SMART Authorization

Announcement

For information related to the Oracle Partner Network (OPN) Industry Healthcare Track please visit our OPN Industry Healthcare Program page.

For specific questions related to Oracle Partner Network (OPN), please contact Partner Assistance.

Millennium FHIR and non-FHIR API Specifications and Supporting Documents can be found HERE on docs.oracle.com.
Soarian FHIR API Specifications and Supporting Documents can be found HERE on docs.oracle.com.

Secure sandbox authentication issue

Jeno MatheSep 25 2025

Background Information:

Failure to provide answers will impact our ability to respond in a timely and effective manner
Developer questions:

Are you an OPN Member? No
Have you signed up to be in the Healthcare Developer Track? No
Are you a registered Code Program member? No
Does your App have a presence on the Oracle Healthcare App Marketplace? No

Are you developing on behalf of an Oracle Health client?
If so, which client:

Application's Client ID and App ID, if relevant:
Client ID: 9f28b434-864c-4cb9-9128-f32e3e83651c
App ID: e4933da2-249b-4a67-8ab4-011b7c2af77d

Hello,

I am trying to hit the Patient.read endpoint in the secure sandbox environment, but I'm having trouble retrieving the token.
Of course it works in the standard sandbox.

The steps I've taken:

I have registered an application on https://code-console.sandboxcerner.com/ with the following parameters:

Application Type : System
SMART Version: SMART v1
1. I have retrieved the smart configuration from https://fhir-ehr-code.cerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d/.well-known/smart-configuration
2. I generated a JWT token using my CLIENT_ID, the token url: https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/hosts/fhir-ehr-code.cerner.com/protocols/oauth2/profiles/smart-v1/token, set the "kid" in the headers and made sure it was generated using RS384
3. I generated a jwks file and uploaded to https://sandboxcernercentral.com/system-accounts for the specific app, in the JSON Web Key set section as json
4. I tried decoding the jwt locally, to make sure that is valid
5. Tried making a POST call to the token url above, with the following:
  data={
  "grant_type": "client_credentials",
  "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
  "client_assertion": <the_generated_jwt_token>,
  "scope": "system/Patient.read"
  },

headers={

"Content-Type": "application/x-www-form-urlencoded"

}

However, I receive the following error:

{'error': 'invalid_client', 'error_uri': 'https://authorization.cerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aclient-assertion%3Ajwt-bearer%3Ainvalid-signature/instances/2c0c0a11-1585-4a11-befd-830bc86eb9d5?client=CLIENT_ID&tenant=ec2458f2-1e24-41c8-b71b-0e701af7583d'}

I was expecting a valid token which I can then use with the header:

headers = {"Authorization": f"Bearer {token}", "Accept": "application/fhir+json"}

What am I missing? Is my approach using the SMART endpoint wrong?

Thank you in advance.
Jeno

Added on Sep 25 2025

1 comment

52 views

1 mention