Automatic Suspension of Patient-Facing Applications

Cerner FHIR Developers

May 18, 2022, 3:40:15 PM
to Cerner FHIR Developers
Developers of patient-facing applications,

As we announced on 4/29/22 [1], Cerner is enabling a series of TLS and DNS checks [2] on applications to provide trustworthy information to patients so they can make an informed decision about which parties they wish to share their health information with and to further secure the Cerner Ignite APIs by making it more difficult for bad actors to impersonate your applications.

These checks will be run as part of the patient-facing authorization workflow [3] when your application requests and/or refreshes access tokens. As part of the offline_access token refresh process [4], we will be checking to see if any of your application's TLS or DNS information has changed since the initial patient authorization. If the information has changed, your application's refresh token will be suspended and the user will have to re-approve the application in order to use it. For example, if your application's TLS certificate has expired since the previous refresh token was issued, your application's refresh token will be suspended.

When your application's refresh token is suspended, the following steps are recommended for the user experience and to allow use of the application again:

  1. Indicate that the application's access may have been suspended.
  2. Offer a "more information" link/button, hyperlinked to the value returned in the parameter "error_uri".
  3. Offer the ability for the user to re-request authorization for your client application.

This functionality is being "previewed" currently in Cerner’s SMART on FHIR sandbox [5] with an anticipated production date of June 1st. Dates are subject to change and will be followed up with an announcement when the features are released more broadly.

OTHER ACTION ITEMS:
  • Review the documentation [2].
  • Test your patient-facing applications to review the user experience by manually walking through the patient authorization flow.
  • Make updates as needed to allow Cerner to provide the best description of your application to end users.

Should you need assistance please reach out through the Cerner FHIR Developers Group.


[1] https://groups.google.com/g/cerner-fhir-developers/c/oT5Co4SeyJk/m/b3gkwTJGBAAJ
[2] https://fhir.cerner.com/authorization/application-registration-prerequisites.md
[3] https://fhir.cerner.com/authorization/
[4] http://fhir.cerner.com/authorization/#utilizing-refresh-tokens
[5] https://fhir.cerner.com/millennium/r4/#secure-sandbox
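The three user-experience steps above describe what a client should do when a refresh attempt comes back with an error carrying "error_uri". The following is an added example, not code from the post or from Cerner, showing one way a patient-facing app can implement them with only the Python standard library. It assumes the token endpoint answers a failed refresh with the OAuth 2.0 error body from RFC 6749 section 5.2 ("error", "error_description", "error_uri") and that a suspended refresh token is returned as HTTP 400 with error "invalid_grant"; the post names only the "error_uri" parameter, so that error code is an assumption. The endpoint URLs, client_id, scopes and responses below are placeholders constructed for the example.

```python
"""Client-side handling of a suspended refresh token.

Added example, not Cerner's code. Assumes an RFC 6749 section 5.2 error body
on a failed refresh and that a suspended grant surfaces as HTTP 400 with
error "invalid_grant" (the post only names the "error_uri" parameter).
All URLs, client IDs and responses are placeholders.
"""
import base64
import hashlib
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlencode


@dataclass
class RefreshOutcome:
    action: str                      # "use_token", "retry" or "reauthorize"
    message: str                     # text to show the user (step 1 of the post)
    error_uri: Optional[str] = None  # "more information" link (step 2), if safe to show
    access_token: Optional[str] = None


def classify_refresh_response(status: int, body: str) -> RefreshOutcome:
    """Map a token-endpoint response to what the app should do next."""
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        data = {}

    if status == 200 and "access_token" in data:
        return RefreshOutcome("use_token", "Access refreshed.", access_token=data["access_token"])

    error = data.get("error", "")
    error_uri = data.get("error_uri")
    # Defensive assumption: only surface an https link. The app is about to render
    # this value as a clickable button, so never pass through javascript:/http: values.
    if not (isinstance(error_uri, str) and error_uri.startswith("https://")):
        error_uri = None

    # Transient failures: keep the refresh token and try again later.
    if status >= 500 or error == "temporarily_unavailable":
        return RefreshOutcome("retry", "The service is temporarily unavailable.", error_uri)

    # Anything else on a refresh (invalid_grant, or an unrecognised error) means this
    # refresh token is no longer usable: discard it and offer re-authorization (step 3).
    return RefreshOutcome(
        "reauthorize",
        "This application's access may have been suspended. Please re-approve it.",
        error_uri,
    )


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge per RFC 7636: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_reauthorization_url(authorize_endpoint: str, client_id: str,
                              redirect_uri: str, scope: str, aud: str) -> Dict[str, str]:
    """Build the authorization request used to re-request access after a suspension.

    Returns the URL plus the state and PKCE verifier the app must keep
    (server-side, tied to the user's session) to validate the redirect back.
    Assumes the server accepts PKCE (S256) and the SMART "aud" parameter.
    """
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 chars, within RFC 7636's 43..128 range
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "aud": aud,  # SMART App Launch: the FHIR server the token will be used against
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return {"url": f"{authorize_endpoint}?{urlencode(params)}", "state": state, "verifier": verifier}


if __name__ == "__main__":
    # Constructed response, not captured from Cerner.
    suspended = classify_refresh_response(
        400,
        json.dumps({"error": "invalid_grant",
                    "error_description": "refresh token suspended",
                    "error_uri": "https://example.invalid/app-suspended"}),
    )
    print(suspended.action, "|", suspended.message, "|", suspended.error_uri)
    if suspended.action == "reauthorize":
        req = build_reauthorization_url(
            "https://authorization.example.invalid/oauth2/authorize",  # placeholder
            "my-client-id", "https://app.example.invalid/callback",
            "openid fhirUser offline_access patient/Patient.read",
            "https://fhir.example.invalid/r4",
        )
        print(req["url"])
```

When the outcome is "reauthorize", delete the stored refresh token so the app does not keep retrying a suspended grant, and present the message, the "more information" link and a button that starts the new authorization request; do not redirect automatically, since step 3 is about offering the user the choice. Keep the returned state and verifier server-side and compare them on the callback before exchanging the code.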