@cw.efiia You need to use Basic HTTP authorization to send your client_id as the username and client_secret as the password.
What version of OpenEMR are you using? master has a lot more debugging information than 6.0.0.
If you’re not familiar with this header you concatenate your credentials like so base64_encode(client_id . ‘:’ . client_secret); Here is a sample POST request in insomnia which I use for my test client. I removed the hostname, ip address, and cookie information as its a private server.
* Preparing request to https://*************/oauth2/default/token
* Current time is 2021-10-18T20:44:24.386Z
* Using libcurl/7.73.0 OpenSSL/1.1.1g zlib/1.2.11 brotli/1.0.7 zstd/1.4.9 libidn2/2.2.0 libssh2/1.9.0 nghttp2/1.41.0
* Using default HTTP version
* Disable timeout
* Enable automatic URL encoding
* Disable SSL validation
* Enable cookie sending with jar of 29 cookies
* Found bundle for host *************: ************* [can multiplex]
* Re-using existing connection! (#2) with host *************
* Connected to ************* (*************) port 443 (#2)
* Using Stream ID: 9 (easy handle *************)
> POST /oauth2/default/token HTTP/2
> Host: *************
> user-agent: insomnia/2021.2.2
> cookie: authserverOpenEMR=*************
> content-type: application/x-www-form-urlencoded
> authorization: Basic eWk0bW5tVmFkcG5xbkppT2lna2NHc2h1Ry1LYXlpcTZrbUxxQ0pzWXJrNDpvVHdhQ2k4Q2xib0x3XzdpTjd0SVpyd0diRnprbDNPSHFuUlhuclRJQXZxM0g2RDZJNjR3TTd6WlFuWlZlZHVLcnB3NWs4VlVmSGJIc0F3YUpkVW1Hdw==
> accept: */*
> content-length: 2120
| grant_type=authorization_code&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcallback&code=def5020003c455bd5727e9f6caf8563acebe4cc09adb3c5b7e7ff4d147920ed39b28cc881329c5d9ad07042fb738b874a2108a94c5abdd86e4821b54b0b9f22bbd699332ca97b0e4d6b3cef77cd8d9c11a036dae83414f6aa841a4894f2cfafff73dcb7be5076b7417dce148f84f5c362875a8f56f782c3c80ec68e594503b477c5477274c4f63d8ced9af869511a5c35e6c75ef05dec6375ab4548f3a0ca44362c98f465aefac9712b3baaf215f4cc3bf998e489dbeb9e2eed04541e1a8c8b2a81ab621e610eee21da8b118ac2a4e50802033f9961c438a9680555f6b6df566775e05042699b608afa8c9f30227c37398eb6d24fb7904ec0c3fb2e5bf77eee4bed877c364efae1ea333059888eb36d9ca15ce7a53f02800bd95998ff91c292ca9dd3c12394545832a0c2807fee524114eb7a4e1f41b9407073aa8e8825ee18f62d36ec7a123cb708a76842c92a574bffba7f0dd247ff6a645268e661754665df75fe2af99a4a94faa8e51fa16c1a693855d747e017faac32d98bd21e99a3136f635041924719dda2ad61b427b70d93c6ef909537293029c3ee36f3a31cd943e2ab95c892a1383b44d23793a4b9d3d443d50d9f8713f5eb05c4be1bdb025d1b44fb9e2897a5182280693092774a175cce54bc356b081cabae12aff449e7b72a46cff895216344021f6681ed5cf5f0100fd5a04dce7c4efee4e683024befb5d25c17d7106109b24e3168bc64d9fc250a4e483114fe2da4d5755b8d73cdd15ace2c290ceff25c8609723777cdd36918a3d005b66d7b3d7ce3c77292743c3bb08693152f91d9ffdcc731d99179fc0cba8bd6fee53e03576692817db99027bbd5be7dd23b1ad3e65ef73e90e1a01d156e9d264dcbfc7d26d6357d16f4a79fdcb3878680d6c23937502359d24187caa32eb466a5e26cbe8833da410916e6518f85a5a3f064a7c0cbe66ba7a09bab62164d5ae6e88d172cc353156a0773339e1514d20c47d0a698c19b309e2595103ad2abfa84b7adc2d7e022bee91c19bacc34d15332a279c8166c5a4049b7183114ed0bb90acd5371020a86fe54afe12f8a82f6b3df86028121a08a32b001d33a379fc186998043ab4572daecfa657672506a4978000565da7dd6ec49b864c6d3025d739e0289a5e7fd861c79d5c5533b49a6397c4142d25b61bbbad38a0207fb4ea983f5752aad81edcb4aaee63647c155a3b77528955b872236b2c4c9be785114f86af675842d8b066c236806d92dab2daaf69d0a124fa20ce1a163ed8f1984b4646a55ad2e3baf77dfe6202bef8bc8e49b5e9733b4e31b76e95f2bf8757b95106158042f647683e54c9f48d1a37d571950f5227e8103baf6c059b23afe55fc4f8ca22de83d326c32c87a85d59ec032fd7a38456e4bbde711188e002da0476d3c43ce726fdf456b7351b
You don’t need scopes as they are encrypted in the code parameter. State doesn’t apply here either.