Setup OAuth2 Client for iris-http-calls to Epic on FHIR
I have started working on utilizing Epic on FHIR about a month ago. Creating a Public Private Key Pair mkdir /home/ec2-user/path_to_key openssl genrsa -out ./path_to_key/privatekey.pem 2048 For backend apps, you can export the public key to a base64 encoded X.509 certificate named publickey509.pem using this command... openssl req -new -x509 -key ./path_to_key/privatekey.pem -out ./path_to_key/publickey509.pem -subj '/CN=medbank' where '/CN=medbank' is the subject name (for example the app name) the key pair is for. The subject name does not have a functional impact in this case but it is required for creating an X.509 certificate. Epic on FHIR is a free resource for developers who create apps I registered my app “medbank” so that I could obtain a Client ID I cut out Client IDs and edited Non-Production JWK Set URL to protect the real IP address. Epic's documentation stated, your application makes a HTTP POST request to the authorization server's OAuth 2.0 token endpoint to obtain access token. I tried to write code, but I never succeeded in obtaining an access token. I called InterSystems WRC for help. We set up an OAuth2 client using the "JWT Authorization" grant type and "private key JWT" for authentication. We then tried running this on the terminal using IsAuthorized() and GetAccessTokenJWT(), but it responded saying "invalid client ID". A couple days later, we saw that the grant_type was actually supposed to be client_credentials, so we switched to using that by switching from GetAccessTokenJWT() to GetAccessTokenClient() and that made it work. I want to implement Epic on FHIR as a use case for iris-http-calls I used Docker to deploy iris-http-calls in AWS. sudo docker build --no-cache --progress=plain . -t oliverwilms/iris-http-calls 2>&1 | tee build.log sudo docker run -d -p57700:52773 oliverwilms/iris-http-calls I copied private and public key files with read access for IRIS chmod 644 privatekey.pem sudo docker cp ./privatekey.pem container_name:/home/irisowner/dev/ sudo docker cp ./publickey509.pem container_name:/home/irisowner/dev/ chmod 600 privatekey.pem I created X509 credentials in IRIS Set oX509Credentials = ##class(%SYS.X509Credentials).%New() Set oX509Credentials.Alias = "medbank" Set tSC = oX509Credentials.LoadCertificate("/home/irisowner/dev/publickey509.pem") Do $System.Status.DisplayError(tSC) Set tSC = oX509Credentials.LoadPrivateKey("/home/irisowner/dev/privatekey.pem") Do $System.Status.DisplayError(tSC) Set tSC = oX509Credentials.%Save() Do $System.Status.DisplayError(tSC) Set up an OAuth2 Client http://localhost:57700/csp/sys/sec/%25CSP.UI.Portal.OAuth2.Client.ServerList.zen Click on Create Server Description Create Server Description Fill in Issuer Endpoint, choose SSL/TLS Configuration and click on Discover and Save https://fhir.epic.com/interconnect-fhir-oauth/oauth2 I clicked Cancel and returned to http://localhost:57700/csp/sys/sec/%25CSP.UI.Portal.OAuth2.Client.ServerList.zen Click on Client Configurations link. Create Client Configuration Click on Create Client Configuration Under General Tab, fill in Application Name: medbank Choose Client Type Confidential Choose SSL Configuration Under Client redirect URL, fill in Host name localhost Port 57700 Uncheck Use TLS/SSL checkbox Under Required grant types, check Client credentials Under Authentication type, choose private key JWT Under Authentication signing algorithm, choose RS384 Fill in Audience https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token Under JWT Settings tab, check Create JWT Settings from X509 credentials checkbox. Choose your credentials from the dropdown. In the Signing column of the Access token algorithms row, choose RS384. Under Client Credentials tab, I pasted the Non-Production Client ID I had received from Epic on FHIR. Client secret is required. I filled it in as x. Important: Do not forget to click Save
I have started working on utilizing Epic on FHIR about a month ago.
Creating a Public Private Key Pair
mkdir /home/ec2-user/path_to_key
openssl genrsa -out ./path_to_key/privatekey.pem 2048
For backend apps, you can export the public key to a base64 encoded X.509 certificate named publickey509.pem using this command...
openssl req -new -x509 -key ./path_to_key/privatekey.pem -out ./path_to_key/publickey509.pem -subj '/CN=medbank'
where '/CN=medbank' is the subject name (for example the app name) the key pair is for. The subject name does not have a functional impact in this case but it is required for creating an X.509 certificate.
Epic on FHIR is a free resource for developers who create apps
I registered my app “medbank” so that I could obtain a Client ID
I cut out Client IDs and edited Non-Production JWK Set URL to protect the real IP address.
Epic's documentation stated, your application makes a HTTP POST request to the authorization server's OAuth 2.0 token endpoint to obtain access token. I tried to write code, but I never succeeded in obtaining an access token.
I called InterSystems WRC for help.
We set up an OAuth2 client using the "JWT Authorization" grant type and "private key JWT" for authentication.
We then tried running this on the terminal using IsAuthorized() and GetAccessTokenJWT(), but it responded saying "invalid client ID".
A couple days later, we saw that the grant_type was actually supposed to be client_credentials, so we switched to using that by switching from GetAccessTokenJWT() to GetAccessTokenClient() and that made it work.
I want to implement Epic on FHIR as a use case for iris-http-calls
I used Docker to deploy iris-http-calls in AWS.
sudo docker build --no-cache --progress=plain . -t oliverwilms/iris-http-calls 2>&1 | tee build.log
sudo docker run -d -p57700:52773 oliverwilms/iris-http-calls
I copied private and public key files with read access for IRIS
chmod 644 privatekey.pem
sudo docker cp ./privatekey.pem container_name:/home/irisowner/dev/
sudo docker cp ./publickey509.pem container_name:/home/irisowner/dev/
chmod 600 privatekey.pem
I created X509 credentials in IRIS
Set oX509Credentials = ##class(%SYS.X509Credentials).%New()
Set oX509Credentials.Alias = "medbank"
Set tSC = oX509Credentials.LoadCertificate("/home/irisowner/dev/publickey509.pem")
Do $System.Status.DisplayError(tSC)
Set tSC = oX509Credentials.LoadPrivateKey("/home/irisowner/dev/privatekey.pem")
Do $System.Status.DisplayError(tSC)
Set tSC = oX509Credentials.%Save()
Do $System.Status.DisplayError(tSC)
Set up an OAuth2 Client
http://localhost:57700/csp/sys/sec/%25CSP.UI.Portal.OAuth2.Client.ServerList.zen
Click on Create Server Description
Create Server Description
Fill in Issuer Endpoint, choose SSL/TLS Configuration and click on Discover and Save
https://fhir.epic.com/interconnect-fhir-oauth/oauth2
I clicked Cancel and returned to
http://localhost:57700/csp/sys/sec/%25CSP.UI.Portal.OAuth2.Client.ServerList.zen
Click on Client Configurations link.
Create Client Configuration
Click on Create Client Configuration
Under General Tab, fill in Application Name:
medbank
Choose Client Type Confidential
Choose SSL Configuration
Under Client redirect URL, fill in Host name
localhost
Port
57700
Uncheck Use TLS/SSL checkbox
Under Required grant types, check Client credentials
Under Authentication type, choose private key JWT
Under Authentication signing algorithm, choose RS384
Fill in Audience
https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token
Under JWT Settings tab, check Create JWT Settings from X509 credentials checkbox. Choose your credentials from the dropdown. In the Signing column of the Access token algorithms row, choose RS384.
Under Client Credentials tab, I pasted the Non-Production Client ID I had received from Epic on FHIR. Client secret is required. I filled it in as x.
Important: Do not forget to click Save
