
SMART Authorization


SMART V2 Scopes Are Not Returned Despite Requesting, SMART V1 Works Fine

Joe Tonelli, 14 hours ago

Background Information:

Are you an OPN Member? Yes
Have you signed up to be in the Healthcare Developer Track? Yes
Are you a registered Code Program member? Yes
Does your App have a presence on the Oracle Healthcare App Marketplace? No
Are you developing on behalf of an Oracle Health client? No

Hello - I'm working on a SMART/FHIR application, and have noticed differences between an application that chooses SMART V2 and SMART V1 scopes. Despite my best efforts, I cannot get an application with the SMART V2 option selected to return an access token with proper scopes. I have another very similar app set up in code-console that does work, the only difference (that I can see) is I've selected SMART V1.

Both apps:

  • have application type: patient
  • have type of access: Offline
  • have application privacy: confidential
  • authorize token requests via signed JWT/client assertion - referencing the secret JWK set in Cerner System Account (no PKCE)
  • request the same scopes (relative to availability for V1/V2)
  • have the same product family and products - Millennium/Oracle Health FHIR APIs for Millennium: FHIR R4, All

Authorization URL pattern for both apps: https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/personas/patient/authorize?aud=https%3A%2F%2Ffhir-ehr.cerner.com%2Fr4%2Fec2458f2-1e24-41c8-b71b-0e701af7583d&client_id=ce9a6541-6e1b-4b99-8576-a7153774ebf1&response_type=code&scope=launch%2Fpatient+offline_access+openid+fhirUser+patient%2FAccount.read+patient%2FAllergyIntolerance.read+patient%2FAppointment.read+patient%2FBinary.read+patient%2FCarePlan.read+patient%2FCareTeam.read+patient%2FCondition.read+patient%2FConsent.read+patient%2FCoverage.read+patient%2FDevice.read+patient%2FDiagnosticReport.read+patient%2FDocumentReference.read+patient%2FEncounter.read+patient%2FFamilyMemberHistory.read+patient%2FGoal.read+patient%2FImmunization.read+patient%2FInsurancePlan.read+patient%2FMedia.read+patient%2FMedicationAdministration.read+patient%2FMedicationDispense.read+patient%2FMedicationRequest.read+patient%2FNutritionOrder.read+patient%2FObservation.read+patient%2FPatient.read+patient%2FPerson.read+patient%2FProcedure.read+patient%2FProvenance.read+patient%2FQuestionnaire.read+patient%2FQuestionnaireResponse.read+patient%2FRelatedPerson.read+patient%2FSchedule.read+patient%2FServiceRequest.read+patient%2FSlot.read+patient%2FSpecimen.read+user%2FAccount.read+user%2FAllergyIntolerance.read+user%2FAppointment.read+user%2FBinary.read+user%2FCarePlan.read+user%2FCareTeam.read+user%2FCondition.read+user%2FConsent.read+user%2FCoverage.read+user%2FDevice.read+user%2FDiagnosticReport.read+user%2FDocumentReference.read+user%2FEncounter.read+user%2FFamilyMemberHistory.read+user%2FGoal.read+user%2FImmunization.read+user%2FInsurancePlan.read+user%2FMedia.read+user%2FMedicationAdministration.read+user%2FMedicationDispense.read+user%2FMedicationRequest.read+user%2FNutritionOrder.read+user%2FObservation.read+user%2FPatient.read+user%2FPerson.read+user%2FProcedure.read+user%2FProvenance.read+user%2FQuestionnaire.read+user%2FQuestionnaireResponse.read+user%2FRelatedPerson.read+user%2FSchedule.read+user%2FServiceRequest.read+user%2FSlot.read+user%2FSpecimen.read+user%2FOrganization.read+user%2FLocation.read+patient%2FLocation.read&redirect_uri={{redirect-uri}}

Token Request Pattern for both apps:

curl --location 'https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/hosts/fhir-ehr.cerner.com/protocols/oauth2/profiles/smart-v1/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'redirect_uri={{redirect-uri}}' \
--data-urlencode 'client_id=ce9a6541-6e1b-4b99-8576-a7153774ebf1' \
--data-urlencode 'code=authCode-12345' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion={{signedJWT}}'

Working Smart V1 app:

Application ID: c3ccfbac-1b94-49d2-9210-ebf3a3d5aa6e

Client ID: ce9a6541-6e1b-4b99-8576-a7153774ebf1

Behavior: Returns properly scoped access_token after authorization and token exchange.

Non-functional Smart V2 app:

Application ID: 21c3403b-7c8a-4310-9012-9a7f89c3b4cf

Client ID: 683b46e9-105e-4cf0-8db4-e81cdc28beb0

Behavior: Returns an access_token scoped with only "fhirUser launch/patient offline_access openid".
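A check worth running on any SMART app whose token comes back with fewer scopes than it asked for, added here as an example and not taken from the post or from Oracle Health's code: SMART App Launch v1 and v2 use different scope syntax (v1 ends in .read/.write/.*, v2 ends in a permission string built from c, r, u, d, s in that order, optionally followed by ?param=value), so the script classifies each requested scope by version and diffs the requested set against the scope field of the token response. The authorize URL and token response it runs on are constructed sample values, not real server output.

```python
"""Classify SMART scopes by App Launch version and diff requested vs granted.
Added example, not Oracle Health code; sample URL and token are constructed."""
import re
from urllib.parse import urlparse, parse_qs

# v1: patient/Observation.read, user/*.write, patient/Patient.*
V1_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.(read|write|\*)$")
# v2: patient/Observation.rs, user/*.cruds, patient/Observation.rs?category=laboratory
V2_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.(c?r?u?d?s?)(\?.+)?$")
CONTEXT_SCOPES = {"openid", "fhirUser", "offline_access", "online_access"}

def scope_version(scope):
    """Return 'both', 'v1', 'v2' or 'unknown' for one scope string."""
    if scope in CONTEXT_SCOPES or scope.startswith("launch"):
        return "both"
    if V1_RE.match(scope):
        return "v1"
    m = V2_RE.match(scope)
    if m and m.group(3):          # an empty permission string is not a v2 scope
        return "v2"
    return "unknown"

def requested_scopes(authorize_url):
    """Scopes from the authorize URL's scope parameter; parse_qs undoes the
    + and %2F encoding seen in the authorize URL quoted in the post."""
    return parse_qs(urlparse(authorize_url).query).get("scope", [""])[0].split()

def scope_report(authorize_url, token_response, expected_version):
    """Flag requested scopes written in the other version's syntax, list
    requested scopes the token did not grant, and any unrequested extras."""
    requested = requested_scopes(authorize_url)
    granted = set(token_response.get("scope", "").split())
    return {
        "wrong_syntax": [s for s in requested
                         if scope_version(s) not in ("both", expected_version)],
        "missing": [s for s in requested if s not in granted],
        "extra": sorted(granted - set(requested)),
    }

# Constructed sample: one v1-style and one v2-style resource scope requested,
# and a token response carrying only the context scopes.
SAMPLE_URL = ("https://authorization.example/authorize?response_type=code"
              "&scope=launch%2Fpatient+offline_access+openid+fhirUser"
              "+patient%2FPatient.read+patient%2FObservation.rs")
SAMPLE_TOKEN = {"access_token": "constructed", "token_type": "Bearer",
                "scope": "fhirUser launch/patient offline_access openid"}

if __name__ == "__main__":
    print(scope_report(SAMPLE_URL, SAMPLE_TOKEN, "v2"))
```

Run it with the app's real authorize URL and the JSON body of the token response, passing "v1" or "v2" to match the option selected in code-console; a non-empty wrong_syntax list is the first thing to fix before comparing granted scopes.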
