Issues with Epic Bulk Data Request - 401 Error

Question

I'm implementing a FHIR integration in Python to pull data from Epic's sandbox environment. I wanted to see if anyone else has attempted this, or has had any issues with token authentication when doing the kick-off request.

Some notable information on my build/progress:

I'm using https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token to get the token
The JWT passed back is valid and signed
Per Epic's bulk export specification, I'm using https://apporchard.epic.com/interconnect-aocurprd-oauth/api/FHIR/R4/Group/eIscQb2HmqkT.aPxBKDR1mIj3721CpVk1suC7rlu3yX83/$export as the endpoint to request data from.
To the above url, in my get request, I pass the following headers:

'Accept':'application/fhir+json',

'Content-type' : 'application/fhir+json', <- I've also tried removing this as it isn't explicitly stated to be passed

'Prefer':'respond-async',

'Authorization' : 'Bearer ' + token
I use a session to handle requests, and preserve the Authorization header by overriding NoRebuildAuthSession in requests.Session

The response from the get request comes back with a 401 error and the following information under www-authenticate: Bearer error="invalid_token", error_description="The access token provided is not valid"

Any guidance would be helpful! I think I might be using the wrong endpoint but I'm totally stumped right now.

class NoRebuildAuthSession(Session):
    def rebuild_auth(self, prepared_request, response):
        """
        No code here means requests will always preserve the 
        Authorization
        header when redirected.
        """

session = NoRebuildAuthSession()

logging.basicConfig(level=logging.DEBUG)

instance = jwt.JWT()
message = {
    # Client ID for non-production
    'iss': '<client-id>',
    'sub': '<client-id>',
    'aud': 'https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token',
    'jti': '<string of characters>',
    'iat': get_int_from_datetime(datetime.now(timezone.utc)),
    'exp': get_int_from_datetime(datetime.now(timezone.utc) + timedelta(minutes=1)),
}
# Load a RSA key from a PEM file.
with open('<private-key-path>', 'rb') as fh:
    signing_key = jwt.jwk_from_pem(fh.read())

compact_jws = instance.encode(message, signing_key, alg='RS384')
headers = CaseInsensitiveDict()
headers['Content-Type'] = 'application/x-www-form-urlencoded'

data = {
        'grant_type': 'client_credentials',
        'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
        'client_assertion': compact_jws
}

x = session.post('https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token', headers=headers, data=data)

responseDict = json.loads(x.text)
token = x.json()['access_token']
print(responseDict['access_token'])
headers = {
    'Accept':'application/fhir+json',
    'Content-type' : 'application/fhir+json',
    'Prefer':'respond-async',
    'Authorization' : 'Bearer ' + token
    }
session.headers = headers
base = "https://apporchard.epic.com/interconnect-aocurprd-oauth/api/FHIR/R4/Group/eIscQb2HmqkT.aPxBKDR1mIj3721CpVk1suC7rlu3yX83/$export"
y = session.get(base, headers = headers)
print(yaml.dump(y.headers, default_flow_style=False))
print(y.text)

Hi Welcome to SO! I spotted your question on the HL7 chat rooms at first. Suggest you copy/paste your code here. — Cargo23, Dec 09 '21 at 21:22
For sandbox issues, we prefer folks reach out to open@epic.com for troubleshooting help. — Cooper, Dec 10 '21 at 14:55

score 3 · Answer 1 · answered Dec 11 '21 at 01:29

As Cooper mentioned, your best resource is to contact Epic directly for troubleshooting assistance with their sandbox/APIs.

That said, glancing through your code, the URL does seem to be the issue. It seems like you're mimicking the Bulk FHIR tutorial from Epic, which may or may not be exactly reproducible in the sandbox.

Here, you're calling the Epic on FHIR endpoint to get the OAuth token: x = session.post('https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token', headers=headers, data=data)

However, you then proceed to make the actual Bulk FHIR calls using the App Orchard endpoint: base = "https://apporchard.epic.com/interconnect-aocurprd-oauth/api/FHIR/R4/Group/eIscQb2HmqkT.aPxBKDR1mIj3721CpVk1suC7rlu3yX83/$export"

This isn't correct. Assuming you are trying to use Epic on FHIR, the base URL to use is https://fhir.epic.com/interconnect-fhir-oauth, so that line should read something like base = "https://fhir.epic.com/interconnect-fhir-oauth/api/FHIR/R4/Group/...".

Thank you! I did realize that as part of the problem, and was able to receive a token accepted response. I don't believe the Group ID Epic provides through documentation is valid for testing, so if anyone knows of a Group ID that does exist on the sandbox environment, that would be greatly appreciated. I've reached out to Epic with a similar request. — ultraub, Dec 11 '21 at 15:08
@ultraub I have the same request - did you ever get a Group ID for the sandbox? thanks — simj, Jul 28 '22 at 18:12
A group ID for the Epic on FHIR sandbox is available at https://fhir.epic.com/Documentation?docId=testpatients. — Ashavan, Jul 29 '22 at 19:10

Issues with Epic Bulk Data Request - 401 Error

1 Answers1