We are currently reevaluating our strategies around the SMART claims token response and plan to stop returning the 'user' claim.
The SMART claim token currently returns both 'user' and the OpenID token (id_token) for retrieving information about the currently logged-in user. Consumers should always use the OpenID token instead of 'user' for all types of SMART application launches.
Some history: We originally returned 'user' before the OpenID token was available for all launch scenarios. However, that gap was closed some time ago, and this data is now duplicative and a non-standard representation of data that is already provided in a standard manner.
Example: The field 'user' marked below will not be returned after the update.
POST /token
"token": {
"need_patient_banner":true,
"id_token":"eyJraWQiOiIy...",
"smart_style_url":"https://smart.sandboxcerner.com/styles/smart-v1.json",
"active_ttl": 48293,
"token_type":"Bearer",
"access_token":"eyJraWQi...",
"refresh_token":"eyJpZCI6...",
"patient":"123456",
"scope":"launch online_access profile openid patient\/AllergyIntolerance.read ...",
"expires_in":570,
"user":"16128462",
"tenant":"0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca",
...
}
Resolution: Use the fhirUser claim (highlighted below) from the id_token to determine the currently logged-in user. Here is a sample decoded id_token payload.
PAYLOAD: {
"sub": "sampleuser",
"aud": "689d8ca4-ddc3-4f1a-a1fd-b0bc956daed2",
"profile": "https://fhir-ehr.sandboxcerner.com/r4/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Practitioner/98765",
"iss": "https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/oidc/idsps/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/",
"name": "Sample, User",
"exp": 1589918376,
"iat": 1589917776,
"fhirUser": "https://fhir-ehr.sandboxcerner.com/r4/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Practitioner/98765"
}
Kindly let us know if there are applications currently in use that would break with this update so we can coordinate our timelines accordingly.
Thanks,
Cerner Engineering
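The migration described above, as an added example that is not Cerner's code: it reads the current user from fhirUser in the id_token instead of the removed 'user' field, and rejects tokens whose iss, aud, exp or fhirUser location are not what the client expects. It assumes the id_token signature has already been verified against the issuer's published keys by your JWT library; the function names, the allow-list of user resource types and the constructed sample token are this example's own.

```python
import base64
import json

# Allow-list of resource types this example accepts as a "user" (an assumption).
USER_TYPES = {"Practitioner", "Patient", "RelatedPerson", "Person"}

def decode_payload(id_token):
    """Base64url-decode the JWT payload. This does NOT verify the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    seg = parts[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def current_user(token_response, issuer, client_id, fhir_base, now):
    """Return (resource_type, id) from fhirUser after checking iss, aud and exp."""
    claims = decode_payload(token_response["id_token"])
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("id_token was not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token has expired")
    prefix = fhir_base.rstrip("/") + "/"
    ref = claims.get("fhirUser") or ""
    if not ref.startswith(prefix):
        raise ValueError("fhirUser is missing or not on the expected FHIR server")
    rtype, _, rid = ref[len(prefix):].partition("/")
    if rtype not in USER_TYPES or not rid or "/" in rid:
        raise ValueError("fhirUser is not a reference to a user resource")
    return rtype, rid

def b64url_json(obj):  # encodes one segment of the constructed sample token
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample built from the values in the decoded payload shown above.
TENANT = "0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca"
ISSUER = f"https://authorization.sandboxcerner.com/tenants/{TENANT}/oidc/idsps/{TENANT}/"
FHIR_BASE = f"https://fhir-ehr.sandboxcerner.com/r4/{TENANT}"
CLIENT_ID = "689d8ca4-ddc3-4f1a-a1fd-b0bc956daed2"  # the sample "aud" value
CLAIMS = {"sub": "sampleuser", "aud": CLIENT_ID, "iss": ISSUER,
          "exp": 1589918376, "iat": 1589917776,
          "fhirUser": f"{FHIR_BASE}/Practitioner/98765"}

def make_response(claims):
    """Build a token response with no 'user' field, as after the update."""
    header = {"typ": "JWT", "kid": "constructed"}
    token = ".".join([b64url_json(header), b64url_json(claims), "c2ln"])
    return {"id_token": token, "patient": "123456", "token_type": "Bearer"}
```

Calling `current_user(make_response(CLAIMS), ISSUER, CLIENT_ID, FHIR_BASE, now=1589917800)` returns the resource type and id taken from fhirUser; the response it reads contains no 'user' field.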