
I've used SMART on FHIR to successfully pull test patient data from Epic's sandbox for a patient-facing app (it's a standalone launch). I'm trying now to pull real patient data from a health system but I keep getting the error when trying to authorize my app: "OAuth2 Error. Something went wrong trying to authorize the client. Please try logging in again."

When I was testing with sandbox data, I used this code as reference and then modified it to work for React. This is code I used to authorize my app:

function pullEpicData() {
    FHIR.oauth2.authorize({
        // Non-Prod Client ID given by Epic (placeholder as in the original post)
        'client_id': '<Non-Prod Client ID given by Epic>',
        'scope': 'PATIENT.READ, PATIENT.SEARCH',
        // the app's registered redirect URL (placeholder as in the original post)
        'redirect_uri': '<my website>',
        // Epic sandbox FHIR R4 base URL; fhirclient discovers the authorize/token endpoints from it
        'iss': 'https://fhir.epic.com/interconnect-fhir-oauth/api/FHIR/R4/'
    });
}

This worked fine.

When I switched to prod mode, I used the following code to try to authorize my app:

function pullEpicData() {
    FHIR.oauth2.authorize({
        // Prod Client ID given by Epic (placeholder as in the original post)
        'client_id': '<Prod Client ID given by Epic>',
        'scope': 'PATIENT.READ, PATIENT.SEARCH',
        // the app's registered redirect URL (placeholder as in the original post)
        'redirect_uri': '<my website>',
        // production FHIR R4 base URL of the health system being connected to
        'iss': 'https://sfd.stanfordmed.org/FHIR/api/FHIR/R4/'
    });
}

However, this authorization keeps failing.

I didn't make any other changes to my code. Is there anything else I should be doing when switching from sandbox to prod to make the authorization work properly? I'm not using refresh tokens at the moment. Thanks!

mj23
  • Have you tried reaching out to open@epic.com? – Lloyd McKenzie Jan 09 '22 at 18:12
  • Yes, I have tried that. – mj23 Jan 09 '22 at 19:01
  • Additional details would be helpful to be able to suggest a possible cause and solution. Is this a patient-facing or provider-facing app? If the latter, has Stanford the client IDs? Are you making a POST or GET call to the authorization endpoint? – Ashavan Jan 09 '22 at 22:03
  • @ExceptionAl edited! It's a patient-facing app! Thus, to my understanding, I don't need client IDs or authorization from Stanford to pull patient data. I don't think I'm doing either a POST or GET call? When the patient presses a certain button, I call a function called pullEpicData() which contains just the code written above. – mj23 Jan 10 '22 at 06:43
  • Client IDs (if they qualify for auto-sync) take up to 12 hours to sync to customer sites once you lock for PRD. Did you still see issues after 12 hours? Also, in your client registration, do you see that it was marked for "auto sync"? – Cooper Jan 10 '22 at 15:51
  • It wasn't being marked for auto-sync!! Hopefully, that's the issue. Thank you so much @Cooper! – mj23 Jan 10 '22 at 21:51
  • Cool. I added this same info as an answer so it is more visible. – Cooper Jan 11 '22 at 15:07
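Before FHIR.oauth2.authorize() redirects the browser, the configuration above can be checked against the server's SMART discovery document (served at `<iss>/.well-known/smart-configuration`), which is a cheap way to catch a placeholder client_id, a non-HTTPS redirect_uri, a malformed scope string, or scopes the endpoint does not advertise when moving from the sandbox iss to a production one. The following is an added example, not code from the question, from Epic or from fhirclient; the discovery document is a constructed sample, and the scope check assumes the server publishes scopes_supported.

```javascript
// Added example: offline preflight of a standalone-launch config against a SMART
// discovery document. In a real app the document would be fetched from
// `${iss}/.well-known/smart-configuration`; here a constructed sample is embedded.
const SAMPLE_SMART_CONFIG = {
  authorization_endpoint: "https://example-ehr.invalid/oauth2/authorize",
  token_endpoint: "https://example-ehr.invalid/oauth2/token",
  scopes_supported: ["openid", "fhirUser", "patient/Patient.read", "patient/Observation.read"],
  capabilities: ["launch-standalone", "client-public"],
};

// OAuth 2.0 scope values are space-delimited (RFC 6749 section 3.3); a comma-separated
// list would be sent as one malformed scope, so commas and repeated whitespace are normalised.
function normalizeScope(scope) {
  return scope.split(/[\s,]+/).filter(Boolean).join(" ");
}

// Returns { ok, problems, scope } without touching the network, so the findings can be
// shown to the developer or logged before the redirect to the authorization server.
function preflightAuthorize(config, smartConfig) {
  const problems = [];
  const scope = normalizeScope(config.scope || "");
  if (!/^https:\/\//.test(config.redirect_uri || ""))
    problems.push("redirect_uri must be an https URL that exactly matches the registered value");
  if (!config.client_id || /[{}<>]/.test(config.client_id))
    problems.push("client_id is missing or still contains a placeholder");
  for (const key of ["authorization_endpoint", "token_endpoint"])
    if (!smartConfig[key]) problems.push(`discovery document lacks ${key}`);
  if (!(smartConfig.capabilities || []).includes("launch-standalone"))
    problems.push("server does not advertise launch-standalone");
  if (Array.isArray(smartConfig.scopes_supported)) {
    const unsupported = scope.split(" ").filter((s) => !smartConfig.scopes_supported.includes(s));
    if (unsupported.length) problems.push(`scopes not advertised by server: ${unsupported.join(", ")}`);
  }
  return { ok: problems.length === 0, problems, scope };
}

// Usage with a config shaped like the one in the question (constructed values).
const report = preflightAuthorize(
  { client_id: "<Prod Client ID given by Epic>", scope: "PATIENT.READ, PATIENT.SEARCH", redirect_uri: "https://app.example/callback" },
  SAMPLE_SMART_CONFIG,
);
console.log(report.ok ? "config looks consistent" : report.problems.join("\n"));
```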

1 Answer


There are two very common causes of this issue:

  1. Your client ID does not qualify for auto-sync.
  2. You didn't wait the ~12 hours for your client ID to sync.

For auto-sync, when you register a client ID, the APIs you select may disqualify you for auto-sync. If you don't qualify for auto-sync, then the healthcare organization you want to connect to must explicitly approve your app before it can be used to connect to their endpoints. There is an indicator near the bottom of the client registration form that indicates if you qualify for auto-sync or not.

Regardless of whether your app qualifies for auto-sync, or was explicitly approved by a health system, any changes to a client can take up to ~12 hours to sync (there is a job that runs every ~12 hours that downloads updates).

Other common OAuth2 connection issues are documented in our Troubleshooting Guide (requires login, but you can signup for an account for free).

Cooper
  • Update: My client ID says that it will auto-sync and I've waited for almost 24 hours now but I'm still getting the same OAuth2 error :( – mj23 Jan 11 '22 at 18:27
  • I think I'm not setting a proper "aud" parameter but not sure what I'm supposed to set as a parameter and where. – mj23 Jan 11 '22 at 18:37
  • Hmm... for specific troubleshooting like that, I think I want to bump you over to our official support channel (open@epic.com). I want to get generic stuff on SO so folks can find it, but specific issues are best handled via open@epic.com. – Cooper Jan 12 '22 at 16:09
  • Update: it's working now! For some reason, Epic was still not a fan of which APIs I was asking permission to use (even though it would say that the client IDs would be automatically downloaded to customer systems). When I reduced which APIs I was asking permission for, it started working! – mj23 Jan 13 '22 at 17:43