[HSPC DEV] unnecessary launch scope required

Description

Investigate this issue:

Yuriy Flyud

I have registered an app in a sandbox to be able to launch it outside of EHR but authorise a user on some action (and select a patient on launch). I set the scope to "patient/*.read launch/patient" in app config.
When I call the https://auth.logicahealth.org/authorize endpoint with scope "launch/patient patient/*.read" - it returns an error:

error=invalid_scope&error_description=Invalid scope; requested:[patient/.read, launch]&state=44ca770d-260f-4e0f-b47d-643c5422d00b&scope=patient/.read launch/patient.

Please notice that I set "patient/.read launch/patient" in both app config and authorization endpoint call, but it says requested:[patient/.read, launch]. When I add "launch" scope to app config - everything starts working.

I'm just wondering - is adding a launch scope mandatory if I'm not going to launch an app from EHR?

Activity

Gopal Menon
October 1, 2020, 7:10 PM

I could not recreate the error that he is seeing. I did try and change the url in the authorize screen to say patient/.read. Then I got the following error.

https://bilirubin-risk-chart.logicahealth.org/app.html?error=invalid_scope&error_description=Invalid scope; requested:[patient/.read, launch]&state=3e330410-890b-9352-284a-fa81b432636c&scope=patient/Patient.read patient/*.read openid profile patient/Observation.read user/*.read launch patient/*.write fhirUser patient/Observation.write

It does not look like patient/.read is valid and it should be patient/*.read. Asked Yuriy what exactly he is sending in.

Gopal Menon
October 1, 2020, 7:16 PM

He says: I launch it outside of EHR, not from a sandbox. I have some button on UI which redirects me to /authorize endpoint.

I asked him: Are you maybe sending in patient/.read instead of patient/*.read?

Response from Yuriy:

No, I copied scope values from app config. I will check again soon, will try to provide a test app to reproduce the issue.

Gopal Menon
October 1, 2020, 7:47 PM

Is it related to this issue?

Shilpy Sharma
October 1, 2020, 8:53 PM

Yes, seems to be related.

Gopal Menon
October 12, 2020, 10:09 PM

Travis says that for embedded launch, we should send launch instead of launch/patient. Yuriy is doing a standalone launch and should not have to send launch. However, Travis says that our implementation may not be correct for all scenarios.
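
A diagnostic for the mismatch discussed in this ticket, added here as an example and not code from the sandbox or from any commenter: it parses an `invalid_scope` redirect and diffs the scopes the client sent against the `requested:[...]` list in the error text. The callback URL `https://app.example/callback` is a placeholder, the sample redirect is constructed from the error string quoted in the description, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample: placeholder callback + the error string as it appears in the ticket.
SAMPLE_REDIRECT = (
    "https://app.example/callback?error=invalid_scope"
    "&error_description=Invalid scope; requested:[patient/.read, launch]"
    "&state=44ca770d-260f-4e0f-b47d-643c5422d00b"
    "&scope=patient/.read launch/patient"
)


def parse_redirect(url):
    """Split the query on '&' only: the error description itself contains ';'."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def reported_scopes(error_description):
    """Return the scopes listed inside 'requested:[...]', or None if absent."""
    match = re.search(r"requested:\[([^\]]*)\]", error_description)
    if match is None:
        return None
    return {s.strip() for s in match.group(1).split(",") if s.strip()}


def diff_scopes(sent_scope, redirect_url):
    """Compare what the client sent with what the server says it received."""
    params = parse_redirect(redirect_url)
    if params.get("error") != "invalid_scope":
        return None  # not a scope rejection, nothing to compare
    seen = reported_scopes(params.get("error_description", ""))
    if seen is None:
        return None  # server did not echo the requested list
    sent = set(sent_scope.split())
    return {
        "sent_but_not_reported": sorted(sent - seen),
        "reported_but_not_sent": sorted(seen - sent),
        "state": params.get("state"),
    }


if __name__ == "__main__":
    # Scope string from the description's /authorize call.
    print(diff_scopes("launch/patient patient/*.read", SAMPLE_REDIRECT))
```

Logging this diff alongside the raw, still-encoded `/authorize` URL shows whether a scope was altered before it left the client or after the server received it.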

Assignee

Gopal Menon

Reporter

Shilpy Sharma

Labels

None

Priority

Major