
SMART Authorization


unknown_kid accessing sandbox

I realize I should have posted this here.

We get a token using:

curl -X POST \
'https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/hosts/fhir-ehr.sandboxcerner.com/protocols/oauth2/profiles/smart-v1/token' \
-H 'Accept: application/json' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Authorization: Basic <encoded client id/secret>' \
-d 'grant_type=client_credentials&scope=system/Patient.read&aud=https://fhir-ehr.sandboxcerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d'

This returns an access token as expected. But when using the token:

curl -H "Authorization: Bearer <access_token>" \
'https://fhir-ehr.sandboxcerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d/Patient?family=Smart'

We get:

{
"code": 401,
"message": "code=\"urn:cerner:error:oauth2:resource-access:signature-verification-failed\", error=\"invalid_token\", subcode=\"unknown_kid\", kid=\"2025-07-18T02:10:26.541.ec.es256\""
}

The sandbox rejects this type of EC-signed token and apparently requires RS256 RSA signed tokens.

It appears there is some issue on the back end, but I'm open to suggestions.

This post has been answered by Kol Kheang-Oracle on Jul 21 2025
Added on Jul 19 2025
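A local diagnostic for the `unknown_kid` response quoted in the post, added here as an example and not part of the original post or of Oracle's code: it decodes the access token's JWS header without verifying it and reports whether the `kid` is present in a JWKS and matches the key type implied by `alg`. It assumes the access token is a compact JWT; the sample token, the key set, its `kid` and all function names are constructed for illustration.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_header(token: str) -> dict:
    """Decode (not verify) the protected header of a compact JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JWS header is not a JSON object")
    return header

def diagnose(token: str, jwks: dict) -> dict:
    """Report whether the token's kid is in the key set and fits its alg."""
    header = jwt_header(token)
    kid, alg = header.get("kid"), str(header.get("alg", ""))
    keys = {k.get("kid"): k for k in jwks.get("keys", [])}
    report = {"kid": kid, "alg": alg, "known_kids": sorted(k for k in keys if k)}
    if kid not in keys:
        report["status"] = "unknown_kid"
    elif keys[kid].get("kty") != {"RS": "RSA", "PS": "RSA", "ES": "EC"}.get(alg[:2]):
        report["status"] = "alg_kty_mismatch"
    else:
        report["status"] = "key_found"
    return report

# Constructed sample data: the kid is the one quoted in the 401 response above;
# the alg value, the key set and its kid are invented for illustration.
SAMPLE_HEADER = {"alg": "ES256", "typ": "JWT", "kid": "2025-07-18T02:10:26.541.ec.es256"}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps(SAMPLE_HEADER).encode()),
    b64url_encode(b'{"sub":"constructed"}'),
    b64url_encode(b"placeholder-signature"),
])
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "constructed-rsa-key", "use": "sig"}]}

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_TOKEN, SAMPLE_JWKS), indent=2))
```

Running it against a real token header and the key set the resource server actually trusts shows which of the two sides (token issuer or key publication) is out of step.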