Failed - Invalid Client

Hi,
I have reviewed the OpenEMR - OpenEMR FHIR Lecture Series: Lecture 2 - FHIR Bulk Data in OpenEMR available on YouTube.

By following the steps,

  • Step 1 : I have to register a client using the below request,
{
    "application_type": "private",
    "redirect_uris": [
        "https://localhost:9300/swagger/oauth2-redirect.html"
    ],
    "client_name": "Demo Client",
    "token_endpoint_auth_method": "client_secret_post",
    "contacts": [
        "demo@email.com"
    ],
    "scope": "openid offline_access api:oemr api:fhir api:port user/allergy.read user/allergy.write user/appointment.read user/appointment.write user/dental_issue.read user/dental_issue.write user/document.read user/document.write user/drug.read user/encounter.read user/encounter.write user/facility.read user/facility.write user/immunization.read user/insurance.read user/insurance.write user/insurance_company.read user/insurance_company.write user/insurance_type.read user/list.read user/medical_problem.read user/medical_problem.write user/medication.read user/medication.write user/message.write user/patient.read user/patient.write user/practitioner.read user/practitioner.write user/prescription.read user/procedure.read user/soap_note.read user/soap_note.write user/surgery.read user/surgery.write user/transaction.read user/transaction.write user/vital.read user/vital.write user/AllergyIntolerance.read user/CareTeam.read user/Condition.read user/Coverage.read user/Encounter.read user/Immunization.read user/Location.read user/Medication.read user/MedicationRequest.read user/Observation.read user/Organization.read user/Organization.write user/Patient.read user/Patient.write user/Practitioner.read user/Practitioner.write user/PractitionerRole.read user/Procedure.read patient/encounter.read patient/patient.read patient/AllergyIntolerance.read patient/CareTeam.read patient/Condition.read patient/Coverage.read patient/Encounter.read patient/Immunization.read patient/MedicationRequest.read patient/Observation.read patient/Patient.read patient/Procedure.read system/*.$export system/Group.$export system/*.$bulkdata-status system/Patient.$export",
    "jwks": {
        "keys": [
            {
                "kty": "RSA",
                "alg": "RS384",
                "n": "06xjYheTZNmHpLk00Aeg0luveX6SoUbOHjbLYEYTWeYb9BrA5p1dBCb7WL7dJivtCxdg6jED5a95tGF-ZwSmsWZo2IFJrFJB_RMCk1QFnk7Gy1A4LBYc4MU33PgchmV55_x3XQBfU1haw9Z-5bHRpUPCOtnXncQAg_aqrPFuhVU4sN7Ns2sF2ZlA7UkYIJiX0w0s_bLO8Hx3z4ho4O1rOAkg1Ikneprvcm94uO_u1qUTvLzzKSvHE_OetoRzzjr_WPO_YLPtigtByRMLsoS0gRSrheDoAowSK7VIvab6yoT5p58fvb7D_mQt9FGiExjJ1p3EmdzSLNbI4OJKHbXAAw",
                "e": "AQAB",
                "key_ops": [
                    "verify"
                ],
                "ext": true,
                "kid": "d2bd8bb3aba788178a3ecea0bb23ee52"
            }
        ]
    }
}

and I got the response,

{"client_id":"ol2oQjmG2n318hO8JIXZxNxtdGNa5KGjc9mplPMONg8","client_secret":"hkhX9EfgataMSPoT-xZezo5vaANyF7P0tt6Iv0vbDHdaoZNhC0PhgTQALpPh0GurelRK_mWsLc41UvigI6C2pw","registration_access_token":"fVEBqyI1I79NyRJ8HnGmoIMbeMEIfvSQYYcLuAU8dXo","registration_client_uri":"https:\/\/localhost:9300\/oauth2\/default\/client\/cF9C8PbhO7Ai16Je6ucgLg","client_id_issued_at":1683787478,"client_secret_expires_at":0,"client_role":"user","contacts":["akash@breezeware.net"],"application_type":"private","client_name":"Demo Client","redirect_uris":["https:\/\/localhost:9300\/swagger\/oauth2-redirect.html"],"token_endpoint_auth_method":"client_secret_post","jwks":{"keys":[{"kty":"RSA","alg":"RS384","n":"06xjYheTZNmHpLk00Aeg0luveX6SoUbOHjbLYEYTWeYb9BrA5p1dBCb7WL7dJivtCxdg6jED5a95tGF-ZwSmsWZo2IFJrFJB_RMCk1QFnk7Gy1A4LBYc4MU33PgchmV55_x3XQBfU1haw9Z-5bHRpUPCOtnXncQAg_aqrPFuhVU4sN7Ns2sF2ZlA7UkYIJiX0w0s_bLO8Hx3z4ho4O1rOAkg1Ikneprvcm94uO_u1qUTvLzzKSvHE_OetoRzzjr_WPO_YLPtigtByRMLsoS0gRSrheDoAowSK7VIvab6yoT5p58fvb7D_mQt9FGiExjJ1p3EmdzSLNbI4OJKHbXAAw","e":"AQAB","key_ops":["verify"],"ext":true,"kid":"d2bd8bb3aba788178a3ecea0bb23ee52"}]},"scope":"openid offline_access api:oemr api:fhir api:port user\/allergy.read user\/allergy.write user\/appointment.read user\/appointment.write user\/dental_issue.read user\/dental_issue.write user\/document.read user\/document.write user\/drug.read user\/encounter.read user\/encounter.write user\/facility.read user\/facility.write user\/immunization.read user\/insurance.read user\/insurance.write user\/insurance_company.read user\/insurance_company.write user\/insurance_type.read user\/list.read user\/medical_problem.read user\/medical_problem.write user\/medication.read user\/medication.write user\/message.write user\/patient.read user\/patient.write user\/practitioner.read user\/practitioner.write user\/prescription.read user\/procedure.read user\/soap_note.read user\/soap_note.write user\/surgery.read user\/surgery.write user\/transaction.read 
user\/transaction.write user\/vital.read user\/vital.write user\/AllergyIntolerance.read user\/CareTeam.read user\/Condition.read user\/Coverage.read user\/Encounter.read user\/Immunization.read user\/Location.read user\/Medication.read user\/MedicationRequest.read user\/Observation.read user\/Organization.read user\/Organization.write user\/Patient.read user\/Patient.write user\/Practitioner.read user\/Practitioner.write user\/PractitionerRole.read user\/Procedure.read patient\/encounter.read patient\/patient.read patient\/AllergyIntolerance.read patient\/CareTeam.read patient\/Condition.read patient\/Coverage.read patient\/Encounter.read patient\/Immunization.read patient\/MedicationRequest.read patient\/Observation.read patient\/Patient.read patient\/Procedure.read system\/*.$export system\/Group.$export system\/*.$bulkdata-status system\/Patient.$export"}
  • Step 2 : I have created a client assertion using the below request,
./bin/command-runner -c CreateClientCredentialsAssertion -i ol2oQjmG2n318hO8JIXZxNxtdGNa5KGjc9mplPMONg8 -a https://localhost:9300/oauth2/default/token

and I got the response,

Executing command 'CreateClientCredentialsAssertion'
Generated Client Credentials Assertion
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzM4NCJ9.eyJpc3MiOiJvbDJvUWptRzJuMzE4aE84SklYWnhOeHRkR05hNUtHamM5bXBsUE1PTmc4IiwiYXVkIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6OTMwMC9vYXV0aDIvZGVmYXVsdC90b2tlbiIsImp0aSI6IjA5MWZmMzVhLTE0YTUtNDM0Ni1hMTdhLWY4NDQ1YzBhZWJlMSIsImlhdCI6MTY4Mzc4ODQwMi4zOTQ0MDQsIm5iZiI6MTY4Mzc4ODQwMi4zOTQ0MDQsImV4cCI6MTY4Mzc4ODQ2Mi4zOTQ0MDQsInN1YiI6Im9sMm9Ram1HMm4zMThoTzhKSVhaeE54dGRHTmE1S0dqYzltcGxQTU9OZzgifQ.w4kJDjesc5C5sMDubp_VThFyhR74ChUdiDsxSRmdhFNoFtfXmsOumqyRN8_qB-wWrYjNiNIRfp91Vc4pt7KmBjRwm3F8KSY1Mq0jxoImUXv1Um0VDEJkJFi0n2LU9M8jkHG-PUqhLRBnx28BzZYJPZDgymNFq5c1qGJ71CVeXm3OnAjbMAIjpetaeoBCaZ8ovwCaWFdL9VIEmkLBei9wikQFUict9Bq4pmuo4nYak-5niMXZwJ3KEfAVrYkKwQdvKNYsU4esSWCTdYq20T0YcoQYjsOUInTKLNfsslundYSVaGPX0SZrgYWLe1bKUMIt31ySJvKWgP7lwm7RTCaGZ3C8S60R4clMX2VOWlr6tBaN9Zlcn_KY8bAAz0mRH36kcr1NHl2MhHnBqVlBMoqn00VRY7_OYwefPnHkF7NOsMZj4iYdJBH213WUe_BQytkkXTbNv9cLIQBoZc9t254TI9QLtKmQrR20zp_gX5MwZqg17Bke_4wpe59Q1BT9ygc9_3KnQ42TlOeYjDfgXwsJLI2CupfAzjlZSOJ-yxzJVskx403Mit9Pp2wEK4xNjEIXZajcqaSIRMw2kJ7s5UdBLWYUrAAPfkHcvUGkP6DAzop1s8-OA4OBm7jQskfTpbD8fzu0vAmGHi6rIGAZxv56CnLN4VgCn5yCcrej_Jn88cA


Sample CURL request using assertion: 
--> curl -k -X POST --data-urlencode "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
  --data-urlencode "client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzM4NCJ9.eyJpc3MiOiJvbDJvUWptRzJuMzE4aE84SklYWnhOeHRkR05hNUtHamM5bXBsUE1PTmc4IiwiYXVkIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6OTMwMC9vYXV0aDIvZGVmYXVsdC90b2tlbiIsImp0aSI6IjA5MWZmMzVhLTE0YTUtNDM0Ni1hMTdhLWY4NDQ1YzBhZWJlMSIsImlhdCI6MTY4Mzc4ODQwMi4zOTQ0MDQsIm5iZiI6MTY4Mzc4ODQwMi4zOTQ0MDQsImV4cCI6MTY4Mzc4ODQ2Mi4zOTQ0MDQsInN1YiI6Im9sMm9Ram1HMm4zMThoTzhKSVhaeE54dGRHTmE1S0dqYzltcGxQTU9OZzgifQ.w4kJDjesc5C5sMDubp_VThFyhR74ChUdiDsxSRmdhFNoFtfXmsOumqyRN8_qB-wWrYjNiNIRfp91Vc4pt7KmBjRwm3F8KSY1Mq0jxoImUXv1Um0VDEJkJFi0n2LU9M8jkHG-PUqhLRBnx28BzZYJPZDgymNFq5c1qGJ71CVeXm3OnAjbMAIjpetaeoBCaZ8ovwCaWFdL9VIEmkLBei9wikQFUict9Bq4pmuo4nYak-5niMXZwJ3KEfAVrYkKwQdvKNYsU4esSWCTdYq20T0YcoQYjsOUInTKLNfsslundYSVaGPX0SZrgYWLe1bKUMIt31ySJvKWgP7lwm7RTCaGZ3C8S60R4clMX2VOWlr6tBaN9Zlcn_KY8bAAz0mRH36kcr1NHl2MhHnBqVlBMoqn00VRY7_OYwefPnHkF7NOsMZj4iYdJBH213WUe_BQytkkXTbNv9cLIQBoZc9t254TI9QLtKmQrR20zp_gX5MwZqg17Bke_4wpe59Q1BT9ygc9_3KnQ42TlOeYjDfgXwsJLI2CupfAzjlZSOJ-yxzJVskx403Mit9Pp2wEK4xNjEIXZajcqaSIRMw2kJ7s5UdBLWYUrAAPfkHcvUGkP6DAzop1s8-OA4OBm7jQskfTpbD8fzu0vAmGHi6rIGAZxv56CnLN4VgCn5yCcrej_Jn88cA" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "scope=system/*.\$export system/*.\$bulkdata-status system/Group.\$export system/Patient.\$export system/Encounter.read system/Binary.read" https://localhost:9300/oauth2/default/token
  • Step 3 : I tried the CURL request and got the response,
{
    "error": "invalid_client",
    "error_description": "Client authentication failed",
    "message": "Client authentication failed"
}

Can anyone please help me find the solution?
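
An added example, not part of the original post and not OpenEMR's own validation code: a Python pre-flight check that decodes a client assertion like the one in Step 2 and compares its claims and the requested scopes with the registration from Step 1. It follows the generic RFC 7523 claim rules and does not verify the signature; the client id, timestamps and token are constructed placeholders.

```python
import base64, json, time

def b64url_json(part):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def preflight(assertion, registration, token_endpoint, requested_scope, now=None):
    """List mismatches between an assertion and a registration (signature NOT verified)."""
    now = time.time() if now is None else now
    header_b64, payload_b64, _sig = assertion.split(".")
    header, claims = b64url_json(header_b64), b64url_json(payload_b64)
    client_id = registration["client_id"]
    findings = []
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        findings.append("iss/sub do not both equal the registered client_id")
    if claims.get("aud") != token_endpoint:
        findings.append("aud is not the token endpoint URL")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        findings.append("assertion is outside its nbf/exp window")
    algs = {k.get("alg") for k in registration.get("jwks", {}).get("keys", [])}
    if header.get("alg") not in algs:
        findings.append("header alg matches no registered JWK")
    extra = set(requested_scope.split()) - set(registration.get("scope", "").split())
    if extra:
        findings.append("scopes not in registration: " + " ".join(sorted(extra)))
    return findings

def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample data: placeholder client id and times; scope names as in the post.
REGISTRATION = {
    "client_id": "example-client-id",
    "scope": "system/*.$export system/Group.$export system/*.$bulkdata-status system/Patient.$export",
    "jwks": {"keys": [{"kty": "RSA", "alg": "RS384"}]},
}
ENDPOINT = "https://localhost:9300/oauth2/default/token"
ISSUED = 1700000000
SAMPLE = ".".join([
    _seg({"typ": "JWT", "alg": "RS384"}),
    _seg({"iss": "example-client-id", "sub": "example-client-id", "aud": ENDPOINT,
          "iat": ISSUED, "nbf": ISSUED, "exp": ISSUED + 60}),
    "signature-not-checked",
])
REQUESTED = "system/*.$export system/Patient.$export system/Encounter.read system/Binary.read"

if __name__ == "__main__":
    for when in (ISSUED + 10, ISSUED + 300):
        print(when, preflight(SAMPLE, REGISTRATION, ENDPOINT, REQUESTED, now=when))
```

An empty list means the readable parts of the assertion agree with the registration; the server's signature check against the registered key still has to pass separately.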

Have you made sure that you enabled your client in the admin GUI tools? Confidential clients must be manually enabled by a provider in order to work.

Hi Stephen,
I have already enabled the Confidential clients.

Hello, were you able to fix the error?