Register client to Cerner with our system account

[divya korangi]

Hi,

How do we get a client registered to your API via our system account?

We have an app registered to Cerner API and we have a System account created to access data from Cerner. We have different clients using our app. So how do we register a client to both of our applications (our app we registered and Cerner API). By Following- Requesting Authorization on Behalf of a System under http://fhir.cerner.com/authorization/ , I see that to get authorization token we are passing a hard coded value under grant type which is ‘client_credentials’(grant_type=client_credentials). How do we send this request specific to a client using our system account?

Thanks,

Divya

[Jenni Syed (Cerner)]

Hi Divya,

Once your application works in sandbox, you would normally apply to the code program: https://code.cerner.com/en/submit

If you're developing something custom on behalf of a client, the client can request your app in their non-prod for testing. They need to have Ignite enabled for development/set up on their site.

~ Jenni

[divya korangi]

Hi Jenni,

Ours is a third party Integration app that pulls data for each of our clients. We are planning to use Cerner API to pull data for clients registered to Cerner using our integration. I am trying to understand how this process would work after applying our app to the code program.

Right now we have registered our app to Cerner and have a system account. Do we need anything additional to distinguish our clients also?

 

In our App, how do we Authorize for a specific client to get the access token that would give access to pull only client specific data from Cerner?

Right now we just pass on our system account id and secret and a hard coded grant type - client credentials to get the access token. Do we get any client specific credentials that we need to pass in the Authorization request?

Thanks,

Divya

[Jenni Syed (Cerner)]

Hi Divya,

Once you're part of the code program, we'll help you with the specific URLs the app will need for clients that decide to purchase your application. The id and secret will change for production, but not by client.

~ Jenni

[angela...@gmail.com]

Hi Jenni,

Maybe it would help if you had our entire use scenario, because we are still not understanding how this will work.  It seems like our use case is different from other vendors.  We will not be pulling data one patient at a time.  There is no user interface that the client will plug into.  There is nothing for a client to pay for or download.  We don't intend to install any software client-side.  

The way our other APIs have worked is that the client authorizes us to have access to their data.  We are provided with something (client credentials) that distinguishes that the data is specific to the client.  We key in those credentials into our integration configuration.  Then our integration hits the API with the vendor credentials as well as the client credentials to retrieve appointment data.  This integration will grab all appointment data daily for this client.  The integration will work for numerous clients, the only difference being the Cerner credentials for each client.  Sometimes those credentials are a username & password, sometimes those credentials are a refresh token specific to the client, sometimes those credentials are a URL specific to that client.

So that's the process we're trying to figure out right now.  How do we get the credentials?  Will Cerner provide those to us?  Will the client provide those to us? Is there some automated registration process, where the client logs into Cerner and grants access to us to send us a token?

Thank you,

Angela

[Jenni Syed (Cerner)]

Angela,

With access on behalf of a system ("B2B"), which is what the app uses now, there are no user credentials. Keep in mind that the production service may be rate limited - so it depends on how much data you're trying to grab/how often. The FHIR URL differentiates which provider the data comes from.

I can't speak to what the business side of this will be - I think those conversations happen as part of onboarding into the code program.

~ Jenni

[divya korangi]

Hi Jenni,

By 'behalf of a system doesn't use any user credentials', do mean the system account will have access to all the data? Do you recommend a different type of account for our use case scenario?

Can you please elaborate n this please - 'The FHIR URL differentiates which provider the data comes from.' Are you referring to the practitioner id passed as a parameter ?

And there were no conversations as part of on boarding to the code program. We just signed up and received details of the system account registered to our app.

~Divya

[Jenni Syed (Cerner)]

Divya,

 

By 'behalf of a system doesn't use any user credentials', do mean the system account will have access to all the data? Do you recommend a different type of account for our use case scenario?

The system account will have access to all the data in the tenant. If you have no interactive user, there is no other option for your application to integrate with besides the access on behalf of the system. 

With OAuth, the application should never have visibility to the user's credentials (and the site could choose to use 2 factor or other authentication mechanisms that do not use user/pass).

 

Can you please elaborate n this please - 'The FHIR URL differentiates which provider the data comes from.' Are you referring to the practitioner id passed as a parameter ?

By provider, I mean the hospital or clinical system that owns the data. Not a user or practitioner.

 

And there were no conversations as part of on boarding to the code program. We just signed up and received details of the system account registered to our app.

It sounds like you have applied, but have not completed the process to fully join yet. I believe the confirmation email mentioned some review processes and that you would hear back at a later date. I encourage you to check out the FAQs that the form links to in order to: https://code.cerner.com/faqs

The FAQ above covers how long it will take once you hear back about your application, some of the effort involved, and a bit about the business side of the process

~ Jenni

[divya korangi]

Is there any documentation/ examples available on how to use 2 factor or other authentication mechanisms using system account for Cerner API? Can you please share?

Is there an example of the 'The FHIR URL' that differentiates which provider the data comes from in the documentation? Can you please share the links?

~Divya

[Jenni Syed (Cerner)]

Divya,

The application itself does not do anything to authenticate users when using OAuth - that is the purpose of OAuth, to help consumers be more secure and not pass credentials through 3rd parties. Your application only authenticates itself using the client id and secret it was given during registration.

An example of FHIR links is given here: http://fhir.cerner.com/millennium/dstu2/#resource-identity The GUID that changes in the URL identifies different provider systems. 

You will be given links to systems once your application is in the program and a client approves your application to access their environment (for non-patient applications). Without that process, the FHIR and OAuth server would reject your credentials to environments other than our public sandbox.

~ Jenni

[divya korangi]

Is the system account feature available in production? 

--
You received this message because you are subscribed to a topic in the Google Groups "Cerner FHIR Developers" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/cerner-fhir-developers/I9LjPDQ7Xm4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to cerner-fhir-developers+unsub...@googlegroups.com.
To post to this group, send email to cerner-fhir-developers@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/49c50118-4d2c-4cdb-a970-67fc98f5c7b5%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Regards,

Divya

[divya korangi]

Thank you for the information. We currently have a system account registered for the sandbox. 

Can we register a system account for a production instance currently? Is Requesting Authorization on Behalf of a System available for the production instance?

Thanks,

Divya

[Jenni Syed (Cerner)]

Divya,

For "system to system" applications, you cannot go to production without going through validation and being part of our code developer program. Also, as mentioned in the documentation, system to system access isn't currently available broadly.

Regards,

~ Jenni

[divya korangi]

Hi,

Wanted to check if there are any updates on this as of today - We currently have a system account registered for the sandbox. 

Can we register a system account for a production instance currently? Is Requesting Authorization on Behalf of a System available for the production instance?

Thanks,

Divya

[Jenni Syed (Cerner)]

Divya,

For all applications that are provider or system facing, you should apply for the code program and will need to go through validation before being able to move forward to production. System accounts are still not widely available in production, but that is a discussion that would occur as part of the code program evaluation.

Regards,

Jenni