SMART Authorization

401 tenant-mismatch errors in prod

Vlad Abashyn, May 27 2025

Workflow or API calls:

We are developing a patient-facing application that uses offline access via OAuth. The authorization workflow and FHIR data retrieval have been successfully tested in the sandbox environment.

In production, after a patient completes the OAuth authorization flow, both access and refresh tokens are issued successfully. Despite this, every subsequent request to https://fhir-myrecord.cerner.com/r4/... returns a 401 error with a tenant-mismatch message.

Please advise on the possible causes of this tenant mismatch in production, given that the API calls are made using the access token issued in production and the access token appears valid though its payload is missing:

Refresh token looks all right:

{
 "id": "68f577e5-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
 "secret": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX",
 "ver": "1.1",
 "type": "offline_access",
 "profile": "smart-v1",
 "persona": "patient"
}

Background Information:

Developer questions:

Are you an OPN Member? No
Have you signed up to be in the Healthcare Developer Track? No
Are you a registered Code Program member? Yes
Does your App have a presence on the Oracle Healthcare App Marketplace? No

FHIR Endpoint BaseURL: https://fhir-myrecord.cerner.com/r4/Y62ncCuwN85GGa7s0iz44XRnQoc9qr60/

TokenEndpoint: https://authorization.cerner.com/tenants/Y62ncCuwN85GGa7s0iz44XRnQoc9qr60/hosts/fhir-myrecord.cerner.com/protocols/oauth2/profiles/smart-v1/token
https://fhir-myrecord.cerner.com/r4/Y62ncCuwN85GGa7s0iz44XRnQoc9qr60/

Requested Scopes: ["offline_access","openid","patient/AllergyIntolerance.read","patient/Appointment.read","patient/Binary.read","patient/CarePlan.read","patient/CareTeam.read","patient/Condition.read","patient/Consent.read","patient/Coverage.read","patient/Device.read","patient/DiagnosticReport.read","patient/DocumentReference.read","patient/Encounter.read","patient/FamilyMemberHistory.read","patient/Goal.read","patient/Immunization.read","patient/InsurancePlan.read","patient/MedicationAdministration.read","patient/MedicationDispense.read","patient/MedicationRequest.read","patient/NutritionOrder.read","patient/Observation.read","patient/Patient.read","patient/Person.read","patient/Procedure.read","patient/Provenance.read","patient/Questionnaire.read","patient/QuestionnaireResponse.read","patient/RelatedPerson.read","patient/Schedule.read","patient/ServiceRequest.read","patient/Slot.read","profile"]

Actual Result:

{
   "Date": "Sun, 25 May 2025 18:43:39 GMT",
   "Opc-Request-Id": "/636A1433800641DA2AB779CF3CA6F47D/C3F6065D19233951F2A2FE286DCDFCCE",
   "Server": "Oracle API Gateway",
   "Www-Authenticate": "Bearer realm=\"fhir-myrecord.cerner.com\", error=\"invalid_token\", error_description=\"Token is not valid for this tenant\"",
}
{
   "message": "code=\"urn:cerner:error:oauth2:resource-access:tenant-mismatch\", error=\"invalid_token\", error_description=\"Token is not valid for this tenant\"",
   "code": 401
}
This post has been answered by Kol Kheang-Oracle on Aug 22 2025
Added on May 27 2025
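
A pre-flight check for the situation in the post above, as an added example that is not part of the original post or of Oracle's documentation: it compares the tenant and host encoded in the token endpoint with those in the FHIR request URL, and extracts the error code from a 401 like the one shown. The URL path layouts are inferred from the two URLs in the post and are an assumption; the function names are hypothetical.

```python
import re
from urllib.parse import urlparse

# Path layouts inferred from the two URLs in the post (an assumption).
TOKEN_RE = re.compile(r"^/tenants/([^/]+)/hosts/([^/]+)/protocols/oauth2/")
FHIR_RE = re.compile(r"^/r4/([^/]+)(?:/|$)")
PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')  # key="value" pairs

# Values copied from the post.
TOKEN_ENDPOINT = ("https://authorization.cerner.com/tenants/"
                  "Y62ncCuwN85GGa7s0iz44XRnQoc9qr60/hosts/fhir-myrecord.cerner.com"
                  "/protocols/oauth2/profiles/smart-v1/token")
FHIR_BASE = "https://fhir-myrecord.cerner.com/r4/Y62ncCuwN85GGa7s0iz44XRnQoc9qr60/"


def token_binding(token_endpoint):
    """Return (tenant, host) encoded in the token endpoint path."""
    m = TOKEN_RE.match(urlparse(token_endpoint).path)
    if not m:
        raise ValueError("unrecognised token endpoint layout")
    return m.group(1), m.group(2).lower()


def request_binding(request_url):
    """Return (tenant, host) that a FHIR request URL targets."""
    url = urlparse(request_url)
    m = FHIR_RE.match(url.path)
    if not m:
        raise ValueError("unrecognised FHIR URL layout")
    return m.group(1), (url.hostname or "").lower()


def preflight(token_endpoint, request_url):
    """List differences between where a token was issued and where it is sent."""
    t_tenant, t_host = token_binding(token_endpoint)
    r_tenant, r_host = request_binding(request_url)
    problems = []
    if t_tenant != r_tenant:  # tenant IDs are compared case-sensitively
        problems.append(f"tenant: token={t_tenant} request={r_tenant}")
    if t_host != r_host:
        problems.append(f"host: token={t_host} request={r_host}")
    return problems


def classify_401(www_authenticate, body_message):
    """Pull error, description and the URN code out of the 401 header and body."""
    _scheme, _, rest = www_authenticate.partition(" ")
    header = dict(PARAM_RE.findall(rest))
    body = dict(PARAM_RE.findall(body_message))
    return {"error": header.get("error"), "code": body.get("code"),
            "description": header.get("error_description")}
```

With the URLs as posted, `preflight(TOKEN_ENDPOINT, FHIR_BASE + "Patient/123")` reports no differences, so the check only rules out a URL-level tenant or host mix-up.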