SMART claims token response - 'User' claim removal

[Cerner FHIR Developers]

We are currently reevaluating our strategies around SMART claims token response and plan to terminate the return of 'User' claim. 

In the SMART claim token we currently return both 'user' and open id token(id_token) for the purpose of retrieving information about the current logged-in user, the consumer should always use open id token instead of user for all types of SMART application launches.

 

Some History: We originally returned the 'user' before the open id token was available for all launch scenarios. However, that gap was closed some time ago and this data is now duplicative and a non-standard representation of data provided in a standard manner.

 

Example: The field 'user' marked below will not be returned after the update.

POST /token
 
"token": {
 "need_patient_banner":true,
  "id_token":"eyJraWQiOiIy...',
  "smart_style_url":"https://smart.sandboxcerner.com/styles/smart-v1.json",
  "active_ttl": 48293,
  "token_type":"Bearer",
  "access_token":"eyJraWQi...",
  "refresh_token":"eyJpZCI6...",
  "patient":"123456",
  "scope":"launch online_access profile openid patient\/AllergyIntolerance.read ...",
  "expires_in":570,
  "user":"16128462",
  "tenant":"0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca",
  ...
}

Resolution: Utilize the fhirUser(Highlighted below) from the id_token to determine the current user logged in. Here is a sample decoded id_token payload data.

PAYLOAD: {

  "sub": "sampleuser",
  "aud": "689d8ca4-ddc3-4f1a-a1fd-b0bc956daed2",
  "profile": "https://fhir-ehr.sandboxcerner.com/r4/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Practitioner/98765",
  "iss": "https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/oidc/idsps/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/",
  "name": "Sample, User",
  "exp": 1589918376,
  "iat": 1589917776,
  "fhirUser": "https://fhir-ehr.sandboxcerner.com/r4/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Practitioner/98765"

 }

 

Kindly let us know if there are applications currently in utilization that would break with this update so we can coordinate our timelines accordingly.

Thanks,
Cerner Engineering

[Tony J]

Hi,

We have a client-built provider app running in Production that utilizes the "username" (not "user") claim as part of its internal user authorization workflow.

Are there any plans to remove this particular claim from the access token response?

Thank you for your input.

[Cerner FHIR Developers]

The field we're referring to is user. However, it's worth noting that the "sub" in the id_token would also be the more standard way of getting the information you see in username. Both may vary and not be a true "username" depending on the underlying identity provider.

~ Regards

[Francisco Peña]

Hi, what is the timeline around this?

If it helps we currently use the "user" value in our application.

[lmi...@dosemehealth.com]

We currently are using the to-be-deprecated *user* field. What is the timeline for this changing making it into production?

[Matthew Beermann (Cerner)]

This change was implemented in our non-production environments on August 13th, and is currently scheduled to be implemented in our production environments on August 27th.

[Cerner FHIR Developers]

Hi,

Please be aware, if additional time is required for you to make a change to accomadate this, please let us know as soon as possible and we can adjust our schedule.

Thank you.