = 'ApplicationOne',
    @TargetURL = 'https://cps.check.com:7093',
    @headlessHttp = NULL,
    @IsDisabled = 'N',
    @Launchmode = 'IE',
    @Lifecycle = 'Modal',
    @NotificationList = NULL,
    @clientId = 'fgJcdGciOiJSUzI1NiA2',
    @Version = '1.0.0',
    @AffectedRows = @Affected OUT,
    @ResultCode = @RCode OUT,
    @ResultMessage = @RMessage OUT;

Declare @Affected Numeric(19,0), @RCode Numeric(19,0), @RMessage varchar(4000);
Exec dbo.AddCustomModuleToControl
    @ModuleName = 'Visit',
    @ButtonOrFolderName = 'ButtonControl1',
    @OrderSequenceVal = 1,
    @Vendor = 'ApplicationOne',
    @CreatedByPVID = -2,
    @AffectedRows = @Affected OUT,
    @ResultCode = @RCode OUT,
    @ResultMessage = @RMessage OUT

EXEC AddCustomControlJSON;

The ClientId and TargetURL in above query are dummy values and not the actual ones; rest of the query being same as has been executed.

This has created the button in Visit module. I'm not sure, why it did not work earlier.

Clicking on the button however, I am getting an error as shown in screenshot below - image

Could you please share any inputs on the issue? Also, are there any logs been generated which I can refer to get more details of the error?

Thanks, Anurag

apdesai16 commented 1 month ago

Hi @Anurag-Asati,

We have observed java.net.UnknownHostException: GECPS-V23.WORKGROUP from your machine in our OMS logs. The logs can be found at the following location on JBoss server machine: C:\Program Files\Centricity Practice Solution\jboss\standalone\log\server.log

This error indicates that our API is unable to resolve the hostname GECPS-V23.WORKGROUP to an IP address.

Check if the hostname GECPS-V23.WORKGROUP is correct.

Thank You, Apekshit

CC: @SChakravarthy-Athena

SChakravarthy-Athena commented 1 month ago

@Anurag-Asati, could you please confirm if your issue is resolved with the correct host name?

CC: @apdesai16

Anurag-Asati commented 1 month ago

Hi @apdesai16 @SChakravarthy-Athena I've cleaned the installation and re-installed CPS client, JBoss and server component and FHIR setup to resolve the issue with hostname. I am now again facing the same issue which I'd encountered initially, that is the ribbon control with the button is not visible in Visit module. I am using the same set of sql statements which I'd posted earlier in the ticket.

Also observing an additional issue which I am not sure if related - While sending a request to get Authorization Code from Authorize endpoint, I am encountering below error - Not authorized at practice level. The access was revoked for application with client id : {clientID}

In above, {clientID} is the clientID of the application - "ApplicationOne" registered on Athena Dev Portal.

Thanks, Anurag

deepaktiwari29 commented 1 month ago

@Anurag-Asati, For error 'Not authorized at practice level. The access was revoked for application with client id : {clientID}' If you have registered your app and marked it as "Production" in DevPortal, all you need to do before using it for the Authentication flow is add it to the API App Authorization list from the client. Please follow this path to add your app in the list: Home Page> Administration > System > Interoperability > API App Authorization

Anurag-Asati commented 1 month ago

Hi @deepaktiwari29 Thank you for the quick response. Could you please look into below queries which would help me to understand the functionality better? (i). Would this also take care of issue of button control created executing SPs not visible in Visit module? In addition to SP execution, are there any additional validations in order for the button to be available in Visit or Billing module?

(ii). I've the application currently marked in Development mode on Athena Dev Portal. What is difference between Dev and Prod mode; and in what scenario is it helpful to have the application in Development mode, if its required to be in Production for Authentication flow?

(iii). Once the FHIR setup is completed on VM, I am also seeing some entries in DB table - AADConfiguration as below - image (a). I am assuming these are created based on the Azure AD login done during FHIR setup. Please confirm if this is correct. (b). Can I use any of the clientID and Secret combinations from this table to get authorization code and access token for FHIR access for my testing? (c). Since the FHIR APIs are setup locally on VM, and if I can use a pair of client ID and Secret from AADConfiguration table to generate Authorization code, then I should not have a dependency to be within USA network to complete the Authentication Flow and get the Patient details using FHIR API. Please confirm if this is correct, or if I am missing anything here.

Please let me know your inputs.

Thanks, Anurag

Anurag-Asati commented 1 month ago

Hi @deepaktiwari29

I've updated the application - ApplicationOne on Dev Portal to Production. However the app name is not available to be added to API App Authorization list as shown below -

image

image

Also could you please look into my previous queries? I've some limitation to connect to VM in USA network. It will be helpful if there is a way to use local setup along with client Id and secret pair saved in demo DB.

Thanks, Anurag

Anurag-Asati commented 1 month ago

Hi @deepaktiwari29 @apdesai16 Could we meet today for a working session to resolve the above issues and queries? Thanks, Anurag

SChakravarthy-Athena commented 1 month ago

@Anurag-Asati , are you available tomorrow 11AM to 12PM(IST)? If yes, then please share your official email id to which we can send the Microsoft Teams meeting invite.

@apdesai16 @deepaktiwari29 FYI Thanks Srinivasa C

Anurag-Asati commented 1 month ago

Hi @SChakravarthy-Athena @apdesai16

Could you please share the invite to - anuraga@healthasyst.com helpdesk@healthasyst.com

Thanks, Anurag

SChakravarthy-Athena commented 1 month ago

@Anurag-Asati , we have sent the MS teams meeting invite. Please join.

Anurag-Asati commented 1 month ago

Hi @SChakravarthy-Athena @apdesai16 @deepaktiwari29

Thank you for your time on the call today. Please find the attached log for error encountered for authorization token request after the API App Authorization registration is completed. CentricityFHIR_cpsdemo.log

Thanks, Anurag

deepaktiwari29 commented 1 month ago

Hey @Anurag-Asati, After analysing the logs you provided, it appears that it is a VPN issue because the public key is not being downloaded. Could you try switching the VPN once to the US and check if you are getting the expected response for the authorize URL? Also, can you hit this URL and verify if you are able to download the certificate on your VM: https://appkey.mydata.athenahealth.com/devPortalPublicKey.der

Anurag-Asati commented 1 month ago

Hi @deepaktiwari29 I've registered a new application "DocumentManagementApp1.0.0" on Dev Portal and that has resolved the given issue.

I am encountering below issues now -

(1). Still getting an error while sending request for Authorization token. Currently, sending below authorization token request - https://gecps-v23.checkinasyst.com:9443/cpsdemoAPIServer/oauth2/authorize?state=defaultToken&scope=profile%20openid%20patient%2F*.read%20launch%2Fpatient&response_type=code&redirect_uri=https%3A%2F%2Fgecps-v23.checkinasyst.com%3A7093%2Fsignin-oidc&aud=https%3A%2F%2Fgecps-v23.checkinasyst.com%3A9443%2Ffhir%2Fr4%2FdemoAPIServer&client_id={client_id}

where, in above, {client_id} is replaced with actual client ID of application registered on Dev Portal.

This redirects user to login page - Selecting Work Account and Login with Azure AD credentials which were used during API registration; receiving below error - https://gecps-v23.checkinasyst.com:7093/signin-oidc?error=invalid_user&error_description=User%20not%20found. Question - Is there any additional registration required for the given user account, or do we need to use some other user account for login?

(2). Unable to complete user authentication for authorization token request sent to v23 Athena sandbox as below - (i). Send Authorization token request as below - https://ap23sandbox.fhirapi.athenahealth.com/demoAPIServer/oauth2/authorize?state=defaultToken&scope=profile%20openid%20patient%2F*.read%20launch%2Fpatient&response_type=code&redirect_uri=https%3A%2F%2Fgecps-v23.checkinasyst.com%3A7093%2Fsignin-oidc&aud=https%3A%2F%2Fap23sandbox.fhirapi.athenahealth.com%2FdemoAPIServer&client_id={client_id} (ii). Select Work Account. (iii). Login with credentials (user: hwinston@sboxprovtenant.com) provided in Athena Dev Portal's API access documentation prompts for below additional verification - image Question - Is there a way to disable MFA for this user?

(3). Unable to install the devPortalPublicKey certificate as advised in previous comment; encountering below error when trying to install it. Please let me know if it is still require to install the certificate. If yes, please advise as to how can I resolve/workaround below error - image

Could you please look into these issues and let me know your inputs on the same?

Thanks, Anurag

Anurag-Asati commented 1 month ago

Hi @deepaktiwari29

I was able to get through the previous issue with user login. I've below query related to the patient context in order to generate access token - (1). Login to CPS client application. (2). Select a patient in Registration module and go to Visit module for the same. (3). Click on the button (created using SQL statements) to launch SMART app. (4). Select Work Account and login. User is again prompted to search and select a patient. This is not expected as there is already a patient selected in CPS client application.

Question - When launching SMART application, how can we avoid user been prompted to select patient again and instead use patient selected in Registration module? I've tried replacing the scope "launch/patient" with "launch"; with scopes used - openid, profile, patient/*.read, launch, fhirUser; however encountered an error with the same.

Please advise.

Thanks, Anurag

Anurag-Asati commented 1 month ago

Hi @deepaktiwari29 @SChakravarthy-Athena I am encountering issue while reading launch context value launching SMART app from within CPS client application. As per documentation - https://build.fhir.org/ig/HL7/smart-app-launch/app-launch.html#launch-app-ehr-launch, when launching SMART app in EHR launch workflow, it should navigate to something like - https://app/launch?iss=https%3A%2F%2Fehr%2Ffhir&launch=xyz123. I've tried extracting launch code value accordingly, however am not receiving any value.

Could you please provide below inputs - (1). The parameters with exact names to get launch context value in EHR launch workflow? (2). Is there any documentation on Athena Dev Portal for the EHR launch flow?

Please let me know your inputs at the earliest.

Thanks, Anurag

deepaktiwari29 commented 1 month ago

Hello @Anurag-Asati, Please find the response regarding your queries,

> Is there any additional registration required for the given user account, or do we need to use some other user account for login?

Yes, you have to register a User with the login name as the login credentials you are using. As we already have a user with name Harry Winston (hwinston), we recommend using login credentials provided in Athena Dev Portal's API access documentation (hwinston@sboxprovtenant.com). However, it appears that there was an issue with the mentioned credentials a few weeks ago, as we encountered the MFA screen as you mentioned in your earlier reply. This has been fixed, so you should be able to proceed.

> Unable to install the devPortalPublicKey certificate

We only needed to make sure you could access the URL for downloading the certificate. It looks like you were able to download it; there is no need to install it.

> When launching SMART application, how can we avoid user been prompted to select patient again and instead use patient selected in Registration module?

It seems you are missing the step of extracting the launch code and passing it in the authorize call. Please go through the release notes and check points d, e, f, and g under 'Sample React Sample App design details'. Can you check this and let us know if that helps?

deepaktiwari29 commented 1 month ago

> Hi @deepaktiwari29 @SChakravarthy-Athena I am encountering issue while reading launch context value launching SMART app from within CPS client application. As per documentation - https://build.fhir.org/ig/HL7/smart-app-launch/app-launch.html#launch-app-ehr-launch, when launching SMART app in EHR launch workflow, it should navigate to something like - https://app/launch?iss=https%3A%2F%2Fehr%2Ffhir&launch=xyz123. I've tried extracting launch code value accordingly, however am not receiving any value.
>
> Could you please provide below inputs - (1). The parameters with exact names to get launch context value in EHR launch workflow? (2). Is there any documentation on Athena Dev Portal for the EHR launch flow?
>
> Please let me know your inputs at the earliest.
>
> Thanks, Anurag

Do check the comment on issue #214 which clarifies how you can simulate getting a launch code needed to invoke a SMART app using the iss and launch parameters

Anurag-Asati commented 3 weeks ago

Hi @deepaktiwari29 @SChakravarthy-Athena

I'm able to get the launch context from CPS client application. However, launching SMART application from Visit module and then trying to authenticate the user is generating below error - Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login. ---> Microsoft.AspNetCore.Authentication.AuthenticationFailureException: unauthorized_client;Description=Requested scope not authorized

Below is the entry from /Centricity Practice Solution/jboss/standalone/log/access.log -

Client 10.0.120.53 Time [07/Oct/2024:04:53:16 -0700] Worker gecps-v23 TotalTime 0.011 Status 200 BytesOut 54 Method GET Url /cpsdemo/ws/Services/rs/common/cacheVersionMap- Protocol HTTP/1.1 Client 10.0.120.53 Time [07/Oct/2024:04:53:38 -0700] Worker GECPS-V23.checkinasyst.com TotalTime 1.661 Status 200 BytesOut 2847 Method GET Url /cpsdemoAPIServer/oauth2/authorize?launch=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1jN2wzSXo5M2c3dXdnTmVFbW13X1dZR1BrbyIsImtpZCI6Ik1jN2wzSXo5M2c3dXdnTmVFbW13X1dZR1BrbyJ9.eyJhdWQiOiI0ZGQ2ZWFkMS1jY2I1LTRmNWYtYWIwNS1iYmVkMzFjYzZkNDMiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8zMDdmZjlmMy0wNjEzLTRkYTUtOWYwNi1lYmRlYzhhOTFiZmIvIiwiaWF0IjoxNzI4MzAxNzE2LCJuYmYiOjE3MjgzMDE3MTYsImV4cCI6MTcyODMwNTYxNiwiYWlvIjoiazJCZ1lQQ29yajNXYzBmM3piVUR5bDFCMVNMczJZbFhONitlSDlWNTd3amZ0dDN2WmJNQSIsImFwcGlkIjoiOWIxNzJhNGYtZTM5MC00MDIzLWJkODAtNTE0N2IwYTI0Mjc2IiwiYXBwaWRhY3IiOiIxIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvMzA3ZmY5ZjMtMDYxMy00ZGE1LTlmMDYtZWJkZWM4YTkxYmZiLyIsIm9pZCI6IjE0YzFiOTgxLWJjNGYtNDc2My1iYzdmLTA0YmRhOWJkOTc1NyIsInJoIjoiMC5BU29BOF9sX01CTUdwVTJmQnV2ZXlLa2ItOUhxMWsyMXpGOVBxd1c3N1RITWJVTXFBQUEuIiwic3ViIjoiMTRjMWI5ODEtYmM0Zi00NzYzLWJjN2YtMDRiZGE5YmQ5NzU3IiwidGlkIjoiMzA3ZmY5ZjMtMDYxMy00ZGE1LTlmMDYtZWJkZWM4YTkxYmZiIiwidXRpIjoiekJ4UEFZQXlRa3VBT0pCYU9DaEhBQSIsInZlciI6IjEuMCJ9.JacrOpQIMxUi9KQ0HjNm9ikmBaZHbgSp-qMHqqrufq8Cph0IyvleGEr0REZ6Iy7eH-qeQIdF62Tb9GILtQxjXTiU6H3RmBvf1OtKbEDo8bVqgL6TMgFQuqX9e1LNn7FJ_V0pyfCbIx16SXAvMHFDlgknA_CpM5M7aDlsHqGMH2vz4amb_vqxtSNDilyqSgyCltSbXwyj7tqvJ87G7V2lKkWkBqquL4I9EXVa5elac-24Ku42KGhHpIdDz2rFmM2k4dfVPO9PGhYM0kpLN7VH1LVTtgzEKI3ywaFgcMjZZTJq5ivXR19NsjN5EttU2AsIOCCgmkyCAVSXdX6bEyFm0Q&redirect_uri=https%3A%2F%2FGECPS-V23.checkinasyst.com%3A9443%2Fservicelayer&client_id=9b172a4f-e390-4023-bd80-5147b0a24276&scope=patient%2F.read+launch%2Fpatient+launch&user_name=hwinston&state=32c89db1-817e-4ed7-9253-b92b7e7e2721&aud=4dd6ead1-ccb5-4f5f-ab05-bbed31cc6d43&sync=true Protocol HTTP/1.1 Client 10.0.120.53 Time [07/Oct/2024:04:53:38 
-0700] Worker gecps-v23 TotalTime 3.133 Status 200 BytesOut 187 Method POST Url /cpsdemo/ws/Services/rs/common/smartLaunchUrl- Protocol HTTP/2.0 Client 10.0.120.53 Time [07/Oct/2024:04:53:38 -0700] Worker GECPS-V23.checkinasyst.com TotalTime 0.141 Status 200 BytesOut 47 Method POST Url /cpsdemoAPIServer/session/create- Protocol HTTP/1.1 Client 10.0.120.53 Time [07/Oct/2024:04:53:46 -0700] Worker gecps-v23 TotalTime 0.009 Status 200 BytesOut 54 Method GET Url /cpsdemo/ws/Services/rs/common/cacheVersionMap- Protocol HTTP/1.1 Client 10.0.120.53 Time [07/Oct/2024:04:54:16 -0700] Worker gecps-v23 TotalTime 0.009 Status 200 BytesOut 54 Method GET Url /cpsdemo/ws/Services/rs/common/cacheVersionMap- Protocol HTTP/1.1 Client 10.0.120.53 Time [07/Oct/2024:04:54:46 -0700] Worker gecps-v23 TotalTime 0.008 Status 200 BytesOut 54 Method GET Url /cpsdemo/ws/Services/rs/common/cacheVersionMap- Protocol HTTP/1.1 Client 10.0.120.53 Time [07/Oct/2024:04:54:55 -0700] Worker gecps-v23.checkinasyst.com TotalTime 0.022 Status 302 BytesOut - Method GET Url /cpsdemoAPIServer/oauth2/authorize?client_id=eyJhbGciOiJSUzI1NiJ9.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.TlB70dhmlQaTNxw0zpwaMUPAs0tXWcEpZdzGiPzUHfRdSC0OeEXb1HV6AQHhAocmOKZ_WTjBhB2lT9DjZc5fgO-OKkIxiFO3QjQ9WsfvzD5SgoWiFIF2gSCooHniCacyPc_MTRo0DzcUWSuiMbTeNKhf3qwE2aTrbgvfGjluzEg&scope=openid+profile+patient%2f.read+launch+fhirUser&response_type=code&redirect_uri=https%3a%2f%2fgecps-v23.checkinasyst.com%3a7093%2fsignin-oidc&state=CfDJ8IYIG7gSGCZHoDiRYSjPLaFHLEbIfQ978swyChwtpQfy6RG0maphNA9zKJ-xysZ5nx44ijzoyqCDnBQ6CBMkXXJCNeZVsb_2l6evWjGBZ70covXxccP_CHnbfBAk9JmON3nDdW80PxbsXfHQL798zA0WD0CiO9FB6TJ_GCjK7PstP815zyPp8n1qAljd2WPdfTwU8tUNyKzzvq89YZDHKqIdgZPfNKg3kUzrsPBWVHf1&aud=https%3a%2f%2fGECPS-V23.checkinasyst.com%3a9443%2fcpsdemoAPIServer%2ffhir%2fr4&launch=61a39c80-96d8-469c-9219-5f8bccc9f48a Protocol HTTP/1.1

Questions - (1). Error - Requested scope not authorized indicates incorrect scopes been used. Currently using scopes - openid, profile, patient/*.read, launch, fhirUser. What should be the scope change to avoid above error but to still get patient id for selected patient? (2). From the access.log entries, observed that there are two requests to authorize endpoint with different values for client_id and launch value. Why should there be 2 calls to the authorize endpoint and that too with different client IDs and launch values?

Please let me know your inputs.

Thanks, Anurag
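An added example, not part of the thread or of athenahealth's tooling: a small Node.js parser for the access.log layout quoted in the comment above. It lists each request to the authorize endpoint with its client_id, redirect_uri, scope and launch value side by side, and shortens token-like values so the summary can be shared without the tokens themselves. The log lines, hosts and identifiers are constructed, and the 16-character redaction threshold is an assumption.

```javascript
// Constructed sample entries in the "Key value" layout of the access.log excerpt.
const SAMPLE_LOG = [
  'Client 10.0.0.5 Time [07/Oct/2024:04:53:16 -0700] Worker ehr-host TotalTime 0.011 Status 200 BytesOut 54 Method GET Url /cpsdemo/ws/Services/rs/common/cacheVersionMap- Protocol HTTP/1.1',
  'Client 10.0.0.5 Time [07/Oct/2024:04:53:38 -0700] Worker ehr-host TotalTime 1.661 Status 200 BytesOut 2847 Method GET Url /cpsdemoAPIServer/oauth2/authorize?launch=CONSTRUCTEDLAUNCHTOKEN0123456789abcdef&redirect_uri=https%3A%2F%2Fehr.example.test%3A9443%2Fservicelayer&client_id=11111111-2222-3333-4444-555555555555&scope=launch%2Fpatient+launch&state=s1&sync=true Protocol HTTP/1.1',
  'Client 10.0.0.5 Time [07/Oct/2024:04:54:55 -0700] Worker ehr-host TotalTime 0.022 Status 302 BytesOut - Method GET Url /cpsdemoAPIServer/oauth2/authorize?client_id=app-client-1&scope=openid+profile+launch+fhirUser&response_type=code&redirect_uri=https%3a%2f%2fapp.example.test%3a7093%2fsignin-oidc&state=s2&launch=61a3-short Protocol HTTP/1.1',
].join(' '); // joined with spaces: entries may arrive run together on one line

// One entry = nine "Key value" pairs; the Time value is the only one with a space.
const ENTRY = /Client (\S+) Time \[([^\]]+)\] Worker (\S+) TotalTime (\S+) Status (\d+) BytesOut (\S+) Method (\S+) Url (\S+) Protocol (\S+)/g;

// Shorten token-like values (JWTs, GUIDs) so they are not copied into tickets.
function redact(value) {
  if (value == null) return null;
  return value.length > 16 ? `${value.slice(0, 6)}...[${value.length} chars]` : value;
}

// Return one summary object per request to .../oauth2/authorize.
function authorizeRequests(logText) {
  const out = [];
  for (const m of logText.matchAll(ENTRY)) {
    const [, client, time, worker, , status, , method, url] = m;
    const q = url.indexOf('?');
    // A request without a query string is logged with a trailing "-".
    const path = q === -1 ? url.replace(/-$/, '') : url.slice(0, q);
    if (!path.endsWith('/oauth2/authorize')) continue;
    const params = new URLSearchParams(q === -1 ? '' : url.slice(q + 1));
    out.push({
      time, client, worker, method, status: Number(status),
      clientId: redact(params.get('client_id')),
      launch: redact(params.get('launch')),
      redirectUri: params.get('redirect_uri'),
      scopes: (params.get('scope') || '').split(/\s+/).filter(Boolean),
    });
  }
  return out;
}

// Name the fields in which two authorize requests differ.
function differingFields(a, b) {
  return ['clientId', 'launch', 'redirectUri', 'scopes', 'status']
    .filter((k) => JSON.stringify(a[k]) !== JSON.stringify(b[k]));
}

const requests = authorizeRequests(SAMPLE_LOG);
console.table(requests.map((r) => ({ ...r, scopes: r.scopes.join(' ') })));
console.log('differs in:', differingFields(requests[0], requests[1]).join(', '));
```

Grouping by redirect_uri shows which component issued each authorize request, since each caller registers its own callback address.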

Anurag-Asati commented 3 weeks ago

Hi @deepaktiwari29 @SChakravarthy-Athena While launching SMART app in EHR launch workflow, that is, launching SMART application from Visit module of CPS client application, I am using launch code and scopes - openid, profile, user/*.read, launch, fhirUser along with other necessary parameters to generate access token.

Questions - (1). I am assuming the launch code provides access for patient selected in CPS client application and hence the generated access token can be used to get details of selected patient. Please confirm if this is correct. (2). How to get patient ID of patient selected in CPS client application using the above access token?

Please let me know your inputs at the earliest?

Thanks, Anurag

deepaktiwari29 commented 3 weeks ago

@Anurag-Asati Yes that's correct. We use the launch code to get the context of patient as per launch-app-ehr-launch. Once your app is authorized, the token response will include the context data the app requested. In your case, the patient ID you are looking for will be present as part of the access-token response. Please refer to this for more details: launch-context-arrives-with-your-access_token
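The EHR launch steps discussed in this thread, as an added example that is not code from athenahealth or from any participant: read `iss` and `launch` from the launch URL, pass `launch` with the `launch` scope to the authorize endpoint, check `state` on the callback, and read `patient` from the token response. Hosts, client ID, tokens and the `ALLOWED_ISS` allow-list are constructed assumptions; the authorize endpoint is assumed to come from the server's `/.well-known/smart-configuration`.

```javascript
// Assumption: the FHIR base URLs this app is registered against. Rejecting any
// other iss keeps the app from sending an authorization request to an unknown server.
const ALLOWED_ISS = new Set(['https://ehr.example.test:9443/fhir/r4']);

// Step 1: the EHR opens <app>/launch?iss=<FHIR base>&launch=<opaque launch code>.
function parseEhrLaunch(launchUrl) {
  const p = new URL(launchUrl).searchParams;
  const iss = p.get('iss');
  const launch = p.get('launch');
  if (!iss || !launch) throw new Error('not an EHR launch: iss and launch are required');
  if (!ALLOWED_ISS.has(iss)) throw new Error(`untrusted iss: ${iss}`);
  return { iss, launch };
}

// Step 2: echo the launch code back in the authorize request. `state` must be
// generated per request with a CSPRNG and kept in the user's session.
function buildAuthorizeUrl({ authorizationEndpoint, clientId, redirectUri, scopes, iss, launch, state }) {
  if (!scopes.includes('launch')) throw new Error('EHR launch requires the "launch" scope');
  if (!state) throw new Error('state is required');
  const u = new URL(authorizationEndpoint);
  u.search = new URLSearchParams({
    response_type: 'code', client_id: clientId, redirect_uri: redirectUri,
    scope: scopes.join(' '), state, aud: iss, launch,
  }).toString();
  return u.toString();
}

// Step 3: the redirect back carries either code+state or error+error_description.
function readCallback(callbackUrl, expectedState) {
  const p = new URL(callbackUrl).searchParams;
  if (p.get('error')) throw new Error(`${p.get('error')}: ${p.get('error_description') || ''}`);
  if (p.get('state') !== expectedState) throw new Error('state mismatch');
  const code = p.get('code');
  if (!code) throw new Error('no authorization code in callback');
  return code;
}

// Step 4: the launch context arrives beside the access token, not inside it.
function patientFromTokenResponse(tokenResponse) {
  if (!tokenResponse || !tokenResponse.access_token) throw new Error('no access_token');
  if (typeof tokenResponse.patient !== 'string' || tokenResponse.patient === '') {
    throw new Error('no patient context in token response');
  }
  return tokenResponse.patient;
}

function demo() {
  const { iss, launch } = parseEhrLaunch(
    'https://app.example.test/launch?iss=https%3A%2F%2Fehr.example.test%3A9443%2Ffhir%2Fr4&launch=xyz123');
  const url = buildAuthorizeUrl({
    authorizationEndpoint: 'https://ehr.example.test:9443/oauth2/authorize',
    clientId: 'constructed-client-id', redirectUri: 'https://app.example.test/signin-oidc',
    scopes: ['openid', 'fhirUser', 'launch', 'patient/*.read'], iss, launch, state: 'constructed-state',
  });
  const code = readCallback('https://app.example.test/signin-oidc?code=abc&state=constructed-state', 'constructed-state');
  // Constructed token response; a real one comes from the token endpoint.
  const patient = patientFromTokenResponse({ access_token: 'constructed', token_type: 'Bearer', patient: '123' });
  return { url, code, patient };
}
console.log(demo());
```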