Unauthorised - 401 eRS Document Retrieval

Hi @jon.goody, thank you for your and your colleagues’ time today. I’ve had a more in-depth look at the logs captured during our catch-up but unfortunately have not spotted the root cause; it looks like the access token is being assigned the correct scopes.

However, looking back through the post I noticed a screenshot where the access token is used to call e-RS. It has an [authToken] attribute. Could you confirm that the token is passed using the “Authorization” header conforming to the pattern “Bearer [TOKEN]”?
e.g.

    curl -X GET https://int.api.service.nhs.uk/hello-world/hello/user \
      -H "Authorization: Bearer [your access token]"

I wonder if you get the same result with the access token using Postman or cURL? It would be good to see the raw HTTP request, as we are wondering if the request is getting malformed somehow. Might be worth a try to rule it out?

Many thanks!

Hi @sophie.clayton12

I have reviewed the code relating to the e-RS [authToken] attribute. It seems we set the header for Authorization but do not include the word ‘Bearer’.

After amending the code to be the following we have got further:

    "Authorization: Bearer [your access token]"

The response we are now getting is as follows:

Looking at the returned response from the eRS API, I am now connected but getting the following:

I will get one of my colleagues to review the error message below tomorrow to see if business function, organisation role etc… is correct.

“The logged in user is not authorised to perform the requested action (e.g. due to their business function not being authorised, organisation not having the appropriate organisation role, legitimate relationship, referrer”

I am on leave from tomorrow afternoon until Tuesday so will respond back then depending on our findings but seems we are a step closer now.

I have noticed another thread talking about this: 403:Forbidden. The logged In user Is Not authorised (A005 on DEP)

Has our application been configured correctly against our application ID ff20dedf-6bef-4b83-8455-4cd3bfe5f01a?

Regards
Jon

Hi @jon.goody,

The error response payload contains an OperationOutcome resource that contains the reason for the error.

Looking at the last request you made the response was as follows:
HTTP 403:

    {
        "meta": {
            "profile": [
                "https://fhir.nhs.uk/STU3/StructureDefinition/eRS-OperationOutcome-1"
            ]
        },
        "resourceType": "OperationOutcome",
        "issue": [
            {
                "severity": "error",
                "code": "forbidden",
                "details": {
                    "coding": [
                        {
                            "code": "FORBIDDEN",
                            "system": "https://fhir.nhs.uk/STU3/CodeSystem/eRS-APIErrorCode-1",
                            "display": "Forbidden"
                        }
                    ]
                },
                "diagnostics": "On Behalf Of User ID (9983451282) provided is invalid or not in the list of allowed OBO Users."
            }
        ]
    }

You are attempting to authenticate as User 555267527104 at NHSD-End-User-Organisation-ODS=RB8 as a NHSD-eRS-Business-Function=SERVICE_PROVIDER_CLINICIAN_ADMIN (SPCA).

You are providing NHSD-eRS-On-Behalf-Of-User-ID=9983451282 but this is not a user the current SPCA user is authorised to act on behalf of.

You can use Retrieve “on-behalf-of” practitioner user information (A040, FHIR R4) to determine what users an authenticated SPCA can act on behalf of.

Note: For future queries please try to include an X-Correlation-ID so we can easily identify the request.

Regards,

Adam.

Hi @adam.oldfield

We are still struggling to get any further with this. We have set up a new clinic and made sure the care provider is in the work group associated with the eRS clinic, which also has the correct business function.

See below latest trace:

X-Correlation-ID: 8050AAAC-04C8-11F0-9F08-005056B4EE83
Auth Token: qDrgtq6Kf3mfz7NGKUjgMief7yaA
ERS Business Function: SERVICE_PROVIDER_CLINICIAN_ADMIN
End User Org: RB8

Response object when retrieving documents:

    {
        "meta": {
            "profile": [
                "https://fhir.nhs.uk/STU3/StructureDefinition/eRS-OperationOutcome-1"
            ]
        },
        "resourceType": "OperationOutcome",
        "issue": [
            {
                "severity": "error",
                "code": "forbidden",
                "details": {
                    "coding": [
                        {
                            "code": "FORBIDDEN",
                            "system": "https://fhir.nhs.uk/STU3/CodeSystem/eRS-APIErrorCode-1",
                            "display": "Forbidden"
                        }
                    ]
                },
                "diagnostics": "On Behalf Of User ID (555045992108) provided is invalid or not in the list of allowed OBO Users."
            }
        ]
    }

Can you confirm why this user is stating invalid or, if this is not the issue and it relates to the OBO Users, can you confirm where this needs to be defined please?

Hi @jon.goody,

I would advise using Retrieve “on-behalf-of” practitioner user information (A040, FHIR R4) to determine what users the SPCA can act on behalf of.

For this specific request it looks like you are authenticating as 555045992108 as a SPCA and trying to log in on behalf of 555045992108 (the same user). This is not allowed as in this case you would just select the SPC role.

The rules for determining the users that an SPCA can act on behalf of:

  • All the Service Provider Clinicians (excluding themself) from all Service Provider Workgroups that the Professional User is a member of for the chosen e-RS Organisation.

So if you are authenticating as User A as an SPCA and you want to act on behalf of User B, then User B must share a workgroup with User A (at that organisation) and have the SPC role.

If you have an example that doesn’t work (when you aren’t using the same user) then let me know and we can try to troubleshoot.

Hopefully that helps.

Regards,

Adam.

Hi Adam

We have tried to use a different user this time to call the eRS endpoint and get a completely different message.

X-Correlation-ID: 1961E400-04E1-11F0-9F3C-005056B4EE83

    {
        "meta": {
            "profile": [
                "https://fhir.nhs.uk/STU3/StructureDefinition/eRS-OperationOutcome-1"
            ]
        },
        "resourceType": "OperationOutcome",
        "issue": [
            {
                "severity": "error",
                "code": "forbidden",
                "details": {
                    "coding": [
                        {
                            "code": "FORBIDDEN",
                            "system": "https://fhir.nhs.uk/STU3/CodeSystem/eRS-APIErrorCode-1",
                            "display": "Forbidden"
                        }
                    ]
                },
                "diagnostics": "The ASID (200000000068) does not have the interaction (urn:nhs:names:services:ers:GENERATE_CRI_STU3_V001) required to call this endpoint."
            }
        ]
    }

The UUID for my card is 555267527104
The eRS clinic is associated with 555045992108

As you can see I am associated with the eRS clinic.

Can you please advise what is missing.

Regards
Jon

Hi @jon.goody,

The fact you have that different error suggests that the user authentication has succeeded.

It is now validating that your Accredited System has access to the API you are calling.

It looks like ASID 200000000068 (which is bound to your APIM Application) does not have any of the interactions required to access the e-RS APIs in the Integration environment.

This should have been configured during onboarding, so I’m not sure what has gone wrong.

@nhserspartners @lucy.killick1 Can we request that the necessary message sets are assigned to ASID 200000000068?

Regards,

Adam.

@jon.goody Apologies about this. I’ve submitted the request to get the e-RS permissions added to your ASID and will let you know as soon as this is done.
Kind regards,
Lucy


@lucy.killick1 please can you advise when the e-RS permissions will be added to our ASID (200000000068)
Kind regards
Nadia

Hi @Nadia_Mohammed and @jon.goody - I’ve been speaking with our ITOC team who have advised that you seem to have an ASID set up with your own bespoke product on it (TrakCare Maternity) - this has no e-RS FHIR API interactions but has other interactions on for PDS and HL7 e-RS messages. I’m told you have three options:

  1) update your existing product with the e-RS FHIR API interactions; or
  2) we can replace your existing product with the latest generic e-RS FHIR API product. If you choose this option, your existing interactions will be removed and will no longer work (PDS and e-RS HL7); or
  3) you create a new Application and we create a new ASID for you with just the e-RS FHIR API messages on it (which would be cleaner).

For your information, in production when you go live with the e-RS FHIR API, you will need to have separate Apps/ASIDs per site and cannot share with certain other NHSE products, as per this guidance: https://digital.nhs.uk/services/e-referral-service/api/integration-process/security-and-authorisation#1-accredited-system-identifiers

Can you please let me know your preference?

Hello @lucy.killick1
Please can you update our existing product (TrakCare Maternity) with e-RS FHIR API interactions - Option 1.

Thank you

Kind regards
Nadia

Morning @Nadia_Mohammed and @jon.goody - just letting you know that has now been updated. Please let us know if you have any more issues

Hi @lucy.killick1
We have retested the issue and continue to get errors.
Here is the ID:
X-Correlation-ID: 080C3226-0A60-11F0-A050-005056B4EE83

    {
        "meta": {
            "profile": [
                "https://fhir.nhs.uk/STU3/StructureDefinition/eRS-OperationOutcome-1"
            ]
        },
        "resourceType": "OperationOutcome",
        "issue": [
            {
                "severity": "error",
                "code": "forbidden",
                "details": {
                    "coding": [
                        {
                            "code": "FORBIDDEN",
                            "system": "https://fhir.nhs.uk/STU3/CodeSystem/eRS-APIErrorCode-1",
                            "display": "Forbidden"
                        }
                    ]
                },
                "diagnostics": "On Behalf Of User ID (555267527104) provided is invalid or not in the list of allowed OBO Users."
            }
        ]
    }

Please can you confirm the message set was updated in INT for our product TrakCare Maternity.

Hi Nadia - it looks as though the error message is saying you are trying to carry out an action ‘on behalf of’ a user that is not allowed to do that, or the user (555267527104) does not have the required business function at the organisation you are trying to access.

Hi Nadia,

To add to Lucy’s response above…

It seems you are now seeing the previous issue again as discussed here.

It is only after user authentication that the system authentication is performed; this is the step that required us to add the permissions to your ASID.

You therefore need to re-check your user setup/configuration. You can use Retrieve “on-behalf-of” practitioner user information (A040, FHIR R4) to check the on behalf of user is valid.

Regards,

Adam.


This is now working and we can access documents from referrals. The issue related to an incorrect UUID being sent along with the business function.

If the UUID for the logged-on user is the same as the clinic care provider UUID, then don’t send the OBO UUID. Ensure the business function is set to SERVICE_PROVIDER_CLINICIAN.

If the UUID is different, then ensure the business function is set to SERVICE_PROVIDER_CLINICIAN_ADMIN.

After the message sets were applied the rules above then started to work.

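As an added example (not code from this thread, from the TrakCare integration, or from NHS England), the two rules that resolved the thread, the “Bearer” prefix on the Authorization header and the business-function/OBO rule Adam explained and Jon confirmed, applied when building the request, plus a small parser for the OperationOutcome error body so the diagnostics text can be logged. The header names are the ones quoted in the thread; the function names, the signature and the sample body are assumptions.

```python
import json
import uuid


def ers_headers(access_token, logged_on_user, care_provider_user, ods_code,
                correlation_id=None):
    """Build e-RS request headers. Rule from the thread: same user as the
    clinic's care provider -> SERVICE_PROVIDER_CLINICIAN, no OBO header;
    different user -> SERVICE_PROVIDER_CLINICIAN_ADMIN acting on their behalf."""
    if not access_token or access_token.lower().startswith("bearer "):
        raise ValueError("pass the raw token; the 'Bearer ' prefix is added here")
    headers = {
        # The missing 'Bearer ' prefix was the cause of the original 401.
        "Authorization": f"Bearer {access_token}",
        "NHSD-End-User-Organisation-ODS": ods_code,
        # Always send one so support can find the request in their logs.
        "X-Correlation-ID": correlation_id or str(uuid.uuid4()).upper(),
    }
    if logged_on_user == care_provider_user:
        headers["NHSD-eRS-Business-Function"] = "SERVICE_PROVIDER_CLINICIAN"
    else:
        headers["NHSD-eRS-Business-Function"] = "SERVICE_PROVIDER_CLINICIAN_ADMIN"
        headers["NHSD-eRS-On-Behalf-Of-User-ID"] = care_provider_user
    return headers


def operation_outcome_diagnostics(body):
    """Return (error code, diagnostics) from an e-RS OperationOutcome error
    body, or None when the body is some other resource type."""
    doc = json.loads(body) if isinstance(body, (str, bytes)) else body
    if doc.get("resourceType") != "OperationOutcome":
        return None
    issue = doc["issue"][0]
    coding = issue.get("details", {}).get("coding") or [{}]
    return coding[0].get("code"), issue.get("diagnostics")


# Constructed sample: the 403 body quoted in the thread, trimmed to the parts used.
SAMPLE_403 = json.dumps({
    "resourceType": "OperationOutcome",
    "issue": [{"severity": "error", "code": "forbidden",
               "details": {"coding": [{"code": "FORBIDDEN", "display": "Forbidden"}]},
               "diagnostics": "On Behalf Of User ID (555267527104) provided is "
                              "invalid or not in the list of allowed OBO Users."}],
})

if __name__ == "__main__":
    print(ers_headers("<access token>", "555267527104", "555045992108", "RB8"))
    print(operation_outcome_diagnostics(SAMPLE_403))
```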

Thanks for confirming Jon. Pleased to hear you are up and running now.
