Handling 'Go Back' at patient portal login


Francesca Ricci-Tam

Mar 9, 2023, 4:04:48 PM
to Oracle Cerner FHIR Developers
Hello,

for background: our patient-facing app is using Smart-on-FHIR for standalone launch.
When a patient logs in (enters username and password) in the portal, then changes their mind and clicks "Deny Access" instead of proceeding, our app's redirect uri is then called with the following query params:

{"state":"REDACTED","error":"access_denied","error_uri":"https://authorization.cerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Agrant%3Adenied-by-user/instances/696ca944-e03a-45fd-a74d-091b2086da27?persona=patient&client=REDACTED&tenant=REDACTED"}

Can you confirm that the redirect uri gets called with the query param error=access_denied ONLY in the case when the patient clicks "Go Back", and that this never would happen due to some bug/issue that occurs after they clicked "Proceed" instead? I am trying to understand how we can handle the situation gracefully where a patient voluntarily selects to terminate the login process with "Go Back", instead of treating it as an authentication error.

Thanks,

Francesca

Aaron McGinn (Oracle Cerner)

Mar 10, 2023, 4:33:07 PM
to Oracle Cerner FHIR Developers
When an authorization error occurs, information should be shown [1] to the user that includes a hyperlink to the error_uri returned.

The REDACTED state returns when the user/patient has denied the prompt and does not have access to any resources. There may be other error states that are returned with the error value of access_denied.


-Aaron (Oracle Cerner)

Francesca Ricci-Tam

Mar 13, 2023, 6:45:37 PM
to Oracle Cerner FHIR Developers
Hello Aaron,

so does the fact that a state is returned mean that the user/patient denied the prompt, whereas if there was no state returned, it would indicate something went wrong (and the error value would be access_denied in both cases)?
Thanks,

Francesca
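
An added example, not part of the thread and not Oracle Cerner's code: one way a redirect handler could separate the denied-by-user callback shown in the first post from the other access_denied responses mentioned in the reply. It assumes the URN segment of error_uri identifies the error type, as in that sample; the function names, the app.example redirect URI and the sample values are hypothetical.

```javascript
// Added example; names and sample values are hypothetical.
// Assumption: the URN path segment of error_uri names the specific error,
// as in the denied-by-user callback posted at the top of this thread.
const USER_DENIED_URN =
  "urn:cerner:error:authorization-server:oauth2:grant:denied-by-user";

// Returns the decoded URN from /errors/<urn>/instances/<id>, or null.
function errorUrnFrom(errorUri) {
  let url;
  try { url = new URL(errorUri); } catch { return null; }
  if (url.protocol !== "https:") return null; // never render non-https links
  const parts = url.pathname.split("/");
  const i = parts.indexOf("errors");
  if (i === -1 || !parts[i + 1]) return null;
  try { return decodeURIComponent(parts[i + 1]); } catch { return null; }
}

function classifyCallback(callbackUrl, expectedState) {
  const q = new URL(callbackUrl).searchParams;
  // RFC 6749 section 4.1.2.1: state is echoed on error responses whenever the
  // request carried it, so it binds the response to our request and nothing more.
  if (!expectedState || q.get("state") !== expectedState) {
    return { outcome: "reject", reason: "state_mismatch" };
  }
  const error = q.get("error");
  if (error === null) {
    return q.get("code")
      ? { outcome: "proceed" }
      : { outcome: "error", reason: "missing_code" };
  }
  const urn = errorUrnFrom(q.get("error_uri") || "");
  if (error === "access_denied" && urn === USER_DENIED_URN) {
    return { outcome: "user_cancelled", urn }; // e.g. return to the start screen
  }
  // Any other access_denied (or other error) stays an authorization error.
  return { outcome: "error", reason: error, urn };
}

// Constructed sample callback builder (app.example is a placeholder redirect URI).
function sampleCallback(params) {
  const u = new URL("https://app.example/callback");
  for (const [k, v] of Object.entries(params)) u.searchParams.set(k, v);
  return u.toString();
}
const SAMPLE_DENIED_URI = "https://authorization.cerner.com/errors/" +
  encodeURIComponent(USER_DENIED_URN) +
  "/instances/00000000-0000-0000-0000-000000000000?persona=patient";
```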