SMART Authorization

Issues using OpenID Connect with SMART Authorization - JWE

C A, May 28 2025

Workflow or API calls:

https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/personas/provider/authorize?aud=https://fhir-ehr-code.cerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d&?audience=https://fhir-ehr-code.cerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d

https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/hosts/fhir-ehr-code.cerner.com/protocols/oauth2/profiles/smart-v1/token

Background Information:

Failure to provide answers will impact our ability to respond in a timely and effective manner
Developer questions:

I am using Keycloak to provide authentication services, with Cerner Authorization as an OpenID provider. I am able to successfully authenticate, but Keycloak is unable to decrypt the returned JWE token. Does Cerner support returning a JWT instead of a JWE? I have also tried using the authorization endpoints provided here: https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/.well-known/openid-configuration but the endpoints respond with a 404. https://fhir-ehr-code.cerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d/.well-known/smart-configuration provides usable OpenID endpoints.

The JWKS server has been registered in my CernerCentral account, but I receive a different kid that Keycloak does not have:

{
  "zip": "DEF",
  "kid": "2025-05-28T03:00:54.995.oct",
  "cty": "JWT",
  "enc": "A128CBC-HS256",
  "alg": "dir"
}

How do we obtain the symmetric key needed for the 'dir' algorithm?

Are you an OPN Member? No
Have you signed up to be in the Healthcare Developer Track? No
Are you a registered Code Program member? Yes
Does your App have a presence on the Oracle Healthcare App Marketplace? No

Are you developing on behalf of an Oracle Health client? No
If so, which client:

Application's Client ID and App ID, if relevant:

Application ID: 334a5a2c-b528-48ee-ae62-f19ef7d9a3a8

Client ID: 01803a1f-79f4-4559-a3e5-6e63b498db9f

Expected Result:

A decodable JWT is returned, or a private key is provided to allow decryption

Actual Result:

X-Request-Id / Cerner-Correlation-Id / opc-request-id: N/A, successful authentication
Date/time of the example: 2025-05-28T03:00:54.995

This post has been answered by Samuel Denning-Oracle on May 29 2025
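
An added example, not part of the original post or of Oracle's documentation: a standard-library Python check of what the posted header implies under RFC 7516/7518. With `alg: dir` the shared symmetric key is used directly as the content-encryption key, and `A128CBC-HS256` needs 32 bytes of it, so a candidate key can be tested against the authentication tag before any decryption is attempted. The function names, `SAMPLE_KEY`, and the placeholder IV and ciphertext are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def cbc_hs256_tag(key: bytes, protected: str, iv: bytes, ct: bytes) -> bytes:
    """RFC 7518 5.2.2: HMAC-SHA256(MAC_KEY, AAD || IV || ciphertext || AL), first 16 bytes."""
    aad = protected.encode("ascii")               # AAD is the encoded protected header
    al = (len(aad) * 8).to_bytes(8, "big")        # AAD length in bits, 64-bit big-endian
    return hmac.new(key[:16], aad + iv + ct + al, hashlib.sha256).digest()[:16]

def inspect_compact(token: str) -> dict:
    """Classify a compact token and report what key its header calls for."""
    parts = token.split(".")
    if len(parts) == 3:
        return {"type": "JWS", "header": json.loads(b64url_decode(parts[0]))}
    if len(parts) != 5:
        raise ValueError("not a compact JWS (3 parts) or JWE (5 parts)")
    header = json.loads(b64url_decode(parts[0]))
    info = {"type": "JWE", "header": header}
    if header.get("alg") == "dir":
        # Direct encryption: no wrapped key travels in the token, so segment 2 is empty.
        info["encrypted_key_empty"] = parts[1] == ""
    if header.get("enc") == "A128CBC-HS256":
        info["cek_bytes"] = 32                    # 16-byte MAC key followed by 16-byte AES key
    return info

def tag_matches(token: str, key: bytes) -> bool:
    """True only if `key` is the 32-byte key the token was protected with."""
    protected, _ek, iv, ct, tag = token.split(".")
    if len(key) != 32:
        return False
    expected = cbc_hs256_tag(key, protected, b64url_decode(iv), b64url_decode(ct))
    return hmac.compare_digest(expected, b64url_decode(tag))

def build_sample(key: bytes) -> str:
    """Constructed token: header from the post, placeholder IV/ciphertext, valid tag."""
    header = {"zip": "DEF", "kid": "2025-05-28T03:00:54.995.oct", "cty": "JWT",
              "enc": "A128CBC-HS256", "alg": "dir"}
    protected = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    iv, ct = bytes(16), bytes(range(32))          # placeholders, not real encrypted data
    tag = cbc_hs256_tag(key, protected, iv, ct)
    return ".".join([protected, "", b64url_encode(iv), b64url_encode(ct), b64url_encode(tag)])

SAMPLE_KEY = bytes(range(32))                     # constructed key, not a real secret
SAMPLE_TOKEN = build_sample(SAMPLE_KEY)
```

A passing tag check only confirms the key; recovering the claims would still require AES-128-CBC decryption with the last 16 key bytes, then DEFLATE decompression (`zip: DEF`), then parsing the inner JWT (`cty: JWT`).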