Hello @Chad_Mowbray welcome to the OpenEMR community, and to the forum!
I know that individual preferences can vary a lot re: how people want their EMR to work. But my understanding of the rationale for making auto registration require human intervention is that it is a security measure. Most practices probably would not want to expose their EMRs to robo-registration since, among other things, it could fill up the database with new pt records and destabilize the server before any human was even aware of a problem. And the size of the penalty for improperly handled PII tends to be a deterrent for most folks from allowing that to happen.
Certainly, if you really wanted it to work that way I’m sure you could make it so. But I would recommend you review the HIPAA security requirements for EMR servers before you put real-life PII on them.
You can have a confidential client auto-enabled if you only request patient/* scopes in your app. From the documentation:
3rd party Apps using the confidential app profile are auto enabled if they are strictly a patient standalone app. A patient standalone app is one that only requests patient only scopes such as patient/*. A provider or system app (requesting permissions such as launch, user/*, system/*, etc) must be authorized by the OpenEMR Server Installation Administrator. Access Tokens issued to 3rd party apps are only valid for one hour and must be renewed with a refresh token which is valid for up to three months. Refresh tokens are only issued if the offline_access scope is authorized by the OpenEMR user authenticating with OpenEMR through their 3rd party app.
Source: openemr/FHIR_README.md at master · openemr/openemr · GitHub
If you want to programmatically enable a client, build a module that does the registration of your client and auto-enables it when the module is installed / enabled. You can also expose your own API endpoint in the module to do the auto-enabling but I don’t encourage it.
At some point we may implement something like the UDAP dynamic client registration system to support a more secure mechanism for auto-registering clients but it’s not anywhere on the roadmap unless someone is interested in funding it to be built.
The danger of auto-registering confidential apps is that they can access ANY patient data that the provider/admin user’s ACL supports, which is a security risk, and they can MODIFY any data that their user ACL can support. Patient standalone applications don’t have the same security threat surface as they are limited to a single patient.
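The auto-enable rule quoted from the FHIR_README above (patient/* only scopes get auto-enabled; launch, user/* or system/* scopes wait for an administrator; offline_access is what earns a refresh token), written out as an added Python illustration that is not OpenEMR's own code. The scope string is assumed to be space-separated as in a standard OAuth2 request, and the neutral scope names and the rule for a client with no patient/* scopes are my assumptions.

```python
"""Classify a client's requested scopes the way the quoted OpenEMR rule does.

Added illustration only; OpenEMR's real registration code is not reproduced here.
"""
from dataclasses import dataclass, field


@dataclass
class Decision:
    auto_enabled: bool              # True only for a patient standalone app
    refresh_token_eligible: bool    # True only when offline_access is requested
    privileged_scopes: list = field(default_factory=list)
    reason: str = ""


def _is_privileged(scope: str) -> bool:
    # Scopes that give the client provider- or system-level reach.
    return scope == "launch" or scope.startswith(("launch/", "user/", "system/"))


def classify_scopes(scope_string: str) -> Decision:
    """Decide whether a registration with these scopes would be auto-enabled."""
    scopes = scope_string.split()
    privileged = sorted(s for s in scopes if _is_privileged(s))
    patient_scopes = [s for s in scopes if s.startswith("patient/")]
    offline = "offline_access" in scopes

    if privileged:
        # Any user/*, system/* or launch scope makes this a provider/system app.
        return Decision(False, offline, privileged,
                        "provider/system scopes require administrator approval")
    if not patient_scopes:
        # Assumption: a client that asks for no patient/* scope at all is not a
        # patient standalone app either, so it is not auto-enabled.
        return Decision(False, offline, [], "no patient/* scopes requested")
    return Decision(True, offline, [],
                    "patient standalone app: only patient/* scopes requested")


if __name__ == "__main__":
    # Constructed sample requests, not real registrations.
    for req in ("openid fhirUser patient/Patient.read patient/Observation.read offline_access",
                "openid fhirUser user/Patient.read patient/Patient.read",
                "launch openid patient/Patient.read",
                "openid fhirUser"):
        print(f"{req!r:80} -> {classify_scopes(req)}")
```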
My app developer tried to register new patients using the API and he said that even new patient needs the admin to enable the API client manually.
I created a new topic to get help on this problem.
Can a standalone patient app work with just one API client, so that the admin does not need to manually enable each patient every time a new registration happens?