Hi,
I'm having a similar issue.
I just now registered a separate App and requested a new account with Provider scope next to the System scope.
We're looking into using OpenID to authenticate the users, hoping we can get the related Practitioner resource from that.
Maybe that's a solution for you as well if you already have authentication support?
The scope ‘profile’ will additionally request that the OpenID Connect token include the claim “profileURL”, as defined by the SMART® on FHIR® authorization framework. This URL identifies the specific FHIR® resource URL of the authenticated user.
So, then at least we can fetch the Practitioner after authentication and use it later as the author of the DocumentReference when we create the DocRef using the System scope account (or we could use the offline access mechanism method).
If we were able to search for a Practitioner using some attributes the user actually knows (like email, or Identifiers), that would simplify a lot.
That's the direction I'm looking into right now ... don't know if this is helpful for you.
Kind regards,
Kristof.
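
The flow described in the post above, as an added example that is not part of the original post or of any vendor's code: it takes the `profileURL` claim from an ID token and checks that it names a Practitioner on the expected FHIR server before using it as the DocumentReference author. It assumes the token's signature, issuer, audience and expiry were already verified by the OIDC library; the function names, FHIR base URL and sample claims are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# FHIR logical ids: 1-64 characters from letters, digits, '-' and '.'
_FHIR_ID = re.compile(r"[A-Za-z0-9\-.]{1,64}")


def practitioner_reference(claims, fhir_base):
    """Return 'Practitioner/<id>' from the profileURL claim, or raise ValueError.

    `claims` must come from an ID token that has already passed signature,
    issuer, audience and expiry checks (assumed to be done by the OIDC library).
    """
    url = claims.get("profileURL")
    if not isinstance(url, str):
        raise ValueError("ID token has no profileURL claim")
    got, base = urlsplit(url), urlsplit(fhir_base)
    if got.scheme != "https" or got.query or got.fragment:
        raise ValueError("profileURL must be a plain https URL")
    # Comparing the whole netloc also rejects userinfo tricks (user@host).
    if got.netloc.lower() != base.netloc.lower():
        raise ValueError("profileURL points at a different host")
    prefix = base.path.rstrip("/") + "/"
    if not got.path.startswith(prefix):
        raise ValueError("profileURL is outside the FHIR base path")
    parts = got.path[len(prefix):].split("/")
    if len(parts) != 2 or parts[0] != "Practitioner":
        raise ValueError("profileURL is not a Practitioner resource")
    pid = parts[1]
    # Ids made only of dots would act as path segments when dereferenced.
    if not _FHIR_ID.fullmatch(pid) or pid.strip(".") == "":
        raise ValueError("invalid Practitioner id")
    return "Practitioner/" + pid


def author_element(claims, fhir_base):
    """DocumentReference.author fragment for the authenticated user."""
    return [{"reference": practitioner_reference(claims, fhir_base)}]


# Constructed sample values; the host and id are placeholders.
FHIR_BASE = "https://fhir.example.org/r4"
SAMPLE_CLAIMS = {"sub": "user-1", "profileURL": FHIR_BASE + "/Practitioner/abc-123"}

if __name__ == "__main__":
    print(author_element(SAMPLE_CLAIMS, FHIR_BASE))
```

Deriving the author from the verified token rather than from user-supplied input keeps the System scope account from writing a DocumentReference under an identity the user did not authenticate as.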