[Bug]: eclinicalworks/healow connection returns 403 on attempt to connect

[babbitt]

What happened?

When attempting to connect to a eclinicalworks/healow connection the link leads to a 403 response.

Tested on multiple eclinicalworks/healow providers.

Flavor

Docker

Version

main#f21ff8b

Relevant log output

Response from ec/healow server: 

{"error_description":"invalid_request","error":"403","error_uri":"http:https://www.hl7.org/fhir/smart-app-launch/"}

(Items replaced within [] are redacted for privacy)
URL: https://oauthserver.eclinicalworks.com/oauth/oauth2/authorize?redirect_uri=https%3A%2F%2Flighthouse.fastenhealth.com%2Fv1%2Fcallback%2Feclinicalworks&response_type=code&response_mode=query&state=[state]&client_id=[id]&scope=openid+fhirUser+offline_access+patient%2FPatient.read+patient%2FAllergyIntolerance.read+patient%2FAllergyIntolerance.search+patient%2FCarePlan.read+patient%2FCarePlan.search+patient%2FCareTeam.search+patient%2FCondition.read+patient%2FCondition.search+patient%2FDevice.read+patient%2FDevice.search+patient%2FDiagnosticReport.read+patient%2FDiagnosticReport.search+patient%2FDocumentReference.read+patient%2FDocumentReference.search+patient%2FBinary.read+patient%2FEncounter.read+patient%2FEncounter.search+patient%2FGoal.read+patient%2FGoal.search+patient%2FImmunization.read+patient%2FImmunization.search+patient%2FMedicationAdministration.read+patient%2FMedicationAdministration.search+patient%2FMedicationRequest.read+patient%2FMedicationRequest.search+patient%2FObservation.read+patient%2FObservation.search+patient%2FOrganization.read+patient%2FOrganization.search+patient%2FPatient.read+patient%2FPatient.search+patient%2FPractitioner.read+patient%2FPractitioner.search+patient%2FProcedure.read+patient%2FProcedure.search+patient%2FProvenance.read+patient%2FCareTeam.read+patient%2FMedication.read+patient%2FLocation.read+patient%2FPractitionerRole.read+patient%2FPractitionerRole.search&aud=https%3A%2F%2Ffhir4.healow.com%2Ffhir%2Fr4%2FHDFCBA%2F&code_challenge=[code]&code_challenge_method=S256

[AnalogJ]

confirmed, I'm seeing that with the Sandbox eClinicalWorks endpoint as well. Let me see whats going on

[AnalogJ]

Here's a working authorization url --- you have to copy the link, and paste it in the browser, healow doesn't like the Github Referral header.

https://oauthserver.eclinicalworks.com/oauth/oauth2/authorize?
redirect_uri=https%3A%2F%2Flighthouse.fastenhealth.com%2Fv1%2Fcallback%2Feclinicalworks
&response_type=code
&response_mode=query
&state=12345
&client_id=pOMgANKOG37yqQXUqRx8q8K-EmYvqsifZbDUhttb8bc
&scope=openid+fhirUser+offline_access+patient%2FPatient.read
&aud=https%3A%2F%2Ffhir4.healow.com%2Ffhir%2Fr4%2FHDFCBA
&code_challenge=XXXXXXX&code_challenge_method=S256

The change I made was to strip out the trailing / character (which was url encoded as %2F) from the aud query string parameter

When I migrated to my new catalog structure, I must have inadvertently broken this provider. I'll make this fix and release a new version of Fasten soon.

[AnalogJ]

hey @babbitt this should be fixed now, though I need to make a change on the fasten-onprem side as well for consistency.

I'll update you (and close this issue) once that pr is merged.

Thanks for bringing this to my attention!

[babbitt]

Confirmed working now. Many thanks! Seems like a great project!
(Leaving this open in case you wanted to use it as a reminder re PR)

[AnalogJ]

thanks! I've merged the fix to fasten-onprem as well :)