i'm trying to authenticate a SMART app with user scopes. i'm familiar with system account access most recently, without SMART, so i'm missing something fundamental here.
the app is registered and i have a client id, but i have no "secret"
- i'm using the registered client id in a FHIR.oauth2.authorize call (on fhir-open.sandboxcerner.com) but getting 403 forbidden response, and
- i'm trying from postman with the same 403 response
- i'm trying from a non-SMART test harness and getting an invalid_client, presumably because i'm supplying a accountId (the client id) but no secret
(using the test tenant r4 route, r4/ec2458f2-1e24-41c8-b71b-0e701af7583d)
questions:
user or provider scope does not require a secret in the credentials? since .authorize doesn't have a parameter for it
how long is the registration delay before the client is recognized?
what else might be failing here?