
SMART Authorization


Error Code: urn:cerner:error:authorization-server:client-assertion:jwt-bearer:invalid-signature

David Murphy, May 19 2025

Workflow or API calls:

I'm attempting to generate a JWT token for use with Cerner FHIR R4 using my client_id but with the Cerner sandbox. I'm following Example Backend Services Flow - SMART App Launch v2.2.0.

First, I call the Well-known config endpoint and get the token URL:

https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/hosts/fhir-ehr-code.cerner.com/protocols/oauth2/profiles/smart-v1/token

Then, I call the token URL with my client_assertion:

{"client_assertion":"eyJraWQiOiI2NjQxM2Y0YS04MmQ3LTRlZGItODI2Mi01NDVkZDRiZTRjNjQiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzM4NCJ9.eyJleHAiOjE3NDc2NzIwMzYsInN1YiI6IjY2NDEzZjRhLTgyZDctNGVkYi04MjYyLTU0NWRkNGJlNGM2NCIsImF1ZCI6Imh0dHBzOi8vYXV0aG9yaXphdGlvbi5jZXJuZXIuY29tL3RlbmFudHMvZWMyNDU4ZjItMWUyNC00MWM4LWI3MWItMGU3MDFhZjc1ODNkL2hvc3RzL2ZoaXItZWhyLWNvZGUuY2VybmVyLmNvbS9wcm90b2NvbHMvb2F1dGgyL3Byb2ZpbGVzL3NtYXJ0LXYxL3Rva2VuIiwiaXNzIjoiNjY0MTNmNGEtODJkNy00ZWRiLTgyNjItNTQ1ZGQ0YmU0YzY0IiwianRpIjoiYjJkNjg5MTgtYzNiMy00ODIzLWIwYmYtZTg3ZGRmMDM4ZWMxIiwiaWF0IjoxNzQ3NjcxNzM3fQ.HIao1LJigxZzylOyYeuFjrWfp0XX6A5cP0MjB6wFpDXUIyIYG7UBJOloa1w-OywoT5q-4zFNEPjiF0HCzjSFQNuY7LqzS4lGBSOBijgD5NJgqrBm96BD8CxujJl3nNvVzr8fBCPZVixKrBFnDX20a4Vanxume8KEL1s_V3Im5nEDBBbmmloXtto9fRyCZqkeE6JP4lvEPk1Ip2sJrSN30KrWKQCbun4ZU8h4vEWhswnz5YiMPoLPCcKvxN0fm1-ih2JuhpX2U950v2FO3oBNzQXPcS9M3S8uS4-HJwopjB3mQqY3Wgj0je8hixGI-SQsU5FUUvgmm3WJ-SGVv0doQA4yvMW-YDgH10KFVDuhnf1HHfNPA6k72cDc3q6LI6vmiT614ZGJ-z1-ra88rxMe1kFWKrSd622hPupIwV8R7uqOzRe4w0DsCyZnlWbuccu2LarUfuGqQnbuzHBbVtpggBOd3x0l3o_TgXxRVXPgcI4_CTwcvTUsg0VIHgGb8Fg7","client_assertion_type":"urn:ietf:params:oauth:client-assertion-type:jwt-bearer","grant_type":"client_credentials","scope":"system/Patient.read"}

And I get an invalid_client error due to invalid-signature. I've verified that I'm using RS384 and that jwt.io confirms the structure of the client_assertion.

{"error_uri":"https://authorization.cerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aclient-assertion%3Ajwt-bearer%3Ainvalid-signature/instances/33f6fc04-d91f-4276-a3df-d23562885f4a?client=66413f4a-82d7-4edb-8262-545dd4be4c64&tenant=ec2458f2-1e24-41c8-b71b-0e701af7583d","error":"invalid_client"}

JWKS (configured at my JWKS URL):

{"kty":"RSA","n":"pNPwAWCqsjJXbDXddA_Cgy5hyuuNYmjSZtCv8LDiJv4htteVjUOYtRgHJK5qs4BeFULcepR72sPlxuFUWMYrWih6-QOkO7msXDD06SEHT1eBx32EHb1hNk49QK6An4GtC44Kt5OXDngJj53wKFgMvL0IylhIrrnoBZ3eL6NXITPcNg7Rk6sqvIiHk4dIGMgf2Pevb876THI8puSax55Zwn56yp4thbQNjnVxd6R-mSbqqGhKZa5jhIPMykAdr4GSHbg5cnG_H9t9-BLaYeCLVaXGD0n_dTZUucgkjxzJpch2IBJPpw2zVuMPGosRFOSQQCON69fQHLmb0JDiTqfbpdE6f0p2hJSx1oXcsQNMvdpAXndcpeQAfQACsindbRws3dRM7AOtSsdY79n-5YYoCyziB3F5HERCrgpD-CjsM1GsFQrXcrhLYJ6Daz5GOV5TaCDMwAATDHV3kic7OAVGMS9ZdpwKFNRhJigkwFUfNoA9K9XvLRutjy2xE_atTBrv","e":"AQAB"}

Background Information:

Failure to provide answers will impact our ability to respond in a timely and effective manner
Developer questions:

Are you an OPN Member? Yes
Have you signed up to be in the Healthcare Developer Track? No
Are you a registered Code Program member? Yes
Does your App have a presence on the Oracle Healthcare App Marketplace? Yes

Are you developing on behalf of an Oracle Health client? No

Expected Result:

JWT generated and returned by Cerner FHIR.

Actual Result:

Cerner-correlation-id af9ffc73-5032-4755-ad96-ba11a89b143c

This post has been answered by David Murphy on May 19 2025
Added on May 19 2025
2 comments
107 views
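
A local pre-flight check for the flow described in the post, as an added example (not code from the post or from Oracle Health): it compares a client assertion's header against the JWKS document the client publishes and verifies the RS384 signature using only the Python standard library. The function names are this example's own, and the key, `kid` and claims in `demo()` are constructed sample values.

```python
import base64, hashlib, json
# DigestInfo prefix for SHA-384 in RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2).
SHA384_PREFIX = bytes.fromhex("3041300d060960864801650304020205000430")

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def pkcs1_em(msg, k):
    # EMSA-PKCS1-v1_5 encoding of SHA-384(msg) for a k-byte modulus.
    t = SHA384_PREFIX + hashlib.sha384(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs384_ok(msg, sig, jwk):
    n, e = (int.from_bytes(b64u_dec(jwk[m]), "big") for m in ("n", "e"))
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    return len(sig) == k and s < n and pow(s, e, n).to_bytes(k, "big") == pkcs1_em(msg, k)

def check_assertion(assertion, jwks_text):
    """Return the problems found; an empty list means the assertion verifies."""
    head, body, sig = assertion.split(".")
    header, doc = json.loads(b64u_dec(head)), json.loads(jwks_text)
    if header.get("alg") != "RS384":
        return ["header alg is not RS384"]
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list):
        return ["JWKS URL serves a bare JWK, not a JWK Set with a 'keys' array"]
    match = [j for j in keys if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")]
    if not match:
        return ["no RSA key in the set has the kid from the JWT header"]
    ok = rs384_ok(f"{head}.{body}".encode(), b64u_dec(sig), match[0])
    return [] if ok else ["signature does not verify against the published key"]

def demo():
    """Constructed input: throwaway key built from two Mersenne primes, demo only."""
    p, q, e = 2**521 - 1, 2**607 - 1, 65537
    n, d, k = p * q, pow(e, -1, (p - 1) * (q - 1)), ((p * q).bit_length() + 7) // 8
    jwk = {"kty": "RSA", "kid": "demo-key", "n": b64u_enc(n.to_bytes(k, "big")), "e": "AQAB"}
    head = b64u_enc(json.dumps({"alg": "RS384", "kid": "demo-key", "typ": "JWT"}).encode())
    body = b64u_enc(json.dumps({"iss": "demo-client", "sub": "demo-client"}).encode())
    em = int.from_bytes(pkcs1_em(f"{head}.{body}".encode(), k), "big")
    sig = b64u_enc(pow(em, d, n).to_bytes(k, "big"))
    bare, good = {m: jwk[m] for m in ("kty", "n", "e")}, json.dumps({"keys": [jwk]})
    return {"jwk_set": check_assertion(f"{head}.{body}.{sig}", good),
            "tampered": check_assertion(f"{head}.{body}A.{sig}", good),
            "bare_jwk": check_assertion(f"{head}.{body}.{sig}", json.dumps(bare)),
            "kid_missing": check_assertion(f"{head}.{body}.{sig}", json.dumps({"keys": [bare]}))}
```

To check a real client, pass the assertion string and the exact response body served at the registered JWKS URL to `check_assertion`.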