Is there an OAuth2 UserInfo endpoint in Cerner sandbox?


Alex De Jong

Oct 17, 2016, 9:10:39 PM
to Cerner FHIR Developers

Does the Cerner sandbox support the OAuth2 userinfo similar to the Google API (https://oauthssodemo.appspot.com/step/4)?

We are looking to use the user information in our SMART app. The SMART app will call FHIR and non-FHIR resources, so the idea is to get a user context from OAuth2 that can be used by the non-FHIR resources.

Thanks,
Alex

Jenni Syed

Oct 19, 2016, 3:48:39 PM
to Cerner FHIR Developers
Hi Alex,

We currently don't support the userinfo endpoint, and assume this type of information would be retrieved via the profile URL (pointing to a FHIR resource). We haven't exposed Practitioner yet for this purpose, but that is something we're working on rolling out.

~ Jenni

Alex De Jong

Oct 29, 2016, 1:49:01 PM
to Cerner FHIR Developers

Is there any way in the interim to get a user context for the logged on user? We'd like to SSO into our REST APIs from the SMART app. I can map the Cerner issued user to an "API user identity" assuming there's some unique ID associated with the user that I can get, and validate it.

Thanks!
Alex

Jenni Syed

Oct 31, 2016, 2:00:57 PM
to Cerner FHIR Developers
Alex,

Depending on what you're trying to do, the actual link to the Practitioner resource that's returned is unique per FHIR root URL that's passed to you during launch.

~ Jenni

Alex De Jong

Oct 31, 2016, 4:14:04 PM
to Cerner FHIR Developers

Yes, I saw that info coming back and was planning to use that. I am looking for a server-side validation that this "userId" is actually associated with the logged-on user. I was planning to make a call to the Practitioner resource (with the OAuth2 token) to find "self" to see if I could match them up as a validation :-) 

I also noticed the authorization server maintains an active session which we might be able to query, but I could not find documentation on this (I noticed it in the OpenID/OAuth2 hand-shake). 

The use case is somewhat simple: start the SMART app with the user/patient context from the EMR, the app uses a combination of FHIR resources and REST endpoints provided with the SMART app. Both FHIR and the app's server endpoints need to be protected, so I was hoping to use the OAuth2 token to obtain the user context to validate/log the identity of the user before allowing access.

Let me know if this helps clarify the use case.
Alex

Alex De Jong

Nov 23, 2016, 10:00:43 AM
to Cerner FHIR Developers

Here's what I ended up doing to get a validated user identity:
  • Decode the OAuth2 JWT token
  • Match the “iss” attribute with our app’s whitelist of “trusted” authorization servers
  • Validate the token signature using the appropriate public key obtained from the keys URL (found via OIDC*)
  • Get the “sub” and “tenant” attribute from the token
  • The combination of sub/tenant is the unique user ID we map to our user identity

This way we can log based on a username that the user actually knows ;-)

Clearly having the OpenID UserInfo and/or Practitioner resources available would help to get additional information on who the user is, but the above steps at least establish SSO and our app has a (secure) validated user context to work with.

kko...@gmail.com

Feb 22, 2017, 8:55:55 PM
to Cerner FHIR Developers
Hi Jenni,

Is there any update on User Profile info? I think uniquely and correctly identifying the current user is critical in maintaining an audit trail in the apps.

Thanks,
_K

Jenni Syed (Cerner)

Feb 23, 2017, 4:26:53 PM
to Cerner FHIR Developers
It is still planned/in process. 

Ameer Zaffar Sulaiman

Mar 9, 2017, 8:24:37 AM
to Cerner FHIR Developers
Alex,
Just a quick follow-up and wondering if this approach has been working in meeting your requirements. We have to do something very similar and wanted to know if there were any additional gotchas to using this idea.

Thanks

Ameer

chris....@vincari.com

Jun 6, 2017, 8:07:22 PM
to Cerner FHIR Developers
Jenni,

Just wanted to reactivate this thread. Has support for UserInfo been added, or is it still in-process?

Regards,
Chris

Jenni Syed (Cerner)

Jun 7, 2017, 2:58:28 PM
to Cerner FHIR Developers
Are you asking about UserInfo or Practitioner/the profile url? UserInfo wasn't in progress, though it's something we've looked at. SMART itself is trying to iron out details of what's required for this endpoint, so we'll be watching that discussion.

For Practitioner, we're running through validation right now, but if you read conformance for our sandbox, the resource is now there. We haven't published doc yet for this, so it's not fully validated and available yet. But you can try it out :)

~ Jenni

Jenni Syed (Cerner)

Jul 7, 2017, 11:54:00 AM
to Cerner FHIR Developers


Mark Gidman

Jul 26, 2017, 12:11:07 PM
to Cerner FHIR Developers
Matt Randall from Cerner has a very good walkthrough/demo of this process on GitHub.

See Lab 6: OpenID

It walks you through the process of validating the id_token.  This lets you extend Cerner's SSO process into your own system in a way that makes sure the user was actually authenticated by Cerner and the JWT was not spoofed. 