Fhir auth public and private keys

OpenEMR Development
#1

Hello!
I just downloaded the latest openemr and xampp. Everything is setup and done.

I done want to use ssl if I dont have to.

From postman => http://localhost/openemr/apis/default/api/auth

Error:
Fatal error: Uncaught LogicException: Key path
"file://C:/xampp/htdocs/openemr/sites/default/documents/certificates/oapublic.key" does not exist or is not
readable in C:\xampp\htdocs\openemr\vendor\league\oauth2-server\src\CryptKey.php:52

I have tried this as well
http://localhost/openemr/apis/api/auth
Same thing but the path is to C:/xampp/htdocs/openemr/sites/api/documents/certificates/oapublic.key

Do I have to create oapublic.key and oaprivate.key even though I dont use ssl?, and if I have to, how do I do it?

I am extremely frustrated at the moment…

#2

https://community.open-emr.org/t/v6-authorization-and-api-changes-afoot/15450/8

You still need to us https protocol though. The keys mentioned in error are for token signing. Your server most likely won’t need a cert for domain but is advisable. The signing keys are automatically generated by auth server.

#3

I really appreciate your response Jerry!

I have now setup ssl and generated authorize files from openssl, and modified the config files to point to the files.

I dont get this =>

The signing keys are automatically generated by auth server.

I don’t have a “token” endpoint. Where can I find that one?

Didn’t have this endpoint either => default/password.

Do I have to download a separate oauth2 server?

#4

There is no need to config the authorization server. It act as the OIDC authentication provider and OA2 server. The keys referenced in the controller are the RS256 private and public keys for signing JWTs/tokens for client token signature verification.

The internal key pair is auto generated and encrypted by the server and has nothing to do with your domain certificates. So delete what you have done and leave that to the server.

One should not have to do anything except set the base url in globals. Brady may have updated the docs in root for this.

Think of the process as basically what happens when using the Google provider when signing in to a web site.

Plus I’d stay away from the password grant as I’m not sure in what form we will end up supporting.

The password grant is issued from the token endpoint.

#5

hi,
Just updated the api/fhir documentation for authorization here:
openemr/API_README.md at master · openemr/openemr · GitHub

#6

Thanks Jerry and Brady!

I found an OAuth client to download => GitHub - thephpleague/oauth2-client: Easy integration with OAuth 2.0 service providers.

I don’t have a folder named “registration”.

I try to call this endpoint but receives only HTML => https://localhost:9300/openemr/oauth2/Token
Do I have to install the OAuth client? I am not familiar with php.

My settings is following: (does it make sense?)
connector:
Site Address (required for oauth2 and fhir): https://localhost:9300/openemr/sites/default
FHIR Server Base Address: https://localhost:9300

security:
Enable Client SSL: YES
Path to CA Certificate File: C:\SSL\server.crt
Path to CA Key File: C:\SSL\server.key

httpd-ssl.conf:
Listen 9300

<VirtualHost default:9300>
SSLEngine on
SSLCertificateFile “conf/ssl.crt/server.crt”
SSLCertificateKeyFile “conf/ssl.key/server.key”
ServerName localhost:9300
</VirtualHost>

I feel kind of lost, please help!

#7

Hi.
Can anyone give me a hint of what I should do.

I think I have some problems understanding php endpoints. When I finally find a valid endpoint I see only HTML. I would like the oauth2 client server to run.

#8

Hi @perreq ,

There’s a bit of learning curve on this stuff (took me a while to figure things out with oauth2 stuff also). I haven’t tried the league oauth2 client. I am using the following client for testing:
GitHub - jumbojett/OpenID-Connect-PHP: Minimalist OpenID Connect client

And my client.php on this client is the following:

<?php

/**
 *
 * Copyright MITRE 2012
 *
 * OpenIDConnectClient for PHP5
 * Author: Michael Jett <mjett@mitre.org>
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License. You may obtain
 * a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations
 * under the License.
 *
 */

require __DIR__ . '/vendor/autoload.php';

use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient(
    'https://localhost:9300/oauth2/default',
    'J0OnFeXvWNF4B16bNU07cia_KC3Nrr57KybFPfJMZk8',
    'hXQ_vUMAb44LcjQ-O6J0SadfW4pqOAV9kEecGe42Peb9ytlh-ThTtn46yD9vH7gAO-9ogZ32ozfyXfFlhyZW5w'
);

$oidc->setVerifyPeer(false);
$oidc->setVerifyHost(false);

$oidc->authenticate();
$id = $oidc->getIdToken();;
$access = $oidc->getAccessToken();
$refresh = $oidc->getRefreshToken();
?>

<html>
<head>
    <title>Example OpenID Connect Client Use</title>
    <style>
        body {
            font-family: 'Lucida Grande', Verdana, Arial, sans-serif;
        }
    </style>
</head>
<body>
    <div>
        ID: <?php echo $id; ?>
    </div>
    <div>
        Access: <?php echo $access; ?>
    </div>
    <div>
        Refresh: <?php echo $refresh; ?>
    </div>
</body>
</html>

Then in my case (i have the client installed on my localhost), I start by going to:
https://localhost/oauth/client.php

Hope this helps to get things working for you. Let us know how it goes.

-brady

#9

Also,

To help with registration, here is a screenshot of how I do this on Postman (1st screenshot shows header setting and 2nd screenshot shows body setting)(also note to to set Postman to work with self-signed keys (ie. turn off host/peer verification) for the ssl stuff):

image
image1920×1080 283 KB

image
image1920×1080 295 KB

#10

Thanks brady, you are really great!

I had to install everything from the beginning.
But I have created my own Help-List, some real newbie can have that in Christmas present:

download xampp => https://www.apachefriends.org/download.html

install xampp

install openemr
git clone https://github.com/openemr/openemr.git

set soap-extenstion in php.ini (should be set per default)

open bash terminal (C:\xampp\htdocs\openemr)
composer install => will create vendors

open power terminal (C:\xampp\htdocs\openemr)
npm install
npm run dev

(will probably be stuck on this => Running gulp watch task… - just exit)

Make openemr-folder NOT read only

However. I realized one thing, if you mess up a certificate file, the apache will not start and you will get error messages referring to that your mysql-database is corrupt. (which is misleading)

I want to ask about 2 things:

  1. what certificates files am I suppose to do myself?

In httpd-ssl.conf there are file pointed to:

  • conf/ssl.crt/server.crt
  • conf/ssl.key/server.key

I dont touch them, I did and had to reinstall everything.

Then we have these in Globlas/security

  • Path to CA Certificate File
  • Path to CA Key File

I dont dare to set anything there now.
This is a little fragile, If you do some misstake in openemr or database in such a way that you are not able to start apache. You are in a dead end and have to reinstall.
And I do have to set passphrase, right? Yesterday I had to update the ‘keys’ table with a passphrase row.

  1. second question.
    I see in your header you have
    client_id, client_secret, registration_access_token

All with crazy random numbers. Is that fetched from somewhere or randomly generated.

I mean the purpose of the call is to retrieve a crazy number, not to provide :slight_smile:

#11

hi @perreq ,

Are you using windows or linux?

Regarding ssl on apache, this is really a separate issue from OpenEMR, and there are several ways to go about doing this (huge number of tutorials on line for this; if you are doing testing development, then would look into creating self-signed keys).

Regarding oauth2 related keys, these are all created automatically by OpenEMR the first time you use the oauth feature. The code that does this magic in OpenEMR is here:
openemr/AuthorizationController.php at master · openemr/openemr · GitHub

If you find yourself having to muck around with the keys table or the oaprivate.key/oapublic.key files, then that means something has gone wrong (would check out your php error log).

You are correct that the client_id/client_secret/registration_access_token are basically randomly generated values. Can see where they are born here :slight_smile:
openemr/AuthorizationController.php at master · openemr/openemr · GitHub

-brady

#12

Also, to clarify in the postman screenshots above, note that the lower portion of the screen is the reply from the oauth server in OpenEMR.

#13

Hi @brady.miller
I am working on windows using xampp for apache and php.

I am working on a middle layer between an application sending data and my application that will update different EMR systems with patient data, using rest API and fhir.

Sounds great that OpenEMR is handling everything with keys by itself when you send the “registration” endpoint.

I was thinking about these keys in the GUI “Globlas/security”:

  • Path to CA Certificate File
  • Path to CA Key File

If Im not suppose to set these myself I have to use the keys from the apache installation.
(xampp\apache\conf\ssl.crt)

If I am suppose to set those, should I use passphrase or not?

I really appreciate your support Brady!