Just curious about various methods to authenticate with FHIR through various EMR vendors. I have sandbox accounts with AthenaHealth, eClinicalWorks and EPIC. I’ve had some success with AthenaHealth using Basic Authentication with a client ID/secret to retrieve a token, and then the token can be used to make subsequent requests with proper authorization for the various scopes.
The Python function for that is like below, where TOKEN_URL = '/oauth2/v1/token':

```python
import requests
from requests.auth import HTTPBasicAuth

TOKEN_URL = '/oauth2/v1/token'  # path under the Athena API base URL
CLIENT_ID = '...'
CLIENT_SECRET = '...'

def get_access_token():
    # client_credentials grant: client_id/client_secret travel in the
    # HTTP Basic Authorization header, the grant and scope in the form body
    response = requests.post(
        TOKEN_URL,
        auth=HTTPBasicAuth(CLIENT_ID, CLIENT_SECRET),
        headers={'Content-Type': 'application/x-www-form-urlencoded'},
        data={
            'grant_type': 'client_credentials',
            'scope': '....'
        }
    )
    response.raise_for_status()
    return response.json()['access_token']
```
There is also a (probably more commonly used) OAuth method that is a bit more difficult to implement. My application is a backend app and not even necessarily patient or provider facing, so I would prefer using the above method, but I have thus far been unable to get it to work in the ECW sandbox.
I did try something like this, but I usually get a 401 error:

```python
import requests

AUTH_URL = '...'

def get_access_token():
    # POSTs the authorization-request parameters to AUTH_URL
    # and tries to read an access token straight out of the response
    response = requests.post(
        AUTH_URL,
        headers={'Content-Type': 'application/x-www-form-urlencoded'},
        data={
            'response_type': 'code',
            'client_id': '...',
            'redirect_uri': '...',
            'launch': '...',
            'scope': 'patient/Patient.read',
            'state': '12',
            'aud': 'https://fhir4.healow.com/fhir/r4/xxxxxx',
            'code_challenge': '...',
            'code_challenge_method': 'S256'
        }
    )
    response.raise_for_status()
    return response.json()['access_token']
```
Their documentation is not bad, and here are some of the highlights:
ECW API documentation
They do state:
Symmetric (Client Secret) Authentication
“Symmetric Authentication authenticates a client using a secret that has been pre-shared between the client and the vendor authorization server. The client authenticates its requests by supplying an authorization header with HTTP basic authentication, where the username is the app’s client_id and the password is the app’s client_secret”
but the python code and variants do not seem to work.
They give an example of how to request an authorization code:
https://{ehr_authorize_url}?response_type=code&client_id=sXuHfoq0ykKSA1HlwI&redirect_uri=https://inferno.healthit.gov/suites/custom/smart/redirect&scope=openid+fhirUser+offline_access+user/Encounter.read+user/Patient.read&state=270579bc-853c-4ed8-a7f4-c8957519b222&aud=https://{fhir_base_url}&code_challenge=NBSSe6w_ABTFmOl0dBC_1dmuYtRJpARHcJAVithSOsA&code_challenge_method=S256
But that also doesn’t work yet. That is somewhat documented here:
SMART App Launch Framework
Another problem is that ECW and ‘healow’ appear to have 2 sites to service their customers, e.g. https://fhir.eclinicalworks.com/ecwopendev/documentation#
and FHIR also has detailed documentation: FHIR documentation
Any pointers or suggestion appreciated. The Athena Sandbox works fine after the authentication issue is solved.
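Added example, not code from the original post or from any vendor SDK: the SMART App Launch standalone flow (authorization code with PKCE, symmetric client_secret_basic authentication at the token endpoint) written against the Python standard library only, so it runs offline. In that flow the authorization request is an HTTP GET that the user's browser is redirected to, and the only POST is the later exchange of the returned code for a token. The endpoint URLs, client ID/secret, redirect URI, the sample smart-configuration document and the sample callback URL are all constructed placeholders, not real eClinicalWorks/healow or Athena values.

```python
# Added example: SMART App Launch authorization-code + PKCE flow, offline.
# All URLs, IDs and secrets below are constructed placeholders.
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample of GET {fhir_base}/.well-known/smart-configuration.
# Real servers publish their own authorize/token endpoints here.
SAMPLE_SMART_CONFIG = json.dumps({
    "authorization_endpoint": "https://ehr.example/oauth2/authorize",
    "token_endpoint": "https://ehr.example/oauth2/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
    "code_challenge_methods_supported": ["S256"],
})


def parse_smart_config(doc):
    """Pull the endpoints the flow needs out of a smart-configuration JSON document."""
    cfg = json.loads(doc)
    return {
        "authorize": cfg["authorization_endpoint"],
        "token": cfg["token_endpoint"],
        "s256": "S256" in cfg.get("code_challenge_methods_supported", []),
    }


def pkce_challenge(verifier):
    """RFC 7636 S256: BASE64URL(SHA-256(verifier)) with the '=' padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Fresh high-entropy verifier (RFC 7636 allows 43..128 chars) and its challenge."""
    verifier = secrets.token_urlsafe(64)  # 86 URL-safe characters
    return verifier, pkce_challenge(verifier)


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, scope,
                        state, aud, code_challenge, launch=None):
    """Step 1: the URL the browser is sent to (an HTTP GET, not a POST).
    'aud' must be the FHIR base URL; 'launch' only exists for an EHR launch."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,          # urlencode renders spaces as '+'
        "state": state,
        "aud": aud,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if launch:
        params["launch"] = launch
    return authorize_endpoint + "?" + urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """After approval the EHR redirects to redirect_uri?code=...&state=...
    Refuse the callback unless 'state' is the one we generated (CSRF check)."""
    q = parse_qs(urlsplit(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale callback")
    if "code" not in q:
        raise ValueError("no authorization code in redirect: %s" % q.get("error"))
    return q["code"][0]


def build_token_request(token_endpoint, client_id, client_secret, code,
                        redirect_uri, code_verifier):
    """Step 2: the POST to the token endpoint. Symmetric (client_secret_basic)
    auth rides in the Authorization header; the verifier proves we began the flow."""
    basic = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode()).decode()
    return {
        "url": token_endpoint,
        "headers": {
            "Authorization": "Basic " + basic,
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        "data": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,
            "code_verifier": code_verifier,
        },
    }


if __name__ == "__main__":
    ep = parse_smart_config(SAMPLE_SMART_CONFIG)
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(16)
    print("send the browser to:", build_authorize_url(
        ep["authorize"], "my-client-id", "https://app.example/cb",
        "openid fhirUser offline_access user/Patient.read", state,
        "https://ehr.example/fhir/r4", challenge))
    # Constructed callback standing in for what the EHR would redirect to.
    code = parse_redirect("https://app.example/cb?code=abc123&state=" + state, state)
    print(build_token_request(ep["token"], "my-client-id", "my-secret",
                              code, "https://app.example/cb", verifier))
```

The dict returned by build_token_request maps directly onto requests.post(url, headers=..., data=...); the verifier and state must be kept server-side between the two steps and used exactly once. The RFC 7636 Appendix B vector (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a quick check that the S256 encoding is right before blaming the server.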