Robert Jones

> @robertjustjones Please confirm If you are passing the authorization headers correctly and the client_id is still being required. If so, that would be a bug in our implementation (really...

So here's the [spec](https://hl7.org/fhir/smart-app-launch/app-launch.html#request-7) on refresh_token requests for public apps.  And here's the [example](https://hl7.org/fhir/smart-app-launch/example-app-launch-public.html#refresh-access-token) linked below that. ![Screenshot 2024-01-24 at 11 39 46 ...

Thanks for those. So I've reworked to use a Public client_id for the auth that I'm doing. I'm still able to get a refresh_token and, if I modify the request...

So here's League\OAuth2's [doc](https://oauth2.thephpleague.com/authorization-server/refresh-token-grant/)  And here's the OAuth2 [spec](https://datatracker.ietf.org/doc/html/rfc6749#page-47)  So the League lib implements client_id as...

Updating the team, I'm pursuing a "custom" refresh function in my smart code derived from [here](https://github.com/smart-on-fhir/client-js/blob/8f64b770dbcd0abd30646e239cd446dfa4d831f6/src/Client.ts#L1021) in the [reference client](https://github.com/smart-on-fhir/client-js) that adds the client_id for refresh_token request. That solves my...

Try this hack to avoid that line. ``` STORAGE_S3_ENDPOINT=https://s3.amazonaws.com ```

I guess we could scope it? My use case is that I'm authenticating a user (Admin, non-NPI), but I cannot look-up who that user is without the Practitioner change.

@sjpadgett I forgot this, but it turns out these users are already available through the FHIR Person resource so this isn't increasing data exposure, just relocating it.

@adunsulag I missed running the tests and seeing the post/patch errors. So now a decision on how to go forward... how/where to implement adding FHIR Practitioners without NPI numbers? We...

I compromised here to avoid the decision above. I changed my PR to reference all users for the GET, but not for PATCH/POST. So non-NPI "users" cannot be added or...