401 : "Client authentication failed" when using JWT signed token

Hello!

I’m almost new to openEMR. I have a Docker instance running and I want to test a SMART on FHIR (machine-to-machine) connection through openEMR.

I’ve been able to test Swagger and also the API through Postman with oAuth2 (I read this post “trouble-authenticating-a-client-for-fhir-api-access/20737/23” and it helped me with the “postman state field null issue”)

So, I have tested Swagger and Postman and they work fine. Now, I want to replicate SMARTonFHIR workflows for backend services:

Backend Services - SMART App Launch v2.2.0

And I get this response when requesting the token:
POST https://{my_instance}/oauth2/default/token
{
  "error": "invalid_client",
  "error_description": "Client authentication failed",
  "message": "Client authentication failed"
}

I’m sending these parameters:

grant_type:client_credentials
scope:system/Patient.read
client_assertion_type:urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion:eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCIsImtpZCI6IjUxZWQ4MGVkLTNhZjItNGFiZi1iNWNjLTkzZTY5NjQ1YjY2ZCJ9.eyJpc3MiOiIycU9xVzRSNWE4cjl0N0VsTWhVMGQycEtEcG1VT3JZcllXd2VkeHFGYmZvIiwic3ViIjoiMnFPcVc0UjVhOHI5dDdFbE1oVTBkMnBLRHBtVU9yWXJZV3dlZHhxRmJmbyIsImF1ZCI6Imh0dHBzOi8vbXlJUC9vYXV0aDIvZGVmYXVsdC90b2tlbiIsImV4cCI6MTY4MDAwMDAwMCwiaWF0IjoxNjc5OTkwMDAwLCJqdGkiOiJhYmMxMjMzNDM0MjMyMyJ9.M8x9pDlislDvlQg7soi9iLJAoVfrKrR1n-uY1y6Cj85yE0YVEmrCx_cVCprNNXhCdZTugRlDs7xKAu71gSpZSIRIbFozn3mA5fR4mslL6shGcYWyiaZ04GNHusS1sh4fa-jzjnr1833IYdLYXmLwKOPk78JJQMM–QKsiWFThgNyCB0yiFvBiiv8nesSq0AlL1o2ubxJD7OBtsnqLBezuGt51NINcMmYM—oGTQLR18LcNTBFjlE0GQxX1tAqrqKmGc-2bgmLdN0ZjKxg_7jgufXtnsXqKdu7m3wuKH4waSJmVBvqTR05flXmGaYIIjhd1-V93Nx0UFIHvCvVq6lA

the kid header matches with my jwks kid value
the sub and the iss claims are my client_id
the aud is my URL (for security reasons, my ip is not in this example)

The JWT has been signed using jwt.io (just for testing purposes), with the public and private key used together with my JWKS, and the API Client has a URI with that JWKS running fine. I’ve been following all the steps and I have the JWT with the headers and the claims according to the SMARTonFHIR specs.

I can even see that openEMR is calling my JWKS URI, which is replying with 200 OK.

I have explored the logs by:
tail -f /var/log/apache2/error.log
tail -f /var/log/apache2/access.log

but the logs are not enough, and I don’t know how to change the log level to see more.

Can anyone help me please?

Thank you so much
Pedro.

Finally solved here: Use FHIR in open EMR V7 - OpenEMR Development - OpenEMR Community

Thank you in any case :)

Glad you got it worked out, not sure if the issue was you were working off SMART on FHIR 2.2 when we only support v1.0. Our plan is to update to SMART on FHIR 2.2 this year.

Hi Stephen.

Actually, I was able to replicate the flow for backend services in SMART on FHIR v2.2, in openEMR (perhaps, it has not changed so much from v1)

My issue was related to the JWKS, but I was able to solve it by using the tool that @Mandrake shared in the post that I mentioned in my comment (mkjwk - JSON Web Key Generator)

Thank you so much!
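
A local pre-flight check for the kind of client assertion and JWKS discussed in this thread, as an added example that is not part of the original posts or of OpenEMR's code. It checks the structural rules the SMART Backend Services spec places on the assertion (RS384/ES384, `kid` present in the JWKS, `iss` = `sub` = client_id, `aud` = token URL, `jti`, `exp` at most five minutes ahead) and does not verify the signature; the client id, URL, key id and key values are constructed placeholders.

```python
import base64, json, time

ALG_TO_KTY = {"RS384": "RSA", "ES384": "EC"}   # algorithms the SMART Backend Services spec names
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi"}  # JWK members that belong only to a private key

def _decode(seg):
    """Decode one base64url JWT segment (padding restored) to a dict."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def _encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def preflight(assertion, jwks, client_id, token_url, now=None):
    """Return a list of problems (empty = structurally OK). Signature is NOT verified."""
    now = time.time() if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWS"]
    try:
        header, claims = _decode(parts[0]), _decode(parts[1])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    problems = []
    alg, kid = header.get("alg"), header.get("kid")
    if alg not in ALG_TO_KTY:
        problems.append(f"alg {alg!r} is not RS384 or ES384")
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    if kid is None or key is None:
        problems.append(f"no JWKS key with kid {kid!r}")
    else:
        if key.get("kty") != ALG_TO_KTY.get(alg):
            problems.append(f"JWK kty {key.get('kty')!r} does not fit alg {alg!r}")
        if PRIVATE_MEMBERS & key.keys():
            problems.append("published JWKS contains private key members")
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        problems.append("iss and sub must both equal the client_id")
    if claims.get("aud") != token_url:
        problems.append("aud is not the token endpoint URL")
    if not claims.get("jti"):
        problems.append("jti is missing")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp is missing or already in the past")
    elif exp - now > 300:
        problems.append("exp is more than five minutes in the future")
    return problems

# Constructed sample (hypothetical client id, URL and key id; placeholder key and signature).
NOW, CID, URL = 1_700_000_000, "example-client-id", "https://emr.example/oauth2/default/token"
JWKS = {"keys": [{"kty": "RSA", "kid": "k1", "n": "placeholder", "e": "AQAB"}]}
def sample(exp_offset, kid="k1"):
    claims = {"iss": CID, "sub": CID, "aud": URL, "exp": NOW + exp_offset, "jti": "constructed-1"}
    return ".".join([_encode({"alg": "RS384", "typ": "JWT", "kid": kid}), _encode(claims), "sig"])
```

An empty list only means the assertion and JWKS are well-formed; the server still has to verify the signature against the published public key.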