IOS Mobile App Authentication

[Himanshu Dhingra]

Hello - Along with SMART provider app, we are building a native IOS mobile App for patients that will need to connect to Cerner FHIR server. I am not so clear on the steps to authorize the IOS mobile app. Can you help by answering the below questions:

a) Is it required to register the mobile app with Cerner and get Client ID even though we will ask the user to login with its credentials to the hospital system. Or, can we register the client on first authentication?

b) If it is required to pre-register the mobile app, what will be the redirect url here as it is a native IOS app?

c) Once patient successfully authenticates and gets access/refresh token, we are thinking of using the refresh token to get a new access token for subsequent API calls. Do you know what is the max life of a refresh token? 

Thanks,

Himanshu

[Kol Kheang (Cerner)]

Hello Himanshu,

a) Yes, it's required to register your mobile app for an OAuth2 client id prior to making the call to the APIs.

b) It's whatever your app requires.  See this section: http://fhir.cerner.com/authorization/#native-client-applications-on-mobile-platforms

c) The access token is valid for about 10 minutes.  There are 2 types of scopes that allow refresh tokens: online_access and offline_access.  Depending on which one, it can vary.  Please see this section http://fhir.cerner.com/authorization/#utilizing-refresh-tokens for more details.

Thanks,

Kol

[Himanshu Dhingra]

Thanks Kol ! 

a) can we test the patient login flow (standalone mobile app) on Cerner Sandbox? Which patient shall we use and what credentials can we use to login?

b) Do you have an example of redirect url from the mobile app? Not able to figure out from the documentation how this will actually work from mobile app, so any examples or pointers from your end will be helpful.

Himanshu

[Kol Kheang (Cerner)]

Hi Himanshu,

a) Yes, please see this doc: https://groups.google.com/d/msg/cerner-fhir-developers/edPUbVPIag0/LgD4mGTXBAAJ

b) Here is an example redirect_uri for a native client from the authorization doc: sample.application://callback

Thanks,

Kol

[Himanshu Dhingra]

Hi Kol - we were able to make some progress with the patient facing mobile app and able to connect with Cerner sandbox. I have a few follow up questions:

a) Do we need to get the mobile app (patient facing) approved from Cerner? If yes, is the process same as a provider facing SMART app. The FHIR connection in our mobile app to retrieve patient's health record is one of the many capabilities. Would the whole app need to be submitted to Cerner for approval?

b) Is there a plan for Cerner to upgrade to FHIR STU3 version?

Thanks,

Himanshu

[Eric Sornson (Cerner)]

Hi Himanshu!

If your application is direct to consumer it does not need to be validated by Cerner.

We are working on uplifting our APIs to STU3, but cannot comment on that timeline at this time.

- Eric (Cerner)

[Himanshu Dhingra]

Thanks Eric ! Can you please provide more details.

a) I understand, we will still need to register the app with Cerner to get the Client ID and Secret. Is it correct? Do we need to get into an agreement with the Hospital System as well?

b) What information is required for registering the app?

Himanshu

[Himanshu Dhingra]

Hi Cerner Team, can you please reply to my query below:

a) I understand, we will still need to register the app with Cerner to get the Client ID and Secret. Is it correct? Do we need to get into an agreement with the Hospital System as well?

b) What information is required for registering the app?

Thanks,

Himanshu

[Kol Kheang (Cerner)]

Hello Himanshu,

Sorry for the delay.

a) Yes, you'll need to register the app.  Yes, you'll need to work with hospital systems that you license your app to.
b) To try your app out in our Sandbox, you can register your app using code Console. Once there, you can fill out required details about your app.


Thanks,
Kol