How do you get the Cerner username?

[Steve Clark]

After the SMART app is authenticated in the Cerner PowerChart environment, how do you get the Cerner username (i.e. the username which the user used to log into PowerChart)?

[Jenni Syed (Cerner)]

Hi Steve,

Do you need the actual username? Or just an identifier and/or name of the person logged in?

The openid and profile scopes would trigger the Authorization server to pass back an id_token with the Practitioner link for the logged in user. See also: https://groups.google.com/d/msg/cerner-fhir-developers/KW0qplRk1No/bDUDw7XcEAAJ

~ Jenni

[Steve Clark]

Yes, we need the actual Cerner username - the one the user uses to log into PowerChart and other Cerner apps. Can we get this?

[Steve Clark]

Please answer the following:

1) Is there any way to obtain the Cerner username (i.e. the username used by the user to sign into PowerChart and other Cerner apps)?

2) The link to the Practitioner is returned in smart.client_id (e.g. https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Practitioner/4464007). So, when I attempt to execute smart.user.read(), it breaks. Should the link be returned in client_id, or should this just be the ID by itself (i.e. 4464007)?

3) The link to the Practitioner returns:

{
  "resourceType": "Practitioner",
  "id": "4464007",
  "meta": {
  "versionId": "1",
    "lastUpdated": "2017-01-26T16:02:19.000-06:00"
},
  "text": {
  "status": "generated",
    "div": "<div><p><b>Practitioner</b></p><p><b>Name</b>: Portal, Portal</p><p><b>Status</b>: Active</p></div>"
},
  "active": true,
  "name": {
  "use": "usual",
    "text": "Portal, Portal",
    "family": [
    "Portal"
  ],
    "given": [
    "Portal"
  ],
    "period": {
    "start": "2016-08-23T14:09:16.000-05:00"
  }
}
}

I do not see any type of unique user identification other than the ID itself (i.e. 4464007). Is this the expected result?

Thank you.

[Jenni Syed (Cerner)]

Steve,

For 1 - we have some additional questions/discussion ongoing. Expect another post with questions regarding this :)

2: The URL you're referring to is the Profile URL. It's defined to be the FHIR URL to the resource, not just the id: http://docs.smarthealthit.org/authorization/scopes-and-launch-context/#scopes-for-requesting-identity-data (and I assume you're referring to the id_token contents, not the client_id)

3: Per the FHIR standard, that fully qualified URL is what is guaranteed to be unique. Within the specific FHIR server/Practitioner resource combination, that id is considered unique.

~ Jenni

[Matt Randall (Cerner)]

There is not a guaranteed mechanism for retrieving an individual's username, however it is possible to obtain the user's local principal, identified as the "sub" value in the id_token returned in the authorization response when requesting the scope of "openid".  Generally speaking, this principal will match the Millennium username - it's possible in the future that as Cerner adds authentication features that this could be some other form of federated identifier, such as a user principal name or other identifier being sent by an external authentication system.  Would you be able to elaborate a bit more on your use case (persistence requirements for the identifier, etc.)?

I'll have to defer the question on the Practitioner resource to my other colleagues, but as far as I'm aware, the id of the record is the only unique identifier for an individual - it corresponds to the internal Millennium personnel identifier.

[Steve Clark]

Jenni,

For #2 - I am saying that when I do this in JavaScript: "function onReady(smart)  { ... ", the smart object that is returned looks like this:

api: Object
authenticated: function (p)
fetchBinary: function (path)
get: function (p)
getBinary: function (url)
patient: Object
server: Object
state: Object
tokenResponse: Object
user: Object
userId: "https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Practitioner/4464007"

It seems that userId should not be a link, but should instead be the user's ID (in this case, 4464007).

When I attempt to do a "smart.patient.read()", it blows up. I am wondering if this is because the user ID should be an ID and not a link?

Thank you.

[Jenni Syed (Cerner)]

I'm not intimately familiar with the library you're using, but I would not expect patient.read to read the user. We also don't pass back a field called "userid" set to the value referenced above (or, we shouldn't be). I assume that's a variable defined by the library. 

What error do you get? Is there a Correlation id or X-Request-Id so we could dig into cause?

~ Jenni

[Steve Clark]

Thank you for your reply! The use case - we need to interface with an outside organization who requires the user's Cerner username. I wanted to clarify what you said - "as far as I'm aware, the id of the record is the only unique identifier for an individual - it corresponds to the internal Millennium personnel identifier". Are you saying that the ID in the Practitioner resource (in my example, 4464007) is that same as the PERSON_ID in Cerner's Oracle PRSNL table? Thank you.

[Jenni Syed (Cerner)]

It does currently, but that id is supposed to be opaque per FHIR, and we could change the pattern in the future. Between the two options, you're likely better off with using the sub OR: There's also a "username" claim that comes back in the SMART context (non-standard) that could be used. If we ever changed that, we would need to reach out to all developers. Of the options, this one is actually named/intended to be username.

[Kol Kheang (Cerner)]

Hi Steve,

You can retrieve the username from the token response claim section of the OAuth2 response.

In the function onReady(smart) {

...

var obj = {};

// retrieve username

obj.username = smart.tokenResponse.username;

..

}

Thanks,

Kol