Hi Team,
I am reaching out regarding our application WoundZoom which is currently going through the Oracle Health certification process. We are trying to complete the Cerner Endpoint Tests checklist (attached) but are completely blocked and unable to fill any rows in the checklist. I want to explain exactly what we have tried and what is failing.
APPLICATION DETAILS
Application Name: WoundZoom
Client ID: da7de94b-e84a-4d7d-8789-5d787eb38719
Application ID: f1010521-2b4e-4a36-8d51-788c86e2e655
Sandbox Tenant: ec2458f2-1e24-41c8-b71b-0e701af7583d
SMART Version: SMART v2
Contact: dfriedland@woundzoom.com
WHAT WE HAVE SUCCESSFULLY DONE
We have successfully completed the following:
1. Registered our application in the Oracle Health Developer Portal as SMART v2
2. Implemented the full SMART EHR Launch flow in our application
3. Successfully launched the app from the Cerner sandbox and completed the OAuth2 login
4. Successfully retrieved the Patient ID and Encounter ID from the token response
The integration code is working correctly. The problem is entirely with obtaining a valid access token that is accepted by the FHIR API.
ISSUE 1 — SMART v2 Endpoints Not Working (Blocking ALL GET, POST, PUT, PATCH rows)
Since our portal is registered as SMART v2 we tried the SMART v2 endpoints:
SMART v2 Authorize endpoint → Returns 404 Not Found:
https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v2/personas/provider/authorize
SMART v2 Token endpoint → Returns an HTML page instead of a token:
https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v2/token
We then tried falling back to the SMART v1 endpoints. The login completes and we receive a token. However every single FHIR API call — including basic GET calls like GET Patient — returns:
403 Forbidden
code: insufficient_scope
subcode: no_scope_for_resource_path
This means we cannot make ANY authenticated FHIR API call. We cannot GET Patient, GET Encounter, GET Condition, GET Observation or any other resource. Therefore we cannot fill a single row in the GET, POST, PUT or PATCH sheets of the checklist.
The only calls we were able to make were using the public fhir-open endpoint which does not require a token and does not return a CorrelationID. The checklist requires authenticated calls with CorrelationIDs so those results are not valid for the checklist.
We need you to either:
1. Enable SMART v2 endpoint support for sandbox tenant ec2458f2-1e24-41c8-b71b-0e701af7583d, OR
2. Advise the correct SMART v2 authorize and token endpoint URLs for this sandbox, OR
3. Advise how to use SMART v1 endpoints with a SMART v2 portal registration without getting 403 errors
ISSUE 2 — POST Rows for Certain Resources Cannot Be Filled Even After Issue 1 is Resolved
Even after Issue 1 is resolved, the following resources return 405 Method Not Allowed when we attempt a POST in the shared sandbox:
- Patient POST
- Practitioner POST
- Location POST
Since these calls are blocked we cannot obtain a CorrelationID for them.
We need your guidance on:
1. How should we fill these POST rows in the checklist?
2. Should we leave them blank with a note explaining the 405 sandbox restriction?
3. Is there a dedicated sandbox tenant where these POST calls are permitted?
SUMMARY OF WHY THE CHECKLIST IS COMPLETELY EMPTY
GET sheet — All rows empty:
Blocked by SMART v2 token issue. Cannot make any authenticated FHIR call.
POST sheet — All rows empty:
Blocked by SMART v2 token issue for all resources.
Additionally Patient, Practitioner and Location are blocked by sandbox restriction.
PUT sheet — All rows empty:
Blocked by SMART v2 token issue.
PATCH sheet — All rows empty:
Blocked by SMART v2 token issue.
We are ready and able to complete the entire checklist as soon as we have a working access token. Please advise how to proceed.
Thank you for your urgent assistance.
Cerner Endpoint Tests.xlsx