InterSystems Developer for InterSystems

Posted on DEV Community • Originally published at community.intersystems.com
Setup OAuth2 Client for iris-http-calls to Epic on FHIR

I started working with Epic on FHIR about a month ago.

Creating a Public Private Key Pair

# run from /home/ec2-user so that ./path_to_key resolves to the directory just created
mkdir -p /home/ec2-user/path_to_key
openssl genrsa -out ./path_to_key/privatekey.pem 2048

For backend apps, you can export the public key to a base64 encoded X.509 certificate named publickey509.pem using this command...

openssl req -new -x509 -key ./path_to_key/privatekey.pem -out ./path_to_key/publickey509.pem -subj '/CN=medbank'

where '/CN=medbank' is the subject name (for example the app name) the key pair is for. The subject name does not have a functional impact in this case but it is required for creating an X.509 certificate.

Epic on FHIR is a free resource for developers who create apps

I registered my app “medbank” so that I could obtain a Client ID.

Image description
I cut out the Client IDs and edited the Non-Production JWK Set URL to protect the real IP address.

Image description

Epic's documentation states that your application makes an HTTP POST request to the authorization server's OAuth 2.0 token endpoint to obtain an access token. I tried to write the code myself, but I never succeeded in obtaining an access token.

I called InterSystems WRC for help.

We set up an OAuth2 client using the "JWT Authorization" grant type and "private key JWT" for authentication.

We then tried running this on the terminal using IsAuthorized() and GetAccessTokenJWT(), but it responded saying "invalid client ID".

A couple of days later, we saw that the grant_type was actually supposed to be client_credentials, so we switched to that by calling GetAccessTokenClient() instead of GetAccessTokenJWT(), and that made it work.

I want to implement Epic on FHIR as a use case for iris-http-calls

I used Docker to deploy iris-http-calls in AWS.

sudo docker build --no-cache --progress=plain . -t oliverwilms/iris-http-calls 2>&1 | tee build.log
sudo docker run -d -p57700:52773 oliverwilms/iris-http-calls

I copied private and public key files with read access for IRIS

# make the key readable so the copy inside the container is readable by IRIS
chmod 644 privatekey.pem
sudo docker cp ./privatekey.pem container_name:/home/irisowner/dev/
sudo docker cp ./publickey509.pem container_name:/home/irisowner/dev/
# restore owner-only permissions on the host copy of the private key
chmod 600 privatekey.pem

I created X509 credentials in IRIS

Set oX509Credentials = ##class(%SYS.X509Credentials).%New()
Set oX509Credentials.Alias = "medbank"
Set tSC = oX509Credentials.LoadCertificate("/home/irisowner/dev/publickey509.pem")
Do $System.Status.DisplayError(tSC)
Set tSC = oX509Credentials.LoadPrivateKey("/home/irisowner/dev/privatekey.pem")
Do $System.Status.DisplayError(tSC)
Set tSC = oX509Credentials.%Save()
Do $System.Status.DisplayError(tSC)

Set up an OAuth2 Client

http://localhost:57700/csp/sys/sec/%25CSP.UI.Portal.OAuth2.Client.ServerList.zen

Image description

Click on Create Server Description

Create Server Description

Image description
Fill in Issuer Endpoint, choose SSL/TLS Configuration and click on Discover and Save.

https://fhir.epic.com/interconnect-fhir-oauth/oauth2

Image description

I clicked Cancel and returned to

http://localhost:57700/csp/sys/sec/%25CSP.UI.Portal.OAuth2.Client.ServerList.zen

Image description

Click on Client Configurations link.

Create Client Configuration

Image description

Click on Create Client Configuration

Image description

Under General Tab, fill in Application Name:

medbank

Choose Client Type Confidential

Choose SSL Configuration

Under Client redirect URL, fill in Host name

localhost

Port

57700

Uncheck Use TLS/SSL checkbox

Under Required grant types, check Client credentials

Under Authentication type, choose private key JWT

Under Authentication signing algorithm, choose RS384

Fill in Audience

https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token

Image description

Under JWT Settings tab, check Create JWT Settings from X509 credentials checkbox. Choose your credentials from the dropdown. In the Signing column of the Access token algorithms row, choose RS384.

Image description

Under Client Credentials tab, I pasted the Non-Production Client ID I had received from Epic on FHIR. Client secret is required. I filled it in as x.

Image description

Important: Do not forget to click Save.
