Verifying validity of Cerner endpoint urls


Francesca Ricci-Tam

Dec 2, 2021, 8:31:18 PM
to Cerner FHIR Developers
Hello,

I have a security-related question.
Our confidential patient-facing app, still under development, has been integrated with the Cerner sandbox, and we have been made aware of the directory of Cerner endpoints here: https://github.com/cerner/ignite-endpoints/blob/main/dstu2-patient-endpoints.json
We want to safeguard against the case where a bad actor might try sending us a fake Cerner endpoint url -- complete with conformance metadata that redirects to a fake authorizeUri. If we are supplied with a provider endpoint to integrate with, is there a way to tell from the conformance metadata whether it was issued from Cerner's servers rather than some illegitimate source? In other words, in what way can we distinguish/recognize a valid Cerner endpoint url before the app launch gets to the point of redirecting to the authorizeUri?
Thanks,

Francesca Ricci-Tam

Fenil Desani (Cerner)

Dec 6, 2021, 12:06:25 PM
to Cerner FHIR Developers
Hello,

That list of endpoints (https://github.com/cerner/ignite-endpoints/blob/main/dstu2-patient-endpoints.json) is obsolete. For a Patient App, you would be using the endpoint provided to you, pertaining to a Health System, and discover the Authorization URI from the Conformance Statement - http://fhir.cerner.com/authorization/authorization-specification/#discovery

Thanks,
Fenil

Francesca Ricci-Tam

Dec 7, 2021, 3:31:03 PM
to Cerner FHIR Developers
Hello Fenil,

Thanks a lot.
One more point, though -- where would we get the endpoint from? Will we be provided with an up-to-date directory of endpoints once we are in production?
Cheers,

Francesca

Fenil Desani (Cerner)

Dec 8, 2021, 12:25:01 PM
to Cerner FHIR Developers
Currently, you would request a connection to a site and we would enable that on a case-by-case basis. More information can be found here -
https://groups.google.com/g/cerner-fhir-developers/c/Yf6sxjg0I7U
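
Added example, not part of the thread and not Cerner's code: one way an app could handle the concern raised above is to accept only FHIR base URLs it received out of band for enabled sites (exact match, before fetching any metadata) and then read the authorize URI from the Conformance statement. The host names, the allowlist and the sample Conformance fragment are constructed; the extension URL is the SMART on FHIR `oauth-uris` extension.

```python
from urllib.parse import urlsplit

# SMART on FHIR extension that carries the OAuth endpoints in a Conformance resource.
OAUTH_URIS = "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"
# Constructed allowlist: FHIR base URLs received out of band for enabled sites.
ENABLED_FHIR_BASES = {"https://fhir.example-health.test/dstu2/tenant-a"}

def check_fhir_base(url):
    """Return the normalized base URL if it is allowlisted, else raise ValueError."""
    try:
        p = urlsplit(url)
        port = p.port
    except ValueError:
        raise ValueError("malformed URL")
    if p.scheme != "https" or not p.hostname or p.username or p.password:
        raise ValueError("endpoint must be https with no userinfo")
    if p.query or p.fragment:
        raise ValueError("endpoint must not carry a query or fragment")
    netloc = p.hostname if port in (None, 443) else f"{p.hostname}:{port}"
    base = f"https://{netloc}{p.path.rstrip('/')}"
    if base not in ENABLED_FHIR_BASES:  # exact match, never prefix or substring
        raise ValueError("endpoint is not on the allowlist")
    return base  # fetch base + "/metadata" only after this check passes

def extract_authorize_uri(conformance):
    """Pull the authorize URI out of a Conformance dict and require https."""
    for rest in conformance.get("rest", []):
        for ext in rest.get("security", {}).get("extension", []):
            if ext.get("url") != OAUTH_URIS:
                continue
            for sub in ext.get("extension", []):
                if sub.get("url") == "authorize":
                    uri = sub.get("valueUri", "")
                    if urlsplit(uri).scheme != "https":
                        raise ValueError("authorize URI is not https")
                    return uri
    raise ValueError("no authorize URI in Conformance statement")

# Constructed sample of the relevant part of a Conformance statement.
SAMPLE = {"rest": [{"security": {"extension": [{"url": OAUTH_URIS, "extension": [
    {"url": "authorize",
     "valueUri": "https://authorization.example-health.test/tenant-a/authorize"},
    {"url": "token",
     "valueUri": "https://authorization.example-health.test/tenant-a/token"}]}]}}]}

if __name__ == "__main__":
    base = check_fhir_base("https://FHIR.example-health.test/dstu2/tenant-a/")
    print(base, "->", extract_authorize_uri(SAMPLE))
```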