How to get current logged in user details inside my smart app?

[akshaya parimaladevi]

If this is a question about an error or issue you are seeing, please fill out the following fields:

• Issue Summary: (include links to documentation, and describe what you've tried so far. Do NOT include request or response bodies unless this is from our public sandbox)I have an application which is launched successfully but i want to get the logged in users info like namr or email is inside my smartapp.
• X-Request-Id or CorrelationId: (from Response or Error Message)

[Michele Mottini]

Add the 'openid profile' scopes, you will get back an id_token with the user info. See https://fhir.cerner.com/authorization/ and the openid specs

  - Michele

  CareEvolution Inc

[akshaya parimaladevi]

Can you explain that with an example? Because i need Profile value for authentication validation.

Thanks,

Akshaya A

--
You received this message because you are subscribed to the Google Groups "Cerner FHIR Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cerner-fhir-devel...@googlegroups.com.
To post to this group, send email to cerner-fhir...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/CAMK4NFO%3DRyRnQZ9XYbQ0JODnqROwHJNH2y4_0ZU6qLzxKrEoUw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Kol Kheang (Cerner)]

Hi Akshaya,

I searched and found multiple posts that were answered previously related to username:

- https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!searchin/cerner-fhir-developers/logged$20in$20user|sort:date/cerner-fhir-developers/U-4I1KSDrq4/bC-llJK-BwAJ

- https://groups.google.com/forum/#!msg/cerner-fhir-developers/T-QegfjizYs/rWe_RGUTDQAJ

- https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!searchin/cerner-fhir-developers/logged$20in$20user|sort:date/cerner-fhir-developers/pScQXXAAJf4/fglhhOqJAgAJ

- https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!searchin/cerner-fhir-developers/logged$20in$20user|sort:date/cerner-fhir-developers/0LIK-2Af-5s/-D_4tmiiBgAJ

Please take a look at the posts above for way to get details on the logged in user.

Thanks,

Kol

[akshaya parimaladevi]

How to get the complete profile details?

[akshaya parimaladevi]

but 

How to get the complete profile details?

[Jenni Syed (Cerner)]

Can you clarify? What specific details are you looking for about the user?

Thanks

Jenni

[akshaya parimaladevi]

Like email id or their profile details.

> --
> You received this message because you are subscribed to the Google Groups "Cerner FHIR Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to cerner-fhir-devel...@googlegroups.com.
> To post to this group, send email to cerner-fhir...@googlegroups.com.

> To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/6eabd2c0-dcfb-46fb-b69f-1623abbf96c5%40googlegroups.com.

[Jenni Syed (Cerner)]

Akshaya,

From the previous examples that Kol listed, especially: https://groups.google.com/d/msg/cerner-fhir-developers/T-QegfjizYs/osxwbzEbDQAJ (and the conversation around it), what specific questions do you have/where are you having issues right now? Is your application requesting and authorized for the scopes listed (openid profile user/Practitioner.read)? Is the app unable to read the id_token? Is the app having issues calling the Practitioner URL returned to read Practitioner details (you can see what is returned from that resource in our documentation as well)?

The "profile details" can be seen in that conversation, which also calls out the possible need to read Practitioner for further details (assuming the practitioner is the one signed into the app).

~ Jenni

[akshaya parimaladevi]

I am not able to read the practitioner details.I tried it.

[Tobin Chew]

 What are the request that failed details (url, headers, method, any body) and what are the response objects that have succeeded so far in the application's lifecycle?

--
You received this message because you are subscribed to the Google Groups "Cerner FHIR Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cerner-fhir-devel...@googlegroups.com.
To post to this group, send email to cerner-fhir...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/e2ddc933-75c7-40d4-9039-b3ff1ebea26f%40googlegroups.com.

[akshaya parimaladevi]

while reading the id token i get the details below :

{

  "sub": "portal",

  "aud": "e34e88d7-e646-4688-bbfa-7a8ad310aa6b",

  "profile": "https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Practitioner/4464007",

  "iss": "https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/oidc/idsps/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/",

  "name": "Portal, Portal",

  "exp": 1530009088,

  "iat": 1530008488,

  "fhirUser": "https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Practitioner/4464007"

}
using jwt i easily decoded the id token and get the above details.I specified the scope of email,user/Practitioner.read these scope values are missing.And also how to decode the encoded id token response in js.

To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/CAHUwZ1Fw7_5kFSKXt1_Ez5qPNrcREOWK1V%2BuhPrZBOHe%2BfwzUA%40mail.gmail.com.

[Michele Mottini]

And also how to decode the encoded id token response in js.

https://stackoverflow.com/questions/38552003/how-to-decode-jwt-token-in-javascript

  - Michele

  CareEvolution Inc

[Tobin Chew]

Have you tried decoding the access_token + going to the 
  "profile": "https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Practitioner/4464007"

[Jenni Syed (Cerner)]

Akshaya,

Can you please provide the X-Request-Id header value returned in the response headers from the apps call to the Practitioner resource? We need this in order to help you troubleshoot.

Regards,

~ Jenni

[akshaya parimaladevi]

This is the response i got from id token :

{

  "sub": "portal",

  "aud": "e34e88d7-e646-4688-bbfa-7a8ad310aa6b",

  "profile": "https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Practitioner/4464007",

  "iss": "https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/oidc/idsps/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/",

  "name": "Portal, Portal",

  "exp": 1530009088,

  "iat": 1530008488,

  "fhirUser": "https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Practitioner/4464007"

}

Thanks,

Akshaya

--

You received this message because you are subscribed to the Google Groups "Cerner FHIR Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cerner-fhir-devel...@googlegroups.com.
To post to this group, send email to cerner-fhir...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/1728ee02-e935-4627-ae91-d0f7ad223a46%40googlegroups.com.

[akshaya parimaladevi]

X-Request-Id : b90c1aa4a4f8ce135ee3d729bb88d9ef

[akshaya parimaladevi]

I tried it but it shows HTTP ERROR 401.

[Kol Kheang (Cerner)]

Hello Akshaya,

Based on the X-Request-Id above, the error happened due to calling the Practitioner resource without the Bearer token in the Authorization header.  The endpoint that you used is a protected endpoint that requires a valid token to access.  You can resolve this by adding "Authorization" header to the Postman request with a valid access token that your app received from the Authorization server.

If you are just testing and wanting to see what the response would be for the Practitioner resource, you can use our open endpoint, which does not require an access token.  See link:

https://fhir-open.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Practitioner/4464007

Thanks,

Kol

[akshaya parimaladevi]

Even though i added the access token along with it am not able to see any details it showing the same 401 error

--
You received this message because you are subscribed to the Google Groups "Cerner FHIR Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cerner-fhir-devel...@googlegroups.com.
To post to this group, send email to cerner-fhir...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/84253031-63b9-4c45-8419-05083485754f%40googlegroups.com.

[akshaya arumugam]

I am using this script to get details of practitioner but still am not able to get the details.It again shows 401 unauthorized access

function getAllClients() {

           var authToken = {

               "access_token": "...",

               //"access_token": "...", // JWT

               "token_type": "Bearer",

               "expires_in": "3600",

               "scope": "openid profile read write email user/Practitioner.read",

               "state": "1299139105028949"

           }

         

           $.ajax({

               headers: {

                   Accept: "application/json+fhir",

                   "Content-Type": "application/json+fhir"

               },

               url: "https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Practitioner/4464007",

               type: "get",

               dataType: "json",

               beforeSend: function (request) {

                   request.setRequestHeader("Authorization", authToken.token_type + " " + authToken.access_token);

               }

              

           });

[Jenni Syed (Cerner)]

I see one request yesterday at 11:13 PM America/Chicago from your application to read Practitioner which included the Bearer token. It looks like that failed due to there being no Accept header sent. This may have been a request sent via Postman based on other headers.

None of the other requests we have contain a populated Authorization header from your application.

Note: As long as you supply the X-Request-Id that was returned to the application in the response headers, we can track down what our server received and how the call was made.

I don't think the code above is doing what you think it's doing - you may want to step through it in a debugger.

~ Jenni

[akshaya parimaladevi]

Thank you Now i am able to get them.

On Fri, Jun 29, 2018 at 9:20 AM akshaya arumugam <akshayapa...@gmail.com> wrote:

Again this is my X-Request-Id →571f14df288dd7825dcdf19ca2457c0b.Authorization header is access token right.

--

You received this message because you are subscribed to the Google Groups "Cerner FHIR Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cerner-fhir-devel...@googlegroups.com.
To post to this group, send email to cerner-fhir...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/59d791c8-5b1a-417c-aa0d-25b5d478ecbc%40googlegroups.com.

[akshaya arumugam]

Using those scopes am not able to get the email id of the user.The id token returned doesn't contain email id.

[Michele Mottini]

I think you are missing a space after 'Bearer' - it should be 

    var token = "Bearer " + token;

 also, not sure what this is supposed to be:

   "header": arr[0],

but it looks wrong to me

  - Michele

  CareEvolution Inc

On Fri, Jun 29, 2018 at 4:15 AM, akshaya arumugam <akshayapa...@gmail.com> wrote:

This is my script to get the details but in example smart app it again shows 401 error.but in postman it runs successfully. var token = smart.server.auth.token; var text="Bearer"+token; var settings = { "async": true, "crossDomain": true, "url": obj1.fhirUser, "method": "GET", "headers": { "Accept": "application/json+fhir", "header": arr[0], "Authorization":text, "Cache-Control": "no-cache", } } var id=''; $.ajax(settings).done(function (response) { var value=response; id=value.id; });

[Michele Mottini]

Using those scopes am not able to get the email id of the user.The id token returned doesn't contain email id.

The id_token contains the URL of the Practitioner resource that contains it - and from your other messages you are already reading (or trying to read) that

  - Michele

  CareEvolution Inc

[akshaya parimaladevi]

Thank you It helped me.

--
You received this message because you are subscribed to the Google Groups "Cerner FHIR Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cerner-fhir-devel...@googlegroups.com.
To post to this group, send email to cerner-fhir...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/CAMK4NFM5nfaiMPYfqMgJutybXqAC5dqMAFcY8ZByUadsY7FWqQ%40mail.gmail.com.

[Jenni Syed (Cerner)]

Note that the email is on the Practitioner: https://fhir.cerner.com/millennium/dstu2/individuals/practitioner/#overview (the contact info) but it is not a required field/may not always be filled out.

The user/Practitioner.read scope is all you need to read the details that we have about the Practitioner/current user.

Regards,

Jenni

[akshaya arumugam]

Thanks for the help.I have one more doubt to ask how authorization and authentication is working,in test application there is an username and password given using that I am authenticating the application.How it validates that the entered username and password is valid one?For example,I have an application I placed it in cerner there are multiple users to my application,from that one user is trying to authenticate it how come it validates the user whether he is valid user or not to my application? Is there any unique id or key field will be given  or each user is provided with separate id's?

Regards.

Akshaya 

[akshaya arumugam]

Just to simplify my questions - all I need is a unique id for the logged in user authenticated by cerner. Using this ID i will be able to see if he/she has permissions to view my external website data. I can check if this ID is present in my external website and will be showing further information. 

Or is there a better method to validate the same cerner logged in user to access external website data.. This external website restricts information to certain users not all users logged / authenticated into cerner will have access. 

Regards

Akshaya  

[Kol Kheang (Cerner)]

Hi Akshaya,

As part of a successful /token response call from the Authorization server, you'll get username as well as user (user id) of the logged in user. 

Regards,

Kol

[akshaya parimaladevi]

The below is the response or id token which i recieved in this which one is id of the user how should I identify it

 {

 "sub": "portal",

  "aud": "e34e88d7-e646-4688-bbfa-7a8ad310aa6b",

  "profile": "https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Practitioner/4464007",

  "iss": "https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/oidc/idsps/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/",

  "name": "Portal, Portal",

  "exp": 1530009088,

  "iat": 1530008488,

  "fhirUser": "https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/Practitioner/4464007"

}

--

You received this message because you are subscribed to the Google Groups "Cerner FHIR Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cerner-fhir-devel...@googlegroups.com.
To post to this group, send email to cerner-fhir...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/3f43e06d-1adc-4776-a10a-bf2d58b099e2%40googlegroups.com.

[Kol Kheang (Cerner)]

Hi Akshaya,

That is a different response than what I'm talking about.  I'm talking about this POST to the token endpoint here: https://authorization.sandboxcerner.com/tenants/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/protocols/oauth2/profiles/smart-v1/token.

The response is in this format:

{
    "need_patient_banner": true,
    "id_token": "...",
    "smart_style_url": "https://smart.sandboxcerner.com/styles/smart-v1.json",
    "encounter": "...",
    "token_type": "Bearer",
    "access_token": "...",
    "refresh_token": "...",
    "patient": "...",
    "scope": "... launch online_access openid profile",
    "expires_in": 570,
    "user": "4464007",
    "tenant": "...",
    "username": "portal"
}

As you can see, "user" and "username" fields represent the currently logged in user.

Kol

[akshaya parimaladevi]

As you mentioned above in that is user is the id of the current user?And also when and how should I get this response in cerner.Will you please specify?

Thanks,

Akshaya

--

You received this message because you are subscribed to the Google Groups "Cerner FHIR Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cerner-fhir-devel...@googlegroups.com.
To post to this group, send email to cerner-fhir...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/c536bff5-1e52-4ef9-9ca6-ecb510d54aa4%40googlegroups.com.

[akshaya parimaladevi]

I know the token is got from the response. Just I want to make sure that is user is the ID?

Thanks,

Akshaya

[Kol Kheang (Cerner)]

Yes, user is the user ID of the username of the currently logged in user.

Regards,

Kol

[akshayapa...@gmail.com]

Thank you so much.

 

Regards

Akshaya

 

Sent from my Windows 10 phone

--

You received this message because you are subscribed to the Google Groups "Cerner FHIR Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cerner-fhir-devel...@googlegroups.com.
To post to this group, send email to cerner-fhir...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/cerner-fhir-developers/e9ed6779-94ce-43eb-89b1-7c950cbffc93%40googlegroups.com.

[akshaya arumugam]

1.How the id of the user is specified or given and how it is also available in my app to validate?

2.Where can i get the domain name?

3.What is that FHIRPLAY in the login page?

Regards,

Akshaya

[Kol Kheang (Cerner)]

Hi Akshaya,

1. How the user id is assigned is an implementation detail of the EHR.  The app shouldn't need to know this detail.  Regarding how your app validates the users is up to your implantation.  One way that I could think of is to work with your customer to get a list of approved users.  Then the app can check and validates the currently logged in user with the pre-approved users.

3. FHIRPLAY in the login page represents the Sandbox domain/environment that you can use to test your apps against Cerner's implementation of SMART on FHIR.

2. The 'FHIRPLAY' domain value is not returned.  However, this domain value is represented uniquely by the tenant id ("tnt" param) that is returned with the /token call.  For FHIRPLAY, the tenant id is represented by this ID: 0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca.  See this page for more info: https://fhir.cerner.com/millennium/dstu2/#service-root-url


Regards,

Kol

[akshaya arumugam]

how to check the login session is valid or not?

Regards

Akshaya

[Daya]

I will be interested in knowing this too. Our need is to issue a JWT in our app for the Cerner authenticated user that has an active session.

~Daya

[Jenni Syed (Cerner)]

Daya,

As Kol mentioned, the bearer token you receive shouldn't be used to secure your application/you shouldn't need to validate it beyond making sure the correct state comes back. From that point forward, it should only be used to call the Cerner FHIR server implementation.

If you want to use the id_token as a way to "log in" to your application, you'll want to make sure you validate it. You can see more information on this here: https://fhir.cerner.com/authorization/openid-connect/

And an example of someone that is using this to help establish a session in their app: https://groups.google.com/d/msg/cerner-fhir-developers/pScQXXAAJf4/KYkFSGwnCAAJ (I think there are several posts about this on the google group, so you can search for things like id_token and openid to find others).

Again: the bearer token should *not* be used to secure your application, but the openId portions can be used to establish a session with your application servers. You should make sure to validate that the token is from an issuer you trust, and that the users have access to your application (however you enforce that in your business model).

~ Jenni