Does refresh token require confidential client registration


Yong Wu

Oct 4, 2019, 1:58:23 PM
to Cerner FHIR Developers
Hi,

Per folks' suggestion from the SMART on FHIR group, I am sending the question here.

With the new proposed ONC rule, it may require a refresh token for 3 months. The question is "do I need to register as a confidential client or public client"?
A refresh token usually requires a client secret to be issued, so that it is used to request an access token as well as a refresh token, or a refresh token to access. If I check online_access in registration, there is no place to add a client secret. If I need to register as a confidential app, I won't be able to answer some of the questions to apply for a system account, like which Cerner associate I am working with, and which Cerner client it is, because I am just doing proof-of-concept development and testing.

Would anyone be able to shine some light on this?


Hank DeDona

Oct 4, 2019, 2:50:05 PM
to Cerner FHIR Developers
Hey Yong,

In order to refresh an access token for 3 months, you'll need to request what is referred to as an "offline_access" refresh token which will require you to request and acquire a client secret. A client secret, however, is not required for "online_access" refresh tokens as they are only valid for as long as the user is logged in for. Does this answer your question?

Thanks,
Hank (Cerner)
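
The distinction in the reply above, as an added example that is not part of the thread or of Cerner's documentation: a refresh request built per RFC 6749, where a confidential client (offline_access) authenticates with HTTP Basic and a public client (online_access) has no secret to send. The function names, the token URL and all sample values are constructed, and sending `client_id` in the body for a public client is an assumption to check against the authorization server's documentation.

```python
import base64
from urllib.parse import quote_plus, urlencode


def needs_client_secret(scope: str) -> bool:
    """Per the reply above: offline_access needs a secret, online_access does not."""
    return "offline_access" in scope.split()


def build_refresh_request(token_url, refresh_token, scope, client_id, client_secret=None):
    """Return (url, headers, body) for a refresh_token grant (RFC 6749 section 6)."""
    if needs_client_secret(scope) and not client_secret:
        # Fail before any network call: a public registration cannot
        # redeem an offline_access refresh token.
        raise ValueError("offline_access requested but no client secret configured")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if client_secret:
        # Confidential client: HTTP Basic authentication (RFC 6749 section 2.3.1).
        # The secret goes in the header, never in the form body or a URL.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:
        # Public client: nothing to authenticate with. Identifying the app by
        # client_id in the body is an assumption, not confirmed by the thread.
        form["client_id"] = client_id
    return token_url, headers, urlencode(form)


if __name__ == "__main__":
    # Constructed sample values, not real credentials or endpoints.
    url = "https://authorization.example.org/token"
    cases = (("launch online_access", None),
             ("launch offline_access", "constructed-secret"))
    for scope, secret in cases:
        _, headers, body = build_refresh_request(
            url, "constructed-refresh-token", scope, "constructed-client-id", secret)
        print(scope, "->", sorted(headers), body)
```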

Yong Wu

Oct 4, 2019, 3:33:38 PM
to cerner-fhir...@googlegroups.com
I could certainly choose offline_access when adding a new app. However, it requires a system GUID, which I assume is the client secret.
In order to get a system GUID, I will need to apply for a system account.
In order to submit the application for a system account, I need to fill out quite some information about which Cerner associate I am working with. But I don't have this because I am just doing a proof of concept.

Am I understanding this correctly that I will need to get a system account? If yes, how do I fill out the Cerner associate contact info?

-Yong


Jenni Syed (Cerner)

Oct 4, 2019, 3:36:06 PM
to Cerner FHIR Developers
Hi Yong,

Follow the directions given on our registration page: https://fhir.cerner.com/authorization/#registering-a-system-account

This tells you how to fill out the fields and what information to provide when requesting a sandbox system account to be used in our public sandbox.

Thanks,
Jenni