Stream: CARIN IG for Blue Button®
Topic: 11/18-19 CARIN Connectathon - Aetna server
Michele Mottini (Nov 18 2020 at 14:45):
@Joel Hansen (Aetna) I registered on your developer portal, but I cannot figure out what the FHIR end point is, can you help?
Kate Skrocki (Nov 18 2020 at 15:42):
@Joel Hansen (Aetna) OneRecord registered our application but we are getting an error when calling the authorize endpoint. The error is: Missing aud or invalid value passed in Request
We are passing aud=https://vteapif1.aetna.com/fhirdemo/v1/patientaccess. Is there a different value we need to pass? Thanks!
Michele Mottini (Nov 18 2020 at 15:44):
OK, now I know the end point!
Bea Thompson (Nov 18 2020 at 16:36):
great!
Bea Thompson (Nov 18 2020 at 16:39):
Kate Skrocki said:
Joel Hansen (Aetna) OneRecord registered our application but we are getting an error when calling the authorize endpoint. The error is: Missing aud or invalid value passed in Request
We are passing aud=https://vteapif1.aetna.com/fhirdemo/v1/patientaccess. Is there a different value we need to pass? Thanks!
Kate - looking into your access, I sent Jennifer an email yesterday - did you guys create an application on the dev portal and subscribe to the API? If so I need to get you approved. Tx! Bea
Michele Mottini (Nov 18 2020 at 16:42):
I cannot connect because the CapabilityStatement does not contain the SMART OAuth2 URLs
Kate Skrocki (Nov 18 2020 at 16:48):
Hi Bea. Yes, Jennifer created an application yesterday. Thank you!
Bea Thompson (Nov 18 2020 at 16:48):
OK will reach out to our folks, will get back to you
Michele Mottini (Nov 18 2020 at 16:55):
I hard-coded the OAuth2 URLs to get around the problem but now I get:
<status>
    <statusCode>400</statusCode>
    <detail>Bad Request</detail>
    <severity>E</severity>
    <additionalStatus>
        <statusCode>400</statusCode>
        <serviceName>v1fhirserverauthoauth2authorization</serviceName>
        <detail>Missing code_challenge in Request</detail>
        <severity>E</severity>
        <loginAttempts>No Login Attempts made</loginAttempts>
    </additionalStatus>
</status>
from the authorization page at https://vteapif1.aetna.com/fhirdemo/v1/fhirserver_auth/oauth2/authorize. Is it expecting PKCE?
Bea Thompson (Nov 18 2020 at 16:58):
Kate - you guys haven't subscribed to the API - go into Your applications, under your app click API's you should see a subscribe now button pop up to the left in the purple bar. Once you subscribe I can approve it. Thanks! Bea
Janice Hsieh (Nov 18 2020 at 17:01):
Michele - did you use the test members on our developer portal site to login?
Michele Mottini (Nov 18 2020 at 17:01):
I cannot get to the login form - I get the error I posted above
Janice Hsieh (Nov 18 2020 at 17:02):
PKCE is required for members accessing the smart app through user token
Kate Skrocki (Nov 18 2020 at 17:04):
@Bea Thompson We are now subscribed. Please let me know when we are approved. Thank you!
Bea Thompson (Nov 18 2020 at 17:05):
Great - will ask developers now
Michele Mottini (Nov 18 2020 at 17:07):
PKCE is required for members accessing the smart app through user token
That is not compliant with SMART auth
Bea Thompson (Nov 18 2020 at 17:07):
@Kate Skrocki You should be good to go!
Kate Skrocki (Nov 18 2020 at 17:08):
Thanks @Bea Thompson will try again.
Janice Hsieh (Nov 18 2020 at 17:30):
@Michele Mottini our understanding is that provider can impose PKCE as additional security and it's recommended by our security team. Can you point out the SMART auth spec that says PKCE is not compliant?
Michele Mottini (Nov 18 2020 at 17:33):
It is never even mentioned in the SMART specs - so you cannot impose it @Josh Mandel
James Kizer (Nov 18 2020 at 17:34):
Is there any update on the CapabilityStatement not containing the OAuth 2 urls? CommonHealth uses the CapabilityStatement for authorization / token endpoint discovery and we're blocked without them
Ryan Howells (Nov 18 2020 at 17:40):
@Janice Hsieh Yea, @Michele Mottini is correct. The SMART auth spec is required under the CMS rule. Here's the relevant section and link to the rule. https://www.govinfo.gov/content/pkg/FR-2020-05-01/pdf/2020-05050.pdf We are all learning as we go!
C. Application Programming Interface (API) Standard
In section III.C.2.b. of the CMS Interoperability and Patient Access proposed rule, we proposed to require compliance with the API technical standard proposed by ONC for HHS adoption at 45 CFR 170.215 as finalized (84 FR 7589). By requiring compliance with 45 CFR 170.215, we proposed to require use of the foundational Health Level 7® (HL7) Fast Healthcare Interoperability Resources® (FHIR) standard, several implementation specifications specific to FHIR, and complementary security and app registration protocols, specifically the Substitutable Medical Applications, Reusable Technologies (SMART) Application Launch Implementation Guide (IG) 1.0.0 (including mandatory support for "refresh tokens," "Standalone Launch," and "EHR Launch" requirements), which is a profile of the OAuth 2.0 specification, as well as the OpenID Connect Core 1.0 standard, incorporating errata set 1.
Barbara Valeno (Nov 18 2020 at 17:43):
Hi Ryan/Michele, yes we do realize SMART is required & are complying.... however, we understood that we could add on top of SMART, as long as it didn't conflict
Michele Mottini (Nov 18 2020 at 17:44):
You can add PKCE but you cannot _require_ it
Kate Skrocki (Nov 18 2020 at 17:57):
@Bea Thompson We are still getting a "Missing aud or invalid value passed in Request" error when attempting to call authorize. We are passing aud as aud=https://vteapif1.aetna.com/fhirdemo/v1/patientaccess. Thanks.
Barbara Valeno (Nov 18 2020 at 18:02):
@Michele Mottini our security team is requiring PKCE for public endpoint... & it appears at least one other payer is doing the same
Janice Hsieh (Nov 18 2020 at 18:09):
Kate - Please use aud=https://vteapif1.aetna.com/fhirdemo
Kate Skrocki (Nov 18 2020 at 18:13):
Thank you @Janice Hsieh. That worked.
Janice Hsieh (Nov 18 2020 at 18:41):
James, we are working on updating the capability statement.
James Kizer (Nov 18 2020 at 18:48):
Janice Hsieh said:
James, we are working on updating the capability statement.
Thanks @Janice Hsieh
Janice Hsieh (Nov 18 2020 at 18:57):
Kate Skrocki said:
Thank you Janice Hsieh. That worked.
@Kate Skrocki are you able to connect to our patient API?
Kate Skrocki (Nov 18 2020 at 19:29):
@Janice Hsieh We are getting an invalid_grant error when attempting to retrieve a token.
Barbara Valeno (Nov 18 2020 at 19:39):
@Kate Skrocki are you able to join the zoom Aetna breakout? maybe we can talk through & help resolve there
Kate Skrocki (Nov 18 2020 at 20:02):
@Barbara Valeno I was able to load the Patient resource. Thanks again!
Barbara Valeno (Nov 18 2020 at 20:06):
@Kate Skrocki great! any chance you can send me a screen shot showing the patient data?
Kate Skrocki (Nov 18 2020 at 20:07):
@Barbara Valeno It's just in Postman right now, I will get it configured in our app and retest. Thanks.
Janice Hsieh (Nov 18 2020 at 20:36):
@James Kizer can you join the breakout session to see if we can work around the capability statement?
Barbara Valeno (Nov 18 2020 at 20:55):
@Kate Skrocki Hi Kate - would you be able to demo your testing with us at tomorrow's "demo" session?
Kate Skrocki (Nov 18 2020 at 21:05):
@Barbara Valeno we have a bit more config and testing to do to call it from our app. Let me confirm that we can get that all working and get back to you. Thanks.
Barbara Valeno (Nov 18 2020 at 21:36):
@Kate Skrocki sounds good - thank you
Last updated: Apr 12 2022 at 19:14 UTC