Stream: smart
Topic: 'User Info' as part of one of the api call back/ response
Vivek AS (Jan 08 2021 at 05:23):
Does there exist any API callback or response as part of the SMART standard which provides the logged-in user information, mainly the operational roles info like 'admin' etc.?
Of course there exists a standard endpoint 'GET /connect/userinfo' which will give the above info, but this endpoint is currently not supported by most of the SMART auth servers.
Josh Mandel (Jan 08 2021 at 15:04):
We haven't profiled the use of any specific API endpoint for this -- but for our basic "single sign on" use case, the access token response includes an id_token with a fhirUser claim, which is a URL; a client can follow that URL to fetch a resource with details about that user, whether it is a Patient, Practitioner, RelatedPerson, or other person. In other words, we generally prefer to use the FHIR API to accomplish this.
Robert Scanlon (Jan 08 2021 at 16:02):
we generally prefer to use the fhir API to accomplish this
In this particular case, is the FHIR resource pointed at by the fhirUser claim the appropriate place to communicate this information? My understanding is it isn't, because a concept like 'admin user' is out of scope for FHIR. So it should be put in a separate OpenID Connect claim, outside of what SMART has defined. But I'd like to know if I'm wrong here.
Josh Mandel (Jan 08 2021 at 23:08):
@Robert Scanlon you're not wrong here. Still, while the kinds of info you might find by following links from Practitioner --> PractitionerRole and looking at PractitionerRole.code aren't security/user roles, they certainly can be "operational roles info", which was the initial question.
Last updated: Apr 12 2022 at 19:14 UTC