Register client to Cerner with our system account


divya korangi

Dec 6, 2017, 5:24:57 PM
to Cerner FHIR Developers


Hi,

How do we get a client registered to your API via our system account?

We have an app registered to Cerner API and we have a System account created to access data from Cerner. We have different clients using our app. So how do we register a client to both of our applications (our app we registered and Cerner API)? Following "Requesting Authorization on Behalf of a System" under http://fhir.cerner.com/authorization/, I see that to get an authorization token we are passing a hard-coded value under grant type, which is 'client_credentials' (grant_type=client_credentials). How do we send this request specific to a client using our system account?


Thanks,

Divya

Jenni Syed (Cerner)

Dec 8, 2017, 1:43:27 PM
to Cerner FHIR Developers
Hi Divya,

Once your application works in sandbox, you would normally apply to the code program: https://code.cerner.com/en/submit

If you're developing something custom on behalf of a client, the client can request your app in their non-prod for testing. They need to have Ignite enabled for development/set up on their site.

~ Jenni

divya korangi

Dec 11, 2017, 11:18:46 AM
to Cerner FHIR Developers

Hi Jenni,

Ours is a third party Integration app that pulls data for each of our clients. We are planning to use Cerner API to pull data for clients registered to Cerner using our integration. I am trying to understand how this process would work after applying our app to the code program.

Right now we have registered our app to Cerner and have a system account. Do we need anything additional to distinguish our clients also?
 
In our App, how do we Authorize for a specific client to get the access token that would give access to pull only client specific data from Cerner?

Right now we just pass on our system account id and secret and a hard coded grant type - client credentials to get the access token. Do we get any client specific credentials that we need to pass in the Authorization request?

Thanks,
Divya

Jenni Syed (Cerner)

Dec 12, 2017, 10:22:52 AM
to Cerner FHIR Developers
Hi Divya,

Once you're part of the code program, we'll help you with the specific URLs the app will need for clients that decide to purchase your application. The id and secret will change for production, but not by client.

~ Jenni

angela...@gmail.com

Dec 12, 2017, 12:29:21 PM
to Cerner FHIR Developers
Hi Jenni,

Maybe it would help if you had our entire use scenario, because we are still not understanding how this will work.  It seems like our use case is different from other vendors.  We will not be pulling data one patient at a time.  There is no user interface that the client will plug into.  There is nothing for a client to pay for or download.  We don't intend to install any software client-side.  

The way our other APIs have worked is that the client authorizes us to have access to their data.  We are provided with something (client credentials) that distinguishes that the data is specific to the client.  We key in those credentials into our integration configuration.  Then our integration hits the API with the vendor credentials as well as the client credentials to retrieve appointment data.  This integration will grab all appointment data daily for this client.  The integration will work for numerous clients, the only difference being the Cerner credentials for each client.  Sometimes those credentials are a username & password, sometimes those credentials are a refresh token specific to the client, sometimes those credentials are a URL specific to that client.

So that's the process we're trying to figure out right now.  How do we get the credentials?  Will Cerner provide those to us?  Will the client provide those to us? Is there some automated registration process, where the client logs into Cerner and grants access to us to send us a token?


Thank you,
Angela

Jenni Syed (Cerner)

Dec 13, 2017, 11:56:36 AM
to Cerner FHIR Developers
Angela,

With access on behalf of a system ("B2B"), which is what the app uses now, there are no user credentials. Keep in mind that the production service may be rate limited - so it depends on how much data you're trying to grab/how often. The FHIR URL differentiates which provider the data comes from.

I can't speak to what the business side of this will be - I think those conversations happen as part of onboarding into the code program.

~ Jenni

divya korangi

Dec 14, 2017, 10:37:30 AM
to Cerner FHIR Developers
Hi Jenni,

By 'behalf of a system doesn't use any user credentials', do you mean the system account will have access to all the data? Do you recommend a different type of account for our use case scenario?

Can you please elaborate on this - 'The FHIR URL differentiates which provider the data comes from.' Are you referring to the practitioner id passed as a parameter?

And there were no conversations as part of onboarding to the code program. We just signed up and received details of the system account registered to our app.

~Divya

Jenni Syed (Cerner)

Dec 14, 2017, 12:52:29 PM
to Cerner FHIR Developers
Divya,
 
> By 'behalf of a system doesn't use any user credentials', do you mean the system account will have access to all the data? Do you recommend a different type of account for our use case scenario?


The system account will have access to all the data in the tenant. If you have no interactive user, there is no other option for your application to integrate with besides the access on behalf of the system. 

With OAuth, the application should never have visibility to the user's credentials (and the site could choose to use 2 factor or other authentication mechanisms that do not use user/pass).
 
> Can you please elaborate on this - 'The FHIR URL differentiates which provider the data comes from.' Are you referring to the practitioner id passed as a parameter?


By provider, I mean the hospital or clinical system that owns the data. Not a user or practitioner.
 
> And there were no conversations as part of onboarding to the code program. We just signed up and received details of the system account registered to our app.

It sounds like you have applied, but have not completed the process to fully join yet. I believe the confirmation email mentioned some review processes and that you would hear back at a later date. I encourage you to check out the FAQs that the form links to in order to: https://code.cerner.com/faqs

The FAQ above covers how long it will take once you hear back about your application, some of the effort involved, and a bit about the business side of the process.

~ Jenni

divya korangi

Dec 14, 2017, 5:24:03 PM
to Cerner FHIR Developers
Is there any documentation/ examples available on how to use 2 factor or other authentication mechanisms using system account for Cerner API? Can you please share?

Is there an example of the 'The FHIR URL' that differentiates which provider the data comes from in the documentation? Can you please share the links?

~Divya

Jenni Syed (Cerner)

Dec 15, 2017, 4:01:23 PM
to Cerner FHIR Developers
Divya,

The application itself does not do anything to authenticate users when using OAuth - that is the purpose of OAuth, to help consumers be more secure and not pass credentials through 3rd parties. Your application only authenticates itself using the client id and secret it was given during registration.

An example of FHIR links is given here: http://fhir.cerner.com/millennium/dstu2/#resource-identity The GUID that changes in the URL identifies different provider systems. 

You will be given links to systems once your application is in the program and a client approves your application to access their environment (for non-patient applications). Without that process, the FHIR and OAuth server would reject your credentials to environments other than our public sandbox.

~ Jenni
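
Added example (not from the thread or from Cerner's documentation): a sketch of how an integration with one client id and secret can keep its customers apart, since the replies above say the secret does not change by client and the GUID in the FHIR URL selects the provider system. The hosts, GUIDs, customer keys, the per-tenant token URL, the scope string and the use of HTTP Basic for the credentials are all assumptions made for illustration.

```python
import base64
from urllib.parse import quote_plus, unquote, urlencode, urlsplit

# Constructed per-customer settings. Hosts, GUIDs and customer keys are
# placeholders, not real Cerner endpoints or tenants.
_A = "11111111-1111-1111-1111-111111111111"
_B = "22222222-2222-2222-2222-222222222222"
TENANTS = {
    "clinic-a": {"token_url": f"https://auth.example.invalid/tenants/{_A}/token",
                 "fhir_base": f"https://fhir.example.invalid/dstu2/{_A}/"},
    "clinic-b": {"token_url": f"https://auth.example.invalid/tenants/{_B}/token",
                 "fhir_base": f"https://fhir.example.invalid/dstu2/{_B}/"},
}


def build_token_request(customer, client_id, client_secret, scope):
    """Return (url, headers, body) for a client_credentials token request."""
    tenant = TENANTS[customer]  # unknown customer raises KeyError: fail closed
    # Assumption: credentials travel in HTTP Basic (RFC 6749 section 2.3.1).
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return tenant["token_url"], headers, body


def in_tenant(customer, url):
    """True only if url stays under this customer's FHIR base URL."""
    base, got = urlsplit(TENANTS[customer]["fhir_base"]), urlsplit(url)
    if ".." in unquote(got.path).split("/"):  # no climbing into another tenant
        return False
    return ((got.scheme, got.netloc) == (base.scheme, base.netloc)
            and got.path.startswith(base.path))


def fhir_url(customer, relative_path):
    """Join a relative resource path onto the customer's FHIR base, or refuse."""
    url = TENANTS[customer]["fhir_base"] + relative_path.lstrip("/")
    if "://" in relative_path or not in_tenant(customer, url):
        raise ValueError("request would leave the customer's tenant")
    return url
```

Running `in_tenant` on every server-supplied link (such as a paging link) before following it keeps a job for one customer from reading another customer's tenant with the shared credentials.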

divya korangi

Dec 18, 2017, 10:34:32 AM
to cerner-fhir...@googlegroups.com
Is the system account feature available in production? 





--
Regards,
Divya

divya korangi

Jan 4, 2018, 1:04:25 PM
to Cerner FHIR Developers
Thank you for the information. We currently have a system account registered for the sandbox. 

Can we register a system account for a production instance currently? Is Requesting Authorization on Behalf of a System available for the production instance?

Thanks,
Divya

Jenni Syed (Cerner)

Jan 8, 2018, 3:10:31 PM
to Cerner FHIR Developers
Divya,

For "system to system" applications, you cannot go to production without going through validation and being part of our code developer program. Also, as mentioned in the documentation, system to system access isn't currently available broadly.

Regards,
~ Jenni

divya korangi

Jul 24, 2018, 9:41:42 AM
to Cerner FHIR Developers
Hi,

Wanted to check if there are any updates on this as of today - We currently have a system account registered for the sandbox. 

Can we register a system account for a production instance currently? Is Requesting Authorization on Behalf of a System available for the production instance?

Thanks,
Divya

Jenni Syed (Cerner)

Jul 24, 2018, 1:18:22 PM
to Cerner FHIR Developers
Divya,

For all applications that are provider or system facing, you should apply for the code program and will need to go through validation before being able to move forward to production. System accounts are still not widely available in production, but that is a discussion that would occur as part of the code program evaluation.

Regards,
Jenni
