Developer sandbox

Access Token URL:

https://oauthp2psb.bcbsnc.com/CMSP2PMemberSB/sps/oauth/oauth20/token

Example using curl syntax:

curl -v -k -H "Content-Type: application/x-www-formurlencoded;charset=UTF-8" -d"grant_type=authorization_code&code=[Insert_Auth_Code]&redirect_uri=[Insert_Redirect_URL]&client_id=[Insert_Client_Id]&client_secret=[Insert_Client_Secret]&state=test" https://oauthp2psb.bcbsnc.com/CMSP2PMemberSB/sps/oauth/oauth20/token

State: An optional value that you may use in your app.

Response

{

 "access_token":

"eyJraWQiOiJ3QThGR3hrM3pWa1FrYU9qUW11aWxTTlJGUWp2bHNzaTJna",

 "patient": "2657",

 "scope": "clinical read openid profile",

 "id_token": "eyJraWQiOiJ3QThGR3hrM3pWa1FrYU9qU",

 "token_type": "bearer",

 "expires_in": 86399

}

The response will contain a “Patient ID” that needs to be used as a search criteria for API data requests.

Try this out in Postman:

With the access token, you can use Curl to make queries as follows:

curl --header "Authorization: Bearer YOUR TOKEN HERE"

https://apiservicessb-ext.bcbsnc.com/fhir/sb/R4/payer-topayer/Patient/<FHIRPatientId>/$everything

NOTE: When a beneficiary is authorizing your application, they will not be presented the choice to select any scope. Only the app has the ability to choose what scope is required when making a request for the token.

Auth URL:

https://oauthp2psb.bcbsnc.com/CMSP2PMemberSB/sps/oauth/oauth20/authorize

Client ID: AJMP7iHHEfegyn2PMzTj

Client Secret: OHBJ8Pl9I2ilDZ5gRY74

Access the authorization url at:

https://oauthp2psb.bcbsnc.com/CMSP2PMemberSB/sps/oauth/oauth20/authorize/

Note: The last backslash is important. Also remember to append ?client_id={yourclient_id assigned to the application you registered}

Synthetic Beneficiary Accounts

Authorization

To use the Blue Cross NC OAuth 2, a developer must register their application.

A registered application is given a client ID and a client secret. The secret should only be used if it can be kept confidential, such as communication between your server and the Blue Cross NC API. Otherwise the Client Application Flow may be used.

NOTE: For sandbox environment, static clientId, clientSecret will be shared. This is registered by Blue Cross team internally with a static redirect URL and will need to be configured by the client in order to initiate authorization request.

Scopes

Access tokens have a scope, which defines what the access token can do and what resources it can access. For our purposes, scopes are primarily utilized to give beneficiaries more granular choice over what data they would like to share with applications. The Blue Cross NC API has implemented a default scope to restrict read & write access to only the clinical resources as defined by HL7:

Clinical/*.*

From the OpenID Connect specification we support:

profile

This gives access to the fhir/sb/R4/payer-to-payer/UserInfo Endpoint.

Our implementation gives apps the ability to choose OpenID scope. 

If the beneficiary declines to share information that your application needs to function, you may display a message explaining why that information is needed and request reauthorization or handle the collection of that information elsewhere within your application.

The default selection when a beneficiary reaches the authorization screen will be to share all data, including demographic data, with your application. If a beneficiary makes a selection as to whether or not they want to share demographic data with your application and later decides they want to change that selection, they’ll need to be taken through the authorization flow again to make a different choice from the OAuth screen.

Native Mobile App Support

Native Mobile App Support follows the RFC 8252 - OAuth 2.0 for Native Apps authentication flow utilizing the PKCE extension and enables a custom URI scheme redirect.

The implementation of the RFC 8252 specification enables developers to build mobile applications without requiring a proxy server to route redirect calls to their mobile app.

The PKCE extension provides a technique for public clients to mitigate the threat of a “man-in-the-middle” attack. This involves creating a secret that is used when exchanging the authorization code to obtain an access token.

PKCE uses a code challenge that is derived from a code-verifier. The standard supports two styles of code challenge:

• plain
• S256

Redirect_URI

When registering an Application, a redirect URI is required. This is the API endpoint on your system that receives the callback from the Blue Cross NC API after a beneficiary is passed to the Blue Cross NC API to authorize your application.

Web Application Flow

To use this flow, your application should be registered with Client Type set to confidential and Grant Type set to authorization-code.

Core Resources

Base Request URL:

https://apiservicessb-ext.bcbsnc.com/fhir/sb/R4/payer-to-payer 

FHIR Resources:

• All Clinical resources as defined in DaVinci IG - http://hl7.org/fhir/us/davincipdex/toc.html
  Note : Patient/<FHIRID>/$everything is supported and will need to be used by clients to initiate data request and receive a bundle response. Individual FHIR resources are not supported. 

UserInfo:

• Get User Profile from an Authorization Token.

FHIR Resource Bundle

/fhir/sb/R4/payer-to-payer/Patient/2657/$everything

The above URL returns all of the beneficiary’s clinical records as an FHIR Resource Bundle.

curl --header "Authorization: Bearer AUTHORIZATION TOKEN"
"https://apiservicessb-ext.bcbsnc.com/fhir/sb/R4/payer-topayer/Patient/2657/$everything"

That API call will return a bundle that contains many FHIR resources and is typically thousands of lines long.

{

 "resourceType": "Bundle",

 "id": "989f6d15-43e9-429f-97a5-93de5dc1e89b",

 "meta": {

 "lastUpdated": "2021-11-22T20:24:03.946-05:00"

 },

 "type": "searchset",

 "link": [

 {

 "relation": "self",

 "url": "https://apiservicessb-ext.bcbsnc.com/fhir/sb/R4/payer-topayer/Patient/2657/$everything"

 }

 ],

 "entry": [

 {

 "fullUrl": "https://apiservicessbext.bcbsnc.com/fhir/sb/R4/payer-to-payer/Patient/2657",

 "resource": {

 "resourceType": "Patient",

 "id": "2657",

 "meta": {

 "versionId": "2",

 "lastUpdated": "2021-11-22T14:53:07.885-05:00",

 "source": "#PuvVum8uEowtNfhY",

 "profile": [

 "http://hl7.org/fhir/us/carinbb/StructureDefinition/C4BB-Patient",

 "http://hl7.org/fhir/us/core/StructureDefinition/uscore-patient"

 ]

 },

 "identifier": [

 {

 "type": {

 "coding": [

 {

 "system":

"http://terminology.hl7.org/CodeSystem/v2-0203",

 "code": "MB"

 }

 ]

 },

 "system":

"http://bluecrossnc.com/fhir/memberidentifier",

 "value": "J1269564601"

 }

 ],

 "name": [

 {

 "family": "BCNCLASTTHREE",

 "given": [

 "BCNCFIRSTTHREE"

 ]

 }

 ],

 "gender": "female",

 "birthDate": "1944-06-06",

 "address": [

 {

 "line": [

 "23 WESTERN ST"

 ],

 "city": "MOUNT AIRY",

 "state": "NC",

 "postalCode": "27030"

 }

 ]

 },

 "search": {

 "mode": "match"

 }

 },

 {

 "fullUrl": "https://apiservicessbext.bcbsnc.com/fhir/sb/R4/payer-to-payer/Provenance/4e44a0f0-e723-3f1b-a6dea3f5023630d0",

 "resource": {

 "resourceType": "Provenance",

 "id": "4e44a0f0-e723-3f1b-a6de-a3f5023630d0",

 "meta": {

 "versionId": "1",

 "lastUpdated": "2021-08-04T08:58:05.801-04:00",

 "source": "#sAN2NtgMboFqXbTd",

 "profile": [

 "http://hl7.org/fhir/us/core/StructureDefinition/uscore-provenance"

 ]

 },

 "target": [

 {

 "reference": "Patient/2657",

 "identifier": {

 "type": {

 "coding": [

 {

 "system":

"http://terminology.hl7.org/CodeSystem/v2-0203",

 "code": "MB"

 }

 ]

 },

 "value": "J1269564601"

 }

 },

 {

 "reference": "Condition/26efcfd2-acfb-31bb-b2feb48574ff188f"

 },

 {

 "reference": "Procedure/6dac3a0e-283b-3a37-a1aab98214efa5ef"

 }

 ],

 "recorded": "2018-10-10T00:00:00.000-04:00",

 "agent": [

 {

 "type": {

 "coding": [

 {

 "system":

"http://terminology.hl7.org/CodeSystem/provenance-participant-type",

 "code": "author"

 }

 ]

 },

 "who": {

 "reference": "Organization/BCBSNC"

 }

 }

 ]

 },

 "search": {

 "mode": "match"

 }

 }

 ... this is only a subset of the entire output ...

Get User Profile for an Authorization Token

HTTP GET /connect/userinfo

The UserInfo Endpoint is an OAuth 2.0 Protected Resource. The above URL fetches the fictitious beneficiary’s basic account information given an Authorization Token. This is most often used when creating an account within your application. An HTTP GET is called and the response is returned as JSON.

curl --header "Authorization: Bearer AUTHORIZATION TOKEN"

"https://apiservicessb-ext.bcbsnc.com/v1/connect/userinfo"

{

 "sub": "fflinstone",

 "prefered_username": "fflinstone",

 "given_name": "Fred",

 "family_name:, "Flinstone,

 "name": "Fred Flinstone",

 "email": "pebbles-daddy@example.com",

 "created": "2017-11-28",

 "patient": "123456789",

}