SMART Launch Auth issues: Missing KIDs

Maninder Singh, Sep 30 2025

Workflow or API calls:

JWT token validation against JWK endpoint: https://authorization.sandboxcerner.com/jwk

Background Information:

Our application received a JWT token signed with a key ID that was not present in the JWK endpoint at the time of validation, causing authentication failures.

Are you an OPN Member? Yes
Have you signed up to be in the Healthcare Developer Track? Yes
Are you a registered Code Program member? Yes
Does your App have a presence on the Oracle Healthcare App Marketplace? Yes

Are you developing on behalf of an Oracle Health client?
If so, which client:

Application ID

59852ba4-17a9-468a-b085-9af3dddf1d36

Client ID

3d072e97-37f8-4c5a-ae54-d81461d4ea24

Expected Result:

JWT token with kid 2025-09-29T02:43:24.322.rsa should be validated successfully using the corresponding public key from the JWK endpoint.

Actual Result:

JWT validation failed with error: "could not find key ID '2025-09-29T02:43:24.322.rsa' in available keys: ['2025-09-23T02:43:14.896.rsa', '2025-09-25T02:43:19.451.rsa', '2025-09-27T02:43:23.838.rsa']"

The required key was not present at the JWK endpoint at the time of validation but appeared later, suggesting a timing issue between when tokens are signed and when keys are published. This prevented a hospital customer from being able to authenticate into the application.

Questions:

  1. What is the expected key rotation schedule and process?
  2. Are new keys pre-published before being used to sign tokens?
  3. What is the recommended JWK cache TTL to avoid this issue?

X-Request-Id / Cerner-Correlation-Id / opc-request-id:
JWT:

JWT key validation failed - could not find key ID '2025-09-29T02:43:24.322.rsa' in available keys: ['2025-09-23T02:43:14.896.rsa', '2025-09-25T02:43:19.451.rsa', '2025-09-27T02:43:23.838.rsa']. JWT Header: {'kid': '2025-09-29T02:43:24.322.rsa', 'typ': 'JWT', 'alg': 'RS256'}.

Date/time of the example:

September 29, 2025, approximately 02:44 UTC (token iat: 1759158273)
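
One client-side way to tolerate the situation described in this post, a token whose kid is not yet in the cached key set, is to refetch the JWKS on an unknown kid, with a floor between fetches. This is an added example, not code from the post or from Oracle Health; `JwksCache`, the `ttl` and `min_refetch` values and the stubbed fetch are assumptions, and it covers key lookup only, not signature verification.

```python
import time

class JwksCache:
    """Resolve JWT `kid` values against a JWKS, refetching on a miss."""

    def __init__(self, fetch, ttl=3600, min_refetch=60, clock=time.monotonic):
        self._fetch = fetch              # callable returning {"keys": [...]}
        self._ttl = ttl                  # assumed value: normal cache lifetime (s)
        self._min_refetch = min_refetch  # assumed value: floor between fetches (s)
        self._clock = clock
        self._keys = {}
        self._fetched_at = None

    def _refresh(self):
        doc = self._fetch()
        self._keys = {k["kid"]: k for k in doc.get("keys", []) if "kid" in k}
        self._fetched_at = self._clock()

    def get(self, kid):
        now = self._clock()
        age = None if self._fetched_at is None else now - self._fetched_at
        if age is None or age >= self._ttl:
            self._refresh()
        elif kid not in self._keys and age >= self._min_refetch:
            # Unknown kid: the issuer may have rotated since our last fetch.
            # The floor stops tokens with made-up kids forcing a fetch per request.
            self._refresh()
        return self._keys.get(kid)       # None => reject the token

# Constructed stand-in for the JWK endpoint: key material is omitted and the
# fourth key only "appears" from the second fetch onwards.
KIDS = ["2025-09-23T02:43:14.896.rsa", "2025-09-25T02:43:19.451.rsa",
        "2025-09-27T02:43:23.838.rsa", "2025-09-29T02:43:24.322.rsa"]

def demo():
    calls, now = [], [0.0]
    def fetch():
        calls.append(now[0])
        n = 3 if len(calls) == 1 else 4
        return {"keys": [{"kid": k, "kty": "RSA"} for k in KIDS[:n]]}
    cache = JwksCache(fetch, clock=lambda: now[0])
    warm = cache.get(KIDS[0]) is not None   # first fetch: three keys
    now[0] = 30
    early = cache.get(KIDS[3])              # miss inside the floor: no fetch
    now[0] = 90
    late = cache.get(KIDS[3])               # miss past the floor: refetch
    bogus = cache.get("no-such-kid")        # 0 s since refetch: no fetch
    return warm, early, late is not None, bogus, len(calls)
```

A miss that lands inside the floor still fails, so a caller that cannot tolerate that can retry validation once after `min_refetch` seconds rather than lowering the floor to zero.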
