Failed - Invalid Client

Hi,
I have reviewed the OpenEMR - OpenEMR FHIR Lecture Series: Lecture 2 - FHIR Bulk Data in OpenEMR available on YouTube.

By following the steps,

  • Step 1 : I have to register a client using the below request,
{
    "application_type": "private",
    "redirect_uris": [
        "https://localhost:9300/swagger/oauth2-redirect.html"
    ],
    "client_name": "Demo Client",
    "token_endpoint_auth_method": "client_secret_post",
    "contacts": [
        "demo@email.com"
    ],
    "scope": "openid offline_access api:oemr api:fhir api:port user/allergy.read user/allergy.write user/appointment.read user/appointment.write user/dental_issue.read user/dental_issue.write user/document.read user/document.write user/drug.read user/encounter.read user/encounter.write user/facility.read user/facility.write user/immunization.read user/insurance.read user/insurance.write user/insurance_company.read user/insurance_company.write user/insurance_type.read user/list.read user/medical_problem.read user/medical_problem.write user/medication.read user/medication.write user/message.write user/patient.read user/patient.write user/practitioner.read user/practitioner.write user/prescription.read user/procedure.read user/soap_note.read user/soap_note.write user/surgery.read user/surgery.write user/transaction.read user/transaction.write user/vital.read user/vital.write user/AllergyIntolerance.read user/CareTeam.read user/Condition.read user/Coverage.read user/Encounter.read user/Immunization.read user/Location.read user/Medication.read user/MedicationRequest.read user/Observation.read user/Organization.read user/Organization.write user/Patient.read user/Patient.write user/Practitioner.read user/Practitioner.write user/PractitionerRole.read user/Procedure.read patient/encounter.read patient/patient.read patient/AllergyIntolerance.read patient/CareTeam.read patient/Condition.read patient/Coverage.read patient/Encounter.read patient/Immunization.read patient/MedicationRequest.read patient/Observation.read patient/Patient.read patient/Procedure.read system/*.$export system/Group.$export system/*.$bulkdata-status system/Patient.$export",
    "jwks": {
        "keys": [
            {
                "kty": "RSA",
                "alg": "RS384",
                "n": "06xjYheTZNmHpLk00Aeg0luveX6SoUbOHjbLYEYTWeYb9BrA5p1dBCb7WL7dJivtCxdg6jED5a95tGF-ZwSmsWZo2IFJrFJB_RMCk1QFnk7Gy1A4LBYc4MU33PgchmV55_x3XQBfU1haw9Z-5bHRpUPCOtnXncQAg_aqrPFuhVU4sN7Ns2sF2ZlA7UkYIJiX0w0s_bLO8Hx3z4ho4O1rOAkg1Ikneprvcm94uO_u1qUTvLzzKSvHE_OetoRzzjr_WPO_YLPtigtByRMLsoS0gRSrheDoAowSK7VIvab6yoT5p58fvb7D_mQt9FGiExjJ1p3EmdzSLNbI4OJKHbXAAw",
                "e": "AQAB",
                "key_ops": [
                    "verify"
                ],
                "ext": true,
                "kid": "d2bd8bb3aba788178a3ecea0bb23ee52"
            }
        ]
    }
}

and I got the response,

{"client_id":"ol2oQjmG2n318hO8JIXZxNxtdGNa5KGjc9mplPMONg8","client_secret":"hkhX9EfgataMSPoT-xZezo5vaANyF7P0tt6Iv0vbDHdaoZNhC0PhgTQALpPh0GurelRK_mWsLc41UvigI6C2pw","registration_access_token":"fVEBqyI1I79NyRJ8HnGmoIMbeMEIfvSQYYcLuAU8dXo","registration_client_uri":"https:\/\/localhost:9300\/oauth2\/default\/client\/cF9C8PbhO7Ai16Je6ucgLg","client_id_issued_at":1683787478,"client_secret_expires_at":0,"client_role":"user","contacts":["akash@breezeware.net"],"application_type":"private","client_name":"Demo Client","redirect_uris":["https:\/\/localhost:9300\/swagger\/oauth2-redirect.html"],"token_endpoint_auth_method":"client_secret_post","jwks":{"keys":[{"kty":"RSA","alg":"RS384","n":"06xjYheTZNmHpLk00Aeg0luveX6SoUbOHjbLYEYTWeYb9BrA5p1dBCb7WL7dJivtCxdg6jED5a95tGF-ZwSmsWZo2IFJrFJB_RMCk1QFnk7Gy1A4LBYc4MU33PgchmV55_x3XQBfU1haw9Z-5bHRpUPCOtnXncQAg_aqrPFuhVU4sN7Ns2sF2ZlA7UkYIJiX0w0s_bLO8Hx3z4ho4O1rOAkg1Ikneprvcm94uO_u1qUTvLzzKSvHE_OetoRzzjr_WPO_YLPtigtByRMLsoS0gRSrheDoAowSK7VIvab6yoT5p58fvb7D_mQt9FGiExjJ1p3EmdzSLNbI4OJKHbXAAw","e":"AQAB","key_ops":["verify"],"ext":true,"kid":"d2bd8bb3aba788178a3ecea0bb23ee52"}]},"scope":"openid offline_access api:oemr api:fhir api:port user\/allergy.read user\/allergy.write user\/appointment.read user\/appointment.write user\/dental_issue.read user\/dental_issue.write user\/document.read user\/document.write user\/drug.read user\/encounter.read user\/encounter.write user\/facility.read user\/facility.write user\/immunization.read user\/insurance.read user\/insurance.write user\/insurance_company.read user\/insurance_company.write user\/insurance_type.read user\/list.read user\/medical_problem.read user\/medical_problem.write user\/medication.read user\/medication.write user\/message.write user\/patient.read user\/patient.write user\/practitioner.read user\/practitioner.write user\/prescription.read user\/procedure.read user\/soap_note.read user\/soap_note.write user\/surgery.read user\/surgery.write user\/transaction.read 
user\/transaction.write user\/vital.read user\/vital.write user\/AllergyIntolerance.read user\/CareTeam.read user\/Condition.read user\/Coverage.read user\/Encounter.read user\/Immunization.read user\/Location.read user\/Medication.read user\/MedicationRequest.read user\/Observation.read user\/Organization.read user\/Organization.write user\/Patient.read user\/Patient.write user\/Practitioner.read user\/Practitioner.write user\/PractitionerRole.read user\/Procedure.read patient\/encounter.read patient\/patient.read patient\/AllergyIntolerance.read patient\/CareTeam.read patient\/Condition.read patient\/Coverage.read patient\/Encounter.read patient\/Immunization.read patient\/MedicationRequest.read patient\/Observation.read patient\/Patient.read patient\/Procedure.read system\/*.$export system\/Group.$export system\/*.$bulkdata-status system\/Patient.$export"}
  • Step 2 : Have created a client assertion using the below request,
./bin/command-runner -c CreateClientCredentialsAssertion -i ol2oQjmG2n318hO8JIXZxNxtdGNa5KGjc9mplPMONg8 -a https://localhost:9300/oauth2/default/token

and I got the response,

Executing command 'CreateClientCredentialsAssertion'
Generated Client Credentials Assertion
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzM4NCJ9.eyJpc3MiOiJvbDJvUWptRzJuMzE4aE84SklYWnhOeHRkR05hNUtHamM5bXBsUE1PTmc4IiwiYXVkIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6OTMwMC9vYXV0aDIvZGVmYXVsdC90b2tlbiIsImp0aSI6IjA5MWZmMzVhLTE0YTUtNDM0Ni1hMTdhLWY4NDQ1YzBhZWJlMSIsImlhdCI6MTY4Mzc4ODQwMi4zOTQ0MDQsIm5iZiI6MTY4Mzc4ODQwMi4zOTQ0MDQsImV4cCI6MTY4Mzc4ODQ2Mi4zOTQ0MDQsInN1YiI6Im9sMm9Ram1HMm4zMThoTzhKSVhaeE54dGRHTmE1S0dqYzltcGxQTU9OZzgifQ.w4kJDjesc5C5sMDubp_VThFyhR74ChUdiDsxSRmdhFNoFtfXmsOumqyRN8_qB-wWrYjNiNIRfp91Vc4pt7KmBjRwm3F8KSY1Mq0jxoImUXv1Um0VDEJkJFi0n2LU9M8jkHG-PUqhLRBnx28BzZYJPZDgymNFq5c1qGJ71CVeXm3OnAjbMAIjpetaeoBCaZ8ovwCaWFdL9VIEmkLBei9wikQFUict9Bq4pmuo4nYak-5niMXZwJ3KEfAVrYkKwQdvKNYsU4esSWCTdYq20T0YcoQYjsOUInTKLNfsslundYSVaGPX0SZrgYWLe1bKUMIt31ySJvKWgP7lwm7RTCaGZ3C8S60R4clMX2VOWlr6tBaN9Zlcn_KY8bAAz0mRH36kcr1NHl2MhHnBqVlBMoqn00VRY7_OYwefPnHkF7NOsMZj4iYdJBH213WUe_BQytkkXTbNv9cLIQBoZc9t254TI9QLtKmQrR20zp_gX5MwZqg17Bke_4wpe59Q1BT9ygc9_3KnQ42TlOeYjDfgXwsJLI2CupfAzjlZSOJ-yxzJVskx403Mit9Pp2wEK4xNjEIXZajcqaSIRMw2kJ7s5UdBLWYUrAAPfkHcvUGkP6DAzop1s8-OA4OBm7jQskfTpbD8fzu0vAmGHi6rIGAZxv56CnLN4VgCn5yCcrej_Jn88cA


Sample CURL request using assertion: 
--> curl -k -X POST --data-urlencode "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
  --data-urlencode "client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzM4NCJ9.eyJpc3MiOiJvbDJvUWptRzJuMzE4aE84SklYWnhOeHRkR05hNUtHamM5bXBsUE1PTmc4IiwiYXVkIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6OTMwMC9vYXV0aDIvZGVmYXVsdC90b2tlbiIsImp0aSI6IjA5MWZmMzVhLTE0YTUtNDM0Ni1hMTdhLWY4NDQ1YzBhZWJlMSIsImlhdCI6MTY4Mzc4ODQwMi4zOTQ0MDQsIm5iZiI6MTY4Mzc4ODQwMi4zOTQ0MDQsImV4cCI6MTY4Mzc4ODQ2Mi4zOTQ0MDQsInN1YiI6Im9sMm9Ram1HMm4zMThoTzhKSVhaeE54dGRHTmE1S0dqYzltcGxQTU9OZzgifQ.w4kJDjesc5C5sMDubp_VThFyhR74ChUdiDsxSRmdhFNoFtfXmsOumqyRN8_qB-wWrYjNiNIRfp91Vc4pt7KmBjRwm3F8KSY1Mq0jxoImUXv1Um0VDEJkJFi0n2LU9M8jkHG-PUqhLRBnx28BzZYJPZDgymNFq5c1qGJ71CVeXm3OnAjbMAIjpetaeoBCaZ8ovwCaWFdL9VIEmkLBei9wikQFUict9Bq4pmuo4nYak-5niMXZwJ3KEfAVrYkKwQdvKNYsU4esSWCTdYq20T0YcoQYjsOUInTKLNfsslundYSVaGPX0SZrgYWLe1bKUMIt31ySJvKWgP7lwm7RTCaGZ3C8S60R4clMX2VOWlr6tBaN9Zlcn_KY8bAAz0mRH36kcr1NHl2MhHnBqVlBMoqn00VRY7_OYwefPnHkF7NOsMZj4iYdJBH213WUe_BQytkkXTbNv9cLIQBoZc9t254TI9QLtKmQrR20zp_gX5MwZqg17Bke_4wpe59Q1BT9ygc9_3KnQ42TlOeYjDfgXwsJLI2CupfAzjlZSOJ-yxzJVskx403Mit9Pp2wEK4xNjEIXZajcqaSIRMw2kJ7s5UdBLWYUrAAPfkHcvUGkP6DAzop1s8-OA4OBm7jQskfTpbD8fzu0vAmGHi6rIGAZxv56CnLN4VgCn5yCcrej_Jn88cA" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "scope=system/*.\$export system/*.\$bulkdata-status system/Group.\$export system/Patient.\$export system/Encounter.read system/Binary.read" https://localhost:9300/oauth2/default/token
  • Step 3 : Tried the CURL request and got the response,
{
    "error": "invalid_client",
    "error_description": "Client authentication failed",
    "message": "Client authentication failed"
}

Can anyone please help me find the solution?

Have you made sure that you enabled your client in the admin GUI tools? Confidential clients must be manually enabled by a provider in order to work.

Hi Stephen,
I have already enabled the Confidential clients.

Hello, were you able to fix the error?

Did you ever get a response to this? It seems like it is a persisting problem even with the demo versions.

Turn on the system debug logs and look at the error messages. People continue to have ‘persistent’ problems because they don’t have things set up correctly. If there truly is a bug, we can’t know it without people turning on the logs and giving us details into what is going on. Invariably they’ve set up the FHIR URL incorrectly, the audience parameter in the credentials grant incorrectly, etc. If we have more details and there is an actual bug, we can work on it.
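
Added example (not part of the thread and not OpenEMR code): a local pre-flight check of the values the last reply points at, run before the assertion is sent to the token endpoint. It decodes the unverified claims of a client assertion and compares them with the registration; the client id, sample claims and function names are constructed for illustration, and the endpoint URL is the one used in the thread.

```python
import base64
import json
import time

ENDPOINT = "https://localhost:9300/oauth2/default/token"  # token URL used in the thread
CLIENT = "example-client-id"  # constructed placeholder, not a real client_id


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def preflight(assertion, client_id, token_endpoint, registered_scope,
              requested_scope, registered_alg, now=None):
    """Return mismatches found in the UNVERIFIED claims (signature is not checked)."""
    now = time.time() if now is None else now
    header_b64, payload_b64, _sig = assertion.split(".")
    header, claims = _b64url_json(header_b64), _b64url_json(payload_b64)
    problems = []
    if header.get("alg") != registered_alg:
        problems.append(f"alg {header.get('alg')!r} != registered {registered_alg!r}")
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        problems.append("iss and sub must both equal the client_id")
    aud = claims.get("aud")
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} is not the token endpoint")
    if claims.get("exp", 0) <= now:
        problems.append(f"assertion expired {now - claims.get('exp', 0):.0f}s ago")
    if claims.get("nbf", 0) > now:
        problems.append("assertion not yet valid (nbf in the future)")
    extra = set(requested_scope.split()) - set(registered_scope.split())
    if extra:
        problems.append("scopes not registered: " + " ".join(sorted(extra)))
    return problems


def make_sample(claims, alg="RS384"):
    """Build a constructed, unsigned sample assertion for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': alg})}.{enc(claims)}.constructed-signature"


# Constructed sample: 60-second lifetime, audience set to the token endpoint.
SAMPLE = make_sample({"iss": CLIENT, "sub": CLIENT, "aud": ENDPOINT,
                      "iat": 1000, "nbf": 1000, "exp": 1060, "jti": "constructed"})

if __name__ == "__main__":
    for p in preflight(SAMPLE, CLIENT, ENDPOINT, "system/Patient.$export",
                       "system/Patient.$export system/Binary.read", "RS384", now=1100):
        print(p)
```

The assertion in the original post decodes to an `exp` 60 seconds after `iat`, so the expiry check matters whenever the curl request is run some time after the assertion was generated.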