FHIR Chat · Server rejects Resource read without proper authorization · inferno

Stream: inferno

Topic: Server rejects Resource read without proper authorization


Vishak OS (Feb 25 2019 at 18:24):

Hi, I'm curious about the test steps that are performed by the Inferno test tool to reject any Resource read without proper authorization.
When I perform this test, I'm seeing a GET request to the Authorize Endpoint. I didn't understand the reason behind this request. Can someone please shed some light on this case?
Test Scenario:
Patient Resource:
Test Step: ARPA-01: Server rejects patient read without proper authorization
Result: HTTP Status Code 415.
URL Request: GET https://fhirServerURL/connect/authorize?client_id=XXXX and other parameters.

I was under the assumption that the test step would be to perform a GET request to the FHIR Patient Resource with an invalid bearer token, or with a wrong patient ID and the correct bearer token.
Sample Request:
1. GET https://fhirServerURL/fhir/Patient/patientID with an invalid bearer token.
2. GET https://fhirServerURL/fhir/Patient/WrongPatientID with a valid bearer token.

Robert Scanlon (Feb 25 2019 at 19:22):

I'm having trouble recreating your issue -- it appears to be working fine (the way you were expecting) for the servers that I have tested. Are you doing this on inferno.healthit.gov? If so, are you comfortable sending me the full Inferno testing URI so I can take a look at the state (e.g. https://inferno.heathit.gov/inferno/XYZ/developer) via email: rscanlon@mitre.org? If not, we can troubleshoot here.

Vishak OS (Feb 25 2019 at 19:34):

Thanks for the prompt reply.
Yes, I'm performing the test on inferno.healthit.gov.
I can send the full Inferno testing URI via email.

Robert Scanlon (Feb 25 2019 at 21:37):

Thanks! I think we tracked it down & responded to your email. If our theory is right I'll document here.

Vishak OS (Feb 26 2019 at 16:45):

Thanks! We were able to track it down. There was a 401 Unauthorized to 302 redirect happening in our server.
I was able to rectify the issue in our server and get a green check for the test step.

Vishak OS (Feb 26 2019 at 16:56):

Hi,
Just for reference,
The result of the Authorization Test:
1. I could find that the Inferno test tool was automatically testing for a request with no Authorization header.
2. The test for a wrong patient ID is currently performed by manually substituting a different patient ID.
3. The case of an invalid token with a valid patient ID is performed by manually tweaking the bearer token.


Last updated: Apr 12 2022 at 19:14 UTC