Investigate this issue:
I have registered an app in a sandbox to be able to launch it outside of EHR but authorise a user on some action (and select a patient on launch). I set the scope to "patient/*.read launch/patient" in app config.
When I call the https://auth.logicahealth.org/authorize endpoint with scope "launch/patient patient/*.read" - it returns an error:
error=invalid_scope&error_description=Invalid scope; requested:[patient/.read, launch]&state=44ca770d-260f-4e0f-b47d-643c5422d00b&scope=patient/.read launch/patient.
Please notice that I set "patient/.read launch/patient" in both app config and authorization endpoint call, but it says requested:[patient/.read, launch]. When I add "launch" scope to app config - everything starts working.
I'm just wondering - is adding a launch scope mandatory if I'm not going to launch an app from EHR?
I could not recreate the error that he is seeing. I did try and change the url in the authorize screen to say patient/.read. Then I got the following error.
https://bilirubin-risk-chart.logicahealth.org/app.html?error=invalid_scope&error_description=Invalid scope; requested:[patient/.read, launch]&state=3e330410-890b-9352-284a-fa81b432636c&scope=patient/Patient.read patient/*.read openid profile patient/Observation.read user/*.read launch patient/*.write fhirUser patient/Observation.write
It does not look like patient/.read is valid and it should be patient/*.read. Asked Yuriy what exactly he is sending in.
He says: I launch it outside of EHR, not from a sandbox. I have some button on UI which redirects me to /authorize endpoint.
I asked him: Are you maybe sending in patient/.read instead of patient/*.read?
Response from Yuriy:
No, I copied scope values from app config. I will check again soon, will try to provide a test app to reproduce the issue.
Is it related to this issue?
Yes, seems to be related.
Travis says that for embedded launch, we should send launch instead of launch/patient. Yuriy is doing a standalone launch and should not have to send launch. However, Travis says that our implementation may not be correct for all scenarios.
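
Added example, not part of the original ticket or of the sandbox code: a Python diagnostic that compares the scopes a client sent with the list the server echoes back in `error_description`, and flags a launch scope that does not match the launch flow described above. The function names and the redirect host are hypothetical, and the `requested:[...]` layout is assumed from the error strings quoted in this thread.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed layout, taken from the error strings quoted in this thread:
#   error_description=Invalid scope; requested:[a, b]
REQUESTED_RE = re.compile(r"requested:\[(.*?)\]")


def diagnose_invalid_scope(redirect_url, sent_scopes):
    """Compare scopes the client sent with those the server says it received.

    Returns None when the redirect is not an invalid_scope error, otherwise a
    dict listing the scopes that differ between the two sides.
    """
    query = parse_qs(urlsplit(redirect_url).query)
    if query.get("error") != ["invalid_scope"]:
        return None
    match = REQUESTED_RE.search(query.get("error_description", [""])[0])
    items = match.group(1).split(",") if match else []
    seen = {s.strip() for s in items if s.strip()}
    sent = set(sent_scopes)
    return {
        "sent_but_not_seen": sorted(sent - seen),
        "seen_but_not_sent": sorted(seen - sent),
    }


def launch_scope_issue(scopes, standalone):
    """Flag a launch scope that does not match the launch flow."""
    scopes = set(scopes)
    if standalone and "launch" in scopes:
        return "bare 'launch' is for EHR (embedded) launch"
    if not standalone and "launch" not in scopes:
        return "EHR (embedded) launch needs the bare 'launch' scope"
    return None


# Constructed sample: redirect rebuilt from the error text quoted in the thread.
SAMPLE_REDIRECT = "https://app.example.invalid/cb?" + urlencode({
    "error": "invalid_scope",
    "error_description": "Invalid scope; requested:[patient/.read, launch]",
    "state": "constructed-state",
})
SENT = ["launch/patient", "patient/*.read"]

if __name__ == "__main__":
    print(diagnose_invalid_scope(SAMPLE_REDIRECT, SENT))
    print(launch_scope_issue(SENT, standalone=True))
```

A non-empty `sent_but_not_seen` means the scope string changed somewhere between the client and the server's scope check, which narrows the search to encoding on the client or parsing on the server.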