Stream: inferno
Topic: User-Level Access token
Sumanth Bandaru (Feb 08 2022 at 17:30):
Hello Team,
I have a question on User-level access token in EHR Practitioner Launch. When the app is launched in the context of this FHIR Patient (launch/patient scope with patient selection screen to select one patient), the ID token sent back from authorization server will contain fhirUser claim which is the Url of patient FHIR resource (Inferno reference server has patient FHIR resource). Can this access token be used to pull resources of an other patient that a practitioner can access or it can only be used for the patient that is selected from patient selection screen?
Thanks
Stephen MacVicar (Feb 08 2022 at 18:47):
If user-level scopes were requested during the launch (e.g. user/Patient.read), then the user could access any of those resources that they are allowed to, not just those for the current patient. If the user should only be allowed to access resources for the current patient, then patient-level scopes need to be used. This distinction is true even if the user is a Patient, as there are cases where a patient could have access to more than just their own data (such as a parent and child).
The fhirUser claim represents the current user, not the current patient.
Sumanth Bandaru (Feb 08 2022 at 20:27):
Thank You very much Stephen.
Related to fhirUser claim I found this ID token from Inferno reference server tests, this looks like a patient resource url. Here is the link to inferno EHR practitioner app launch tests I just ran.
https://inferno.healthit.gov/inferno/iikvUnq9I6r/
Here is the ID Token from the tests
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIiLCJhdWQiOiJTQU1QTEVfQ09ORklERU5USUFMX0NMSUVOVF9JRCIsImlzcyI6Imh0dHBzOi8vaW5mZXJuby5oZWFsdGhpdC5nb3YvcmVmZXJlbmNlLXNlcnZlci9yNCIsImV4cCI6MTY3NTg3NTg3NiwiaWF0IjoxNjQ0MzM5ODc2LCJmaGlyVXNlciI6Imh0dHBzOi8vaW5mZXJuby5oZWFsdGhpdC5nb3YvcmVmZXJlbmNlLXNlcnZlci9yNC9QYXRpZW50Lzg1In0.R6pUgECP3qOPxgTpFAVaaEIuLwfd0ewb2GQwnnbpRwjGdAdgAHRJDZzD8tgRbhMHoRuJp8oWxACBW65FlwdHFizjFfnP_TfSa13GyI4ZrC-1gfNg5ER1m-xIxWB0Puy0hmW0nJEpTeWQ7ytjoTGKd0KTtOibf3Nq9e9wt8wxKxqOgBaz-_1fMVOqGm-19yPlOy7XvxIg_8RMlb-56CXP7wcsobA_H5jspxTNB90uU28mmoMlL6w0xvEbAkPgu1tguEqLwaGXonkBWJDd7e4IOJ4sA11AlZ2PUVhCQa9yx-r9GHfDY06h1rJpLhSOAcAZCumxhMZuovNcn3oaIrjk_g
Let me know your thoughts here.
Stephen MacVicar (Feb 09 2022 at 12:50):
fhirUser could be a Patient, but doesn't have to be. The reference server is just for demonstration purposes. You should not infer any certification requirements from its data.
Sumanth Bandaru (Feb 09 2022 at 14:51):
Ok Gotcha. Thanks for the clarity. I appreciate your help.
Last updated: Apr 12 2022 at 19:14 UTC
