Workflow or API calls:
Reminder: If this is referring to a client domain or EHR activity—not the public sandbox—do not include API request data or live patient data.
Background Information:
Failure to provide answers will impact our ability to respond in a timely and effective manner
Developer questions:
Are you an OPN Member? Yes / No
Have you signed up to be in the Healthcare Developer Track? Yes / No
Are you a registered Code Program member? Yes / No
Does your App have a presence on the Oracle Healthcare App Marketplace? Yes / No
Are you developing on behalf of an Oracle Health client?
If so, which client:
Application's Client ID and App ID, if relevant:
App ID: c388f6bf-1c33-4566-a5bc-249e990ea2bf
Client ID: b1e2a292-fbe4-460a-be33-582e572abbbe
Expected Result
When making a request to the Specimen FHIR resource from our SMART on FHIR application in the Cerner sandbox environment, I expect to receive successful access since the system/Specimen.read scope has been added to our application registration in Cerner Central.
I updated the scopes for our sandbox application (Application ID: c388f6bf-1c33-4566-a5bc-249e990ea2bf, Client ID: b1e2a292-fbe4-460a-be33-582e572abbbe) to include Specimen.read. However, a Cerner analyst working with us on the hospital tenant reports that he does not see the Specimen.read scope available for this app in his Cerner Central view, which appears to be the version deployed to the Lifebridge sandbox environment.
This is leading me to believe there may be a propagation or syncing issue between the app registration in our developer sandbox and the hospital-side instance of the app, similar to how Epic requires customers to upgrade to a newer version of the application to gain new scopes.
Actual Result:
X-Request-Id / Cerner-Correlation-Id / opc-request-id:
Date/time of the example:
Despite having system/Specimen.read listed in our scope request, we receive a 403 Forbidden response with:
error: "insufficient_scope"
error_description: "no_scope_for_resource_path"
scope=system/Specimen.read system/Patient.read system/Encounter.read ...
and the returned token does not contain Specimen.read in the scp claim.
We have confirmed:
- The application is registered as SMART v1 (screenshot attached).
- We are using the correct v1 scope format (system/Specimen.read).
- Other resources (Patient, Encounter, Observation, etc.) are accessible as expected.
Example token request:
"cerner-correlation-id": "5718aeb9-3fef-470f-8562-5ccbc97b4fe5"
"date": "Mon, 28 Jul 2025 15:21:14 GMT"
Scopes provided:
"Response Body": "{\"access_token\":\"<access_token>\",\"scope\":\"system\\/Condition.read system\\/DocumentReference.read system\\/DocumentReference.write system\\/Encounter.read system\\/MedicationRequest.read system\\/NutritionOrder.read system\\/Observation.read system\\/Observation.write system\\/Patient.read system\\/Procedure.read system\\/ServiceRequest.read\",\"token_type\":\"Bearer\",\"expires_in\":570}"
Example failed specimen request:
- X-Request-Id: e1234567-89ab-4cde-8f12-3456789abcde
- Cerner-Correlation-Id: abc12345-def6-7890-ghij-klmnopqrstuv
- opc-request-id: opc-4567abcd-89ef-0123-ghij-456789klmnop
Example response:
"Response Body": "{\"message\":\"code=\\\"urn:cerner:error:oauth2:resource-access:insufficient-scopes\\\", error=\\\"insufficient_scope\\\", subcode=\\\"no_scope_for_resource_path\\\"\",\"code\":403}"
Date/time of the example
- Timestamp (UTC): 2025-07-29T15:22:10Z
Does the hospital tenant need to update their version of our application or somehow approve the additional scopes? What could be causing the issue where the scopes I've set in code console show specimen added, but in the Cerner analyst's view they are not there?
Screenshot: Sandbox Cerner Central from analyst

Our view of our application
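A client-side check for the situation described in this post, as an added example that is not part of the original post or of Oracle Health's code: it compares the requested scopes with the `scope` field of the token response and tells you, before a FHIR call is sent, whether the granted scopes cover it. The sample token response is constructed, and the function names `scope_diff` and `preflight` are hypothetical.

```python
import json
import re

# Constructed sample: a token response shaped like the one in the post
# (placeholder token, shortened scope list, no Specimen scope granted).
TOKEN_RESPONSE = json.dumps({
    "access_token": "<access_token>",
    "scope": "system/Encounter.read system/Observation.read system/Patient.read",
    "token_type": "Bearer",
    "expires_in": 570,
})
REQUESTED = "system/Specimen.read system/Patient.read system/Encounter.read"


def scope_diff(requested, token_response_body):
    """Return (missing, granted): scopes asked for but not issued, and the issued set."""
    body = json.loads(token_response_body)
    asked = set(requested.split())
    # RFC 6749 section 5.1: when "scope" is omitted from the response,
    # the granted scope is identical to the requested scope.
    granted = set(body["scope"].split()) if "scope" in body else set(asked)
    return sorted(asked - granted), granted


def preflight(method, relative_path, granted):
    """Check a FHIR call (path relative to the FHIR base URL) against granted scopes.

    Returns (allowed, needed_scope). Uses the SMART v1 system scope format
    from the post. Wildcard scopes follow the SMART v1 specification; whether
    a particular authorization server issues them is an assumption.
    """
    resource = re.split(r"[/?]", relative_path.lstrip("/"), maxsplit=1)[0]
    action = "read" if method.upper() in ("GET", "HEAD") else "write"
    acceptable = {
        f"system/{r}.{a}" for r in (resource, "*") for a in (action, "*")
    }
    return bool(acceptable & granted), f"system/{resource}.{action}"


if __name__ == "__main__":
    missing, granted = scope_diff(REQUESTED, TOKEN_RESPONSE)
    print("requested but not granted:", missing)
    for method, path in [("GET", "Specimen?patient=123"), ("GET", "Patient/123")]:
        allowed, needed = preflight(method, path, granted)
        print(f"{method} {path}: needs {needed}, allowed={allowed}")
```

Logging the `missing` list next to the Cerner-Correlation-Id of the token request gives support a single record showing that the scope was dropped at token issuance, not at the resource server.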
