
SMART Authorization


System client authentication using JWT failing

user-wfwr1, Jun 21 2023 — edited Jun 26 2023

I have created a System account in the Code Console. Using the client_id and secret of that account, I am able to use the sandbox authorisation server and a client_credentials grant_type to obtain an access token.

I am now trying to use the JWT client authentication, as described in the Authorisation documentation, to obtain an Access Token, but am failing every time, with a 401 Unauthorized with the following body:

{ 
"error": "invalid_client", 
"error_uri": "https://authorization.cerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Atoken%3Ainvalid-authorization-header/instances/826bf054-f12e-48d9-9e74-1b8db5ffaa44?client=unknown&tenant=ec2458f2-1e24-41c8-b71b-0e701af7583d" 
}

I have uploaded to the System account a JWK Set which includes a public key with the same “kid” as that in the JOSE Header of the JWT, and which matches the private key used to sign the JWT.

One of several access requests I have attempted is:

POST /tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token HTTP/1.1
Host: authorization.cerner.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer <removed>
Content-Length: 59

grant_type=client_credentials&scope=system%2FEncounter.read

The associated Correlation ID reported in the header of the error response is: 826bf054-f12e-48d9-9e74-1b8db5ffaa44.

The above example is using an EC key-pair and the ES384 algorithm to sign the JWT. I have also tried an RSA key-pair and the RS384 algorithm, with the same result.

What am I doing wrong?

This post has been answered by user-wfwr1 on Jul 3 2023
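
A local pre-flight check of the conditions the post describes (the "kid" in the JOSE header appearing in the uploaded JWK Set, and the key type fitting ES384 or RS384), as an added example that is not part of the original post or of the vendor's documentation. The function names, the sample token and the sample JWK Set are constructed for illustration, and the signature is not verified.

```python
import base64
import json

# Algorithm -> JWK fields the matching public key must carry (RFC 7518).
# Only the two algorithms mentioned in the post are covered.
ALG_KEY = {"ES384": {"kty": "EC", "crv": "P-384"}, "RS384": {"kty": "RSA"}}

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) as JSON."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def preflight(jwt, jwks):
    """List problems visible without verifying the signature."""
    parts = jwt.split(".")
    if len(parts) != 3 or not all(parts):
        return ["token is not a three-part compact JWS"]
    try:
        header, payload = b64url_json(parts[0]), b64url_json(parts[1])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["header or payload is not a JSON object"]
    problems = []
    alg, kid = header.get("alg"), header.get("kid")
    if alg not in ALG_KEY:
        problems.append(f"alg {alg!r} is not ES384 or RS384")
    keys = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if kid is None or len(keys) != 1:
        problems.append(f"kid {kid!r} matches {len(keys)} key(s) in the JWK Set")
        return problems
    for field, want in ALG_KEY.get(alg, {}).items():
        if keys[0].get(field) != want:
            problems.append(f"key has {field}={keys[0].get(field)!r}, {alg} needs {want!r}")
    if "d" in keys[0]:
        problems.append("JWK Set entry contains private key material ('d')")
    return problems

def sample_jwt(header):
    """Constructed token: given header, placeholder claims and signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'iss': 'constructed-client-id'})}.c2lnbmF0dXJl"

# Constructed JWK Set; x and y are placeholders, not real curve points.
SAMPLE_JWKS = {"keys": [{"kty": "EC", "crv": "P-384", "kid": "demo-key-1", "x": "AA", "y": "AA"}]}

if __name__ == "__main__":
    print(preflight(sample_jwt({"alg": "ES384", "kid": "demo-key-1"}), SAMPLE_JWKS))
    print(preflight(sample_jwt({"alg": "RS384", "kid": "demo-key-1"}), SAMPLE_JWKS))
```

An empty list means only that the header and JWK Set are consistent with each other; it says nothing about how the server expects the token to be presented.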