Stream: smart
Topic: Epic app registration
Josh Mandel (Jan 10 2022 at 21:54):
When registering a patient-facing app at fhir.epic.com it can be tricky to choose all (and only) the USCDI scopes, which is necessary to have your app registration broadcast to all participating providers.
I'm hoping Epic might add a feature to make this easier, because the cost of choosing incorrectly is high (if you discover you included too many scopes or too few after finalizing a registration, you need to re-start a new app registration from scratch and effectively throw out your old client). But in the meantime, here's a tip to help you select the right scopes:
- open the "Edit" page for your app, starting with no scopes selected
- open Chrome dev tools and run the following snippet, and
- click "Save" at the bottom of the form
Array.from(document.querySelectorAll("#WebServicesChosen option"))
  .filter(e => e.getAttribute("data-uscdi-readonly") == 'True')
  .forEach(e => e.setAttribute("selected", true))
Cooper Thompson (Jan 13 2022 at 20:01):
Yeah, I've found this annoying too (we have to create new clients any time we do a dry run for ONC certification). I really should have submitted an enhancement request for this a long time ago. Anyway, I just submitted one now, so we at least have the request on our backlog. No promises on if/when we'll be able to get it done (lots of other competing priorities...).
Cooper Thompson (Jan 13 2022 at 20:37):
And if you don't want all USCDI APIs, but just a subset, I crafted this snippet inspired by Josh's example that adds a USCDI tag to the web view so you can use the search box to narrow down to the USCDI APIs and pick the ones you want from there. No guarantees this will work forever. Disclaimer aside:
Array.from(document.querySelectorAll("#WebServicesChosen option"))
  .filter(e => e.getAttribute("data-uscdi-readonly") == 'True')
  .forEach(e => {
    var apiId = $(e).attr('value');
    var apiEntry = $('#availableWebServices a[id=' + apiId + ']');
    apiEntry.append(' (USCDI)');
    apiEntry.attr('filter-term', apiEntry.attr('filter-term') + ";USCDI");
  });
erwin foxtree (Feb 09 2022 at 20:13):
Josh Mandel said:
When registering a patient-facing app at fhir.epic.com it can be tricky to choose all (and only) the USCDI scopes, which is necessary to have your app registration broadcast to all participating providers.
I'm hoping Epic might add a feature to make this easier, because the cost of choosing incorrectly is high (if you discover you included too many scopes or too few after finalizing a registration, you need to re-start a new app registration from scratch and effectively throw out your old client). But in the meantime, here's a tip to help you select the right scopes:
- open the "Edit" page for your app, starting with no scopes selected
- open Chrome dev tools and run the following snippet, and
- click "Save" at the bottom of the form
Array.from(document.querySelectorAll("#WebServicesChosen option"))
  .filter(e => e.getAttribute("data-uscdi-readonly") == 'True')
  .forEach(e => e.setAttribute("selected", true))
@Josh Mandel -- would over-specifying scope cause OAuth to fail w/ production client ids?
Josh Mandel (Feb 09 2022 at 20:25):
This comment was about how to register a client to be associated with certain scopes. If you are asking about what happens at runtime if you request the scopes that you are not registered for... This is probably a question for the Epic team. Historically Epic ignored the list of scopes requested at runtime. I'm not sure if that's true today.
erwin foxtree (Feb 09 2022 at 20:33):
Oh, I'm wondering what happens if you over-specify non-uscdi scopes in a particular "https://fhir.epic.com/Developer/<whatever>" app configuration page -- could that cause authentication to fail ?
(to a real EHR, eg: https://fhir.mah.org/prd-fhir/api/FHIR/R4/) with what appears to be a valid production client id.
Josh Mandel (Feb 09 2022 at 20:34):
I guess it's a question for Epic, but I don't see why that would cause anything to fail if you are in fact registered for that scope and your client registration has been completed
Josh Mandel (Feb 09 2022 at 20:34):
In my experience, the failure mode with registering for too many scopes is that you cannot have your app's registration automatically propagated to Epic clients
erwin foxtree (Feb 09 2022 at 20:38):
Well, I've been trying to figure it out with them (on the open.epic free tier), and it's possible that "Automatic Client ID Distribution" is involved? (is this applicable to S4S?)
described here:
https://fhir.epic.com/Documentation?docId=patientfacingfhirapps
erwin foxtree (Feb 09 2022 at 20:42):
Were you able to get production client ids working w/ real Epic portals (eg: for a test or demo, possibly looking at your own data?)
erwin foxtree (Feb 09 2022 at 20:45):
(If we need to enable and configure auto-syncing, then what would the production client ID be for?)
I've registered another app, using the mechanism you described to add only uscdi scopes (and further limiting those to R4) -- wonder if that will make the production client id work.
erwin foxtree (Feb 09 2022 at 20:45):
Oh, BTW: the _non_-production client id for same app/s work with the free-tier Epic sandbox.
eg: https://fhir.epic.com/interconnect-fhir-oauth/api/FHIR/R4/
Michele Mottini (Feb 09 2022 at 21:12):
Were you able to get production client ids working w/ real Epic portals
Yes, that definitely works
Josh Mandel (Feb 09 2022 at 21:52):
Yes, for me too.
erwin foxtree (Feb 09 2022 at 22:22):
Oh, my, filtering and only adding uscdi scopes actually makes a difference, here:
Josh Mandel (Feb 09 2022 at 22:24):
Yeah, there's an indication at the bottom of your app details page showing you whether it is or isn't eligible for automated registration with all the sites. Pick too many scopes and the indication flips to no.
erwin foxtree (Feb 09 2022 at 22:24):
Yeah -- Only the ^last app configuration filters out non-USCDI -- and it has >0 -- Client ID Downloads: 422 -- Previously, I had been adding all R4 "Read" scopes.
erwin foxtree (Feb 09 2022 at 22:24):
this has been very helpful -- thanks a lot!
erwin foxtree (Feb 09 2022 at 22:25):
Oh, I see what you're talking about, here:
Josh Mandel (Feb 09 2022 at 22:25):
Yeah, if you scroll all the way up to the top of this thread, that was why I documented this technique
erwin foxtree (Feb 09 2022 at 22:25):
"will" is green -- for every other app, it's:
erwin foxtree (Feb 09 2022 at 22:29):
But, you're totally right: The selection of USCDI scopes should be automated and validated in that App configuration UI, somehow...
erwin foxtree (Feb 09 2022 at 22:31):
or maybe: the _non_-production client id should fail to work, if there were some sort of "USCDI" checkbox...
Cooper Thompson (Feb 09 2022 at 23:24):
I've commented in a few other spots, but we (Epic) upgraded our sandbox to a new version recently, and had a few hiccups. Those should be resolved now.
Last updated: Apr 12 2022 at 19:14 UTC