[HSPC DEV] unnecessary launch scope required


Investigate this issue:

Yuriy Flyud

I have registered an app in a sandbox to be able to launch it outside of EHR but authorise a user on some action (and select a patient on launch). I set the scope to "patient/*.read launch/patient" in app config.
When I call the https://auth.logicahealth.org/authorize endpoint with scope "launch/patient patient/*.read" - it returns an error:

error=invalid_scope&error_description=Invalid scope; requested:[patient/*.read, launch]&state=44ca770d-260f-4e0f-b47d-643c5422d00b&scope=patient/*.read launch/patient.

Please notice that I set "patient/*.read launch/patient" in both app config and authorization endpoint call, but it says requested:[patient/*.read, launch]. When I add "launch" scope to app config - everything starts working.

I'm just wondering - is adding a launch scope mandatory if I'm not going to launch an app from EHR?


Gopal Menon
October 1, 2020, 7:10 PM

I could not recreate the error that he is seeing. I did try and change the URL in the authorize screen to say patient/.read. Then I got the following error.

https://bilirubin-risk-chart.logicahealth.org/app.html?error=invalid_scope&error_description=Invalid scope; requested:[patient/.read, launch]&state=3e330410-890b-9352-284a-fa81b432636c&scope=patient/Patient.read patient/*.read openid profile patient/Observation.read user/*.read launch patient/*.write fhirUser patient/Observation.write

It does not look like patient/.read is valid and it should be patient/*.read. Asked Yuriy what exactly he is sending in.

Gopal Menon
October 1, 2020, 7:16 PM

He says: I launch it outside of EHR, not from a sandbox. I have some button on the UI which redirects me to the /authorize endpoint.

I asked him: Are you maybe sending in patient/.read instead of patient/*.read?

Response from Yuriy:

No, I copied scope values from app config. I will check again soon, will try to provide a test app to reproduce the issue.

Gopal Menon
October 1, 2020, 7:47 PM

Is it related to this issue?

Shilpy Sharma
October 1, 2020, 8:53 PM

Yes, seems to be related.

Gopal Menon
October 12, 2020, 10:09 PM

Travis says that for embedded launch, we should send launch instead of launch/patient. Yuriy is doing a standalone launch and should not have to send launch. However, Travis says that our implementation may not be correct for all scenarios.
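The two launch flows the thread contrasts, as an added example that is not part of the ticket and not the Logica sandbox's code: a standalone launch asks for `launch/patient` (the server prompts for a patient and no `launch=` parameter is sent), while an EHR launch asks for the bare `launch` scope together with the opaque `launch=` token the EHR handed the app. The check below applies those SMART App Launch rules to the requested scope string before building the authorization URL; the endpoint, client_id, redirect_uri and aud values are placeholders, and the scope list is split strictly on whitespace so that `launch/patient` is never shortened to `launch`.

```python
import base64
import hashlib
import secrets
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder authorization endpoint; the sandbox uses its own.
AUTHORIZE_ENDPOINT = "https://auth.example.org/authorize"

# Scopes that request a context for a standalone launch (SMART App Launch).
STANDALONE_CONTEXT = {"launch/patient", "launch/encounter"}


def scope_tokens(scope: str) -> List[str]:
    """Split a space-delimited scope string on whitespace only.

    Splitting on anything else (for example '/') would reduce
    'launch/patient' to 'launch', which is exactly the kind of
    mismatch the ticket's error message shows.
    """
    return scope.split()


def check_launch_scopes(scope: str, launch_param: Optional[str]) -> Tuple[bool, str]:
    """Apply the SMART launch rules to a requested scope set.

    - standalone launch (no launch= parameter): needs launch/patient or
      launch/encounter, and must NOT request the EHR-launch scope 'launch';
    - EHR launch (launch= parameter present): must request 'launch'.
    """
    toks = set(scope_tokens(scope))
    if launch_param is None:
        if "launch" in toks:
            return False, "'launch' is the EHR-launch scope; standalone launch uses launch/patient"
        if not toks & STANDALONE_CONTEXT:
            return False, "standalone launch needs launch/patient or launch/encounter"
        return True, "standalone launch"
    if "launch" not in toks:
        return False, "launch= parameter present but 'launch' scope missing"
    return True, "EHR launch"


def pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, S256 code_challenge) for the authorization request."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(client_id: str, redirect_uri: str, scope: str, aud: str,
                        launch_param: Optional[str] = None,
                        state: Optional[str] = None,
                        code_challenge: Optional[str] = None) -> str:
    """Build the /authorize request for either flow, refusing inconsistent scope sets."""
    ok, why = check_launch_scopes(scope, launch_param)
    if not ok:
        raise ValueError(why)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "aud": aud,                      # the FHIR server the token is meant for
        "state": state or secrets.token_urlsafe(16),  # CSRF protection on the callback
    }
    if launch_param is not None:
        params["launch"] = launch_param  # only present for an EHR launch
    if code_challenge is not None:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def requested_scope(url: str) -> str:
    """Read back the scope parameter from a built URL (what the server will see)."""
    return parse_qs(urlsplit(url).query)["scope"][0]


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    # Standalone launch: the case described in the ticket, no launch= parameter.
    print(build_authorize_url("my-app", "https://app.example.org/cb",
                              "launch/patient patient/*.read openid fhirUser",
                              "https://fhir.example.org/r4", code_challenge=challenge))
    # EHR launch: bare 'launch' scope plus the opaque token the EHR passed in.
    print(build_authorize_url("my-app", "https://app.example.org/cb",
                              "launch patient/*.read openid fhirUser",
                              "https://fhir.example.org/r4", launch_param="opaque-launch-token",
                              code_challenge=challenge))
```

The check is client-side and only mirrors the spec's rules; whether a given authorization server also accepts a bare `launch` on a standalone launch is server behaviour and has to be tested against that server.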
