SMART claims token response - 'User' claim removal


Cerner FHIR Developers

May 28, 2020, 2:13:13 PM
to Cerner FHIR Developers

We are currently reevaluating our strategies around the SMART claims token response and plan to terminate the return of the 'User' claim.

In the SMART claims token we currently return both 'user' and the OpenID token (id_token) for the purpose of retrieving information about the currently logged-in user. The consumer should always use the OpenID token instead of 'user' for all types of SMART application launches.

Some History: We originally returned the 'user' before the open id token was available for all launch scenarios. However, that gap was closed some time ago and this data is now duplicative and a non-standard representation of data provided in a standard manner.

Example: The field 'user' marked below will not be returned after the update.

POST /token

"token": {
  "need_patient_banner": true,
  "id_token": "eyJraWQiOiIy...",
  "smart_style_url": "https://smart.sandboxcerner.com/styles/smart-v1.json",
  "active_ttl": 48293,
  "token_type": "Bearer",
  "access_token": "eyJraWQi...",
  "refresh_token": "eyJpZCI6...",
  "patient": "123456",
  "scope": "launch online_access profile openid patient\/AllergyIntolerance.read ...",
  "expires_in": 570,
  "user": "16128462",
  "tenant": "0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca",
  ...
}


Resolution: Utilize the fhirUser (highlighted below) from the id_token to determine the currently logged-in user. Here is a sample decoded id_token payload.


Kindly let us know if there are applications currently in utilization that would break with this update so we can coordinate our timelines accordingly.

Thanks,
Cerner Engineering
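The following is an added example, not code from Cerner or from this thread, showing how a SMART client can identify the logged-in user from the id_token's fhirUser and sub claims instead of the legacy 'user' field, verifying the token before trusting any of its claims. The id_token here is constructed and signed with an HS256 secret so the example runs offline; a production token from Cerner would be verified against the authorization server's published signing keys (assumption), and the issuer, audience, tenant and fhirUser values below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example only: an HS256 shared secret so the sample token can be
# signed and verified offline. A real id_token is verified against the authorization
# server's published signing keys instead (assumption; not shown here).
DEMO_SECRET = b"example-secret-not-a-real-key"
FIXED_NOW = 1_600_000_000  # constructed "current time" so the sample token is never stale


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_id_token(payload: dict) -> str:
    """Build a constructed HS256 JWT carrying the given claims (used for the sample below)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(DEMO_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(id_token: str, expected_aud: str, now: Optional[float] = None) -> dict:
    """Check signature, audience and expiry, then return the claims; an unverified payload is never used."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-segment JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; the token must not choose it
        raise ValueError("unexpected alg in id_token header")
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("id_token signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != expected_aud:
        raise ValueError("id_token was not issued to this client")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("id_token has expired")
    return claims


def current_user(token_response: dict, expected_aud: str, now: Optional[float] = None) -> dict:
    """Identify the logged-in user from the id_token; the legacy 'user' field is never consulted."""
    claims = verify_id_token(token_response["id_token"], expected_aud, now)
    fhir_user = claims.get("fhirUser")
    if not fhir_user:
        raise ValueError("id_token carries no fhirUser claim")
    # fhirUser is an absolute FHIR resource reference; its last two path segments
    # give the resource type (e.g. Practitioner) and the resource id.
    segments = fhir_user.rstrip("/").split("/")
    if len(segments) < 2:
        raise ValueError("fhirUser is not a ResourceType/id reference")
    return {"fhirUser": fhir_user, "resource_type": segments[-2],
            "resource_id": segments[-1], "sub": claims.get("sub")}


# Constructed sample claims; issuer, audience and the fhirUser URL are placeholders.
SAMPLE_CLAIMS = {
    "iss": "https://authorization.example.invalid/",
    "sub": "16128462",
    "aud": "example-client-id",
    "exp": FIXED_NOW + 600,
    "fhirUser": "https://fhir.example.invalid/r4/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Practitioner/16128462",
}

# Constructed token response shaped like the one in the post above, with no 'user' field.
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "access_token": "opaque-access-token-placeholder",
    "id_token": make_demo_id_token(SAMPLE_CLAIMS),
    "patient": "123456",
    "tenant": "0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca",
    "expires_in": 570,
}

if __name__ == "__main__":
    print(current_user(SAMPLE_TOKEN_RESPONSE, "example-client-id", now=FIXED_NOW))
```

The client reads the user's identity only from claims that passed signature, audience and expiry checks, so a response that drops 'user' (or 'username') changes nothing for it; sub is kept alongside fhirUser because, as noted later in the thread, sub is the standard counterpart of username and neither is guaranteed to be a human-readable username.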

Tony J

Jun 4, 2020, 12:09:04 AM
to Cerner FHIR Developers
Hi,

We have a client-built provider app running in Production that utilizes the "username" (not "user") claim as part of its internal user authorization workflow.

Are there any plans to remove this particular claim from the access token response?

Thank you for your input.

Cerner FHIR Developers

Jun 4, 2020, 10:13:27 AM
to Cerner FHIR Developers
The field we're referring to is user. However, it's worth noting that the "sub" in the id_token would also be the more standard way of getting the information you see in username. Both may vary and not be a true "username" depending on the underlying identity provider.

~ Regards

Francisco Peña

Aug 19, 2020, 5:04:04 PM
to Cerner FHIR Developers
Hi, what is the timeline around this?

If it helps we currently use the "user" value in our application.


lmi...@dosemehealth.com

Aug 23, 2020, 7:44:37 PM
to Cerner FHIR Developers
We are currently using the to-be-deprecated *user* field. What is the timeline for this change making it into production?

Matthew Beermann (Cerner)

Aug 25, 2020, 4:37:19 PM
to Cerner FHIR Developers
This change was implemented in our non-production environments on August 13th, and is currently scheduled to be implemented in our production environments on August 27th.

Cerner FHIR Developers

Aug 25, 2020, 5:02:21 PM
to Cerner FHIR Developers
Hi,

Please be aware: if additional time is required for you to make a change to accommodate this, let us know as soon as possible and we can adjust our schedule.

Thank you.