Stream: finnish PHR
Topic: Sandbox
Hannu Korhonen (Oct 09 2017 at 07:04):
Hi,
Why is http://fhirsandbox.kanta.fi empty and why does creating resources fail?
SOLVED - There was confusion about how the sandbox shows resources and the search function not returning CodeSystems like our own HAPI server.
Mika Tuomainen (Oct 09 2017 at 12:21):
@
Jukka Pirinen (Nov 01 2017 at 05:55):
Hi, is the authorization sandbox down or have there been some changes in accessing it? https://fhirsandbox2.kanta.fi/openid-connect-kela/registeruser returns ERR_CONNECTION_RESET (Chrome)
Eeva Turkka (Nov 06 2017 at 14:06):
The address has changed to https://fhirsandbox2-auth.kanta.fi/phr-authserver-sandbox/
This page has all the relevant addresses etc: http://www.kanta.fi/en/web/ammattilaisille/tarkeaa-tietoa-kehittajille
Hannu Korhonen (Nov 09 2017 at 07:53):
Warning!
Failed to load capability statement, error was: ca.uhn.fhir.rest.server.exceptions.InternalErrorException: HTTP 500 Internal Server Error
Problems in the sandbox environment?
Eeva Turkka (Nov 09 2017 at 09:37):
Not problems, but scheduled update to fix some findings from last week. Everything should be up and running right now!
The updates are announced here: http://www.kanta.fi/fi/web/ammattilaisille/omakannan-omatietovaranto
Timo Aaltonen (Nov 24 2017 at 09:59):
The server fhirsandbox2-auth.kanta.fi does not seem to return an OAuth refresh token. We are able to get only the access_token, whose TTL is one hour. Is this a bug or a feature?
Eeva Turkka (Nov 28 2017 at 09:45):
Might be due to your client configuration; if you PM me the client id we'll check it! Or if you want to reconfigure it yourself, check that it has the "offline_access" scope and that the "refresh tokens are granted" checkbox is set.
Edited to add: if it uses the professional grant type and not the authorization grant flow, then it is a feature and as it should be.
Mikael Rinnetmäki (Nov 29 2017 at 15:56):
@Eeva Turkka @Timo Aaltonen I just noticed the same. Before, I got the token with "openid" "profile" "offline_access" all set, and was able to refresh that token too. I then added some other scopes, and fetched a new token. Now the authorization process seems to ignore those scopes, and always returns a token without any of them.
Mikael Rinnetmäki (Nov 29 2017 at 15:57):
Also, I wasn't able to get StructureDefinition.read / StructureDefinition.write scopes for the app, although I did add them to the client definition in the auth server, and also to the auth request.
Eeva Turkka (Nov 29 2017 at 20:11):
Did you list all of the scopes together including the offline_access from before when you added more scopes? Our regression set keeps getting refreshed tokens so I need a bit more info to figure this one out :)
Mikael Rinnetmäki (Nov 29 2017 at 20:15):
Yes. Before the change the app was specified as having scopes "patient/MedicationAdministration.write patient/MedicationAdministration.read openid offline_access profile patient/Observation.read patient/Observation.write" and the auth request requested for "openid profile patient/Observation.read patient/Observation.write patient/MedicationAdministration.read patient/MedicationAdministration.write offline_access".
Mikael Rinnetmäki (Nov 29 2017 at 20:15):
It used to work, but does not anymore. Even with that same configuration, the authorization process only yields the limited scope to the token.
Eeva Turkka (Nov 29 2017 at 20:19):
We'll try to reproduce this and if we cannot we'll ask for more details! (@Matti Uusitalo pinging you in case I forget to mention this tomorrow morning)
Eeva Turkka (Nov 30 2017 at 07:28):
We've managed to reproduce this; it is caused by a bug that doesn't authorize citizen-clients to use those scopes (but if they were authorized, they remain so, so a new authorization request removes them). This is not intended and will be fixed in the next update!
Juha Leppänen (Dec 08 2017 at 08:12):
Have there been any changes in the authorization? It used to work in October when I last checked it. Now I am getting {"error":"unauthorized","error_description":"No AuthenticationProvider found for fi.kela.kanta.phr.auth.token.PhrOidAuthenticationToken"} when executing the 2nd phase, i.e. https://fhirsandbox2-auth.kanta.fi/phr-authserver-sandbox/token.
Mikael Rinnetmäki (Dec 08 2017 at 09:10):
I confirm this is now working, and I get 'openid', 'profile', and 'access_token' scopes as expected.
Mikael Rinnetmäki (Dec 08 2017 at 09:11):
I don't get scopes for reading and writing StructureDefinitions, though. So I assume I can't do that programmatically, rather I must use the user interface of the non-authenticating sandbox.
Mikael Rinnetmäki (Dec 08 2017 at 09:12):
(meant to say the issue with scopes is working, not to comment on PhrOidAuthenticationToken)
Eeva Turkka (Dec 11 2017 at 12:47):
This looks very much like an issue we need to check! I've asked our testing to check if they can reproduce this, but if not I'll ask for more details.
Last updated: Apr 12 2022 at 19:14 UTC