Getting 401 Unzuthorized on /fhir/Patient API on POST request but GET request works

Support
#1

Situation
Describe your problem here
I followed this doc:

to register a private client API on OpenEMR using the client_credentials grant_type. I was able to get the access token by hitting POST request on oauth2/default/token with body

{
“grant_type”: “client_credentials”
“client_assertion_type”: “urn:ietf:params:oauth:client-assertion-type:jwt-bearer”
“scopes”: “openid fhirUser online_access offline_access launch launch/patient api:fhir patient/AllergyIntolerance.read patient/Appointment.read patient/Binary.read patient/CarePlan.read patient/CareTeam.read patient/Condition.read patient/Coverage.read patient/Device.read patient/DiagnosticReport.read patient/DocumentReference.read patient/DocumentReference.$docref patient/Encounter.read patient/Goal.read patient/Immunization.read patient/Location.read patient/MedicationRequest.read patient/Medication.read patient/Observation.read patient/Organization.read patient/Patient.read patient/Person.read patient/Practitioner.read patient/Procedure.read patient/Provenance.read system/AllergyIntolerance.read system/Binary.read system/CarePlan.read system/CareTeam.read system/Condition.read system/Coverage.read system/Device.read system/DiagnosticReport.read system/DocumentReference.read system/DocumentReference.$docref system/Encounter.read system/Goal.read system/Group.read system/Group.$export system/Immunization.read system/Location.read system/MedicationRequest.read system/Medication.read system/Observation.read system/Organization.read system/Patient.read system/Patient.$export system/Person.read system/Practitioner.read system/PractitionerRole.read system/Procedure.read system/Provenance.read system/.$bulkdata-status system/.$export user/AllergyIntolerance.read user/Binary.read user/CarePlan.read user/CareTeam.read user/Condition.read user/Coverage.read user/Device.read user/DiagnosticReport.read user/DocumentReference.read user/DocumentReference.$docref user/Encounter.read user/Goal.read user/Immunization.read user/Location.read user/MedicationRequest.read user/Medication.read user/Observation.read user/Organization.read user/Organization.write user/Patient.read user/Patient.write user/Person.read user/Practitioner.read user/Practitioner.write user/PractitionerRole.read user/Procedure.read user/Provenance.read api:oemr user/allergy.read user/allergy.write user/appointment.read user/appointment.write user/dental_issue.read user/dental_issue.write user/document.read user/document.write user/drug.read user/encounter.read user/encounter.write user/facility.read user/facility.write user/immunization.read user/insurance.read user/insurance.write user/insurance_company.read user/insurance_company.write user/insurance_type.read user/list.read user/medical_problem.read user/medical_problem.write user/medication.read user/medication.write user/message.write user/patient.read user/patient.write user/practitioner.read user/practitioner.write user/prescription.read user/procedure.read user/soap_note.read user/soap_note.write user/surgery.read user/surgery.write user/transaction.read user/transaction.write user/vital.read user/vital.write api:port patient/encounter.read patient/patient.read patient/appointment.read”
“client_assertion”: “jwt encoded token”
}

When I use the token as bearre auth on GET endpoint /fhir/Patient I get 200 status codes and all patients list. But when I follow the above steps (generate new bearer auth from jwt) and use the new token on same endpoint but POST request, I am getting 401 unauthorized.

I change the jti value in jwt payload every time to generate unique jwt encoded token.

OpenEMR Version
I’m using OpenEMR version 7.0.0

Browser:
I’m using: POSTMAN

Operating System
I’m using: OpenEMR from AWS lightsail

Logs
Did you check the logs? Yes
Was there anything pertinent in them? No just warning:

[Thu Mar 23 17:46:06.190919 2023] [mpm_prefork:notice] [pid 156] AH00163: Apache/2.4.55 (Unix) OpenSSL/1.1.1s configured -- resuming normal operations
[Thu Mar 23 17:46:06.191075 2023] [core:notice] [pid 156] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Mar 23 18:03:02.926508 2023] [mpm_prefork:notice] [pid 156] AH00163: Apache/2.4.55 (Unix) OpenSSL/1.1.1s configured -- resuming normal operations
[Thu Mar 23 18:03:02.926805 2023] [core:notice] [pid 156] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Mar 23 18:07:12.757978 2023] [mpm_prefork:notice] [pid 156] AH00163: Apache/2.4.55 (Unix) OpenSSL/1.1.1s configured -- resuming normal operations
[Thu Mar 23 18:07:12.758135 2023] [core:notice] [pid 156] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Mar 23 18:16:00.591978 2023] [mpm_prefork:notice] [pid 156] AH00163: Apache/2.4.55 (Unix) OpenSSL/1.1.1s configured -- resuming normal operations
[Thu Mar 23 18:16:00.592155 2023] [core:notice] [pid 156] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

Please paste them here (surround with three backticks (```) for readability.

You can also turn on User Debugging under Administration->Globals->Logging User Debugging Options=>All

1 Like
#2

I don’t see any system/Patient.write scopes in your scopes request. Your registered client needs the scope and your client_credentials grant request needs the scope as well if you want to be able to do a write to the endpoint.

1 Like
#3

Hi Stephen , thanks you so much for replying in such short notice. I tried registering another api client by adding the system/Patient.write scope as you suggested, but I am getting 400 Bad Request with response:

{
    "error": "invalid_scope",
    "error_description": "The requested scope is invalid, unknown, or malformed",
    "hint": "Check the `system/Patient.write` scope",
    "message": "The requested scope is invalid, unknown, or malformed"
}

Do you know, what I may have done wrong ?

1 Like
#4

My apologies Saurav, it should be system/patient.write as only the standard api (not FHIR) has support for writing to the patient endpoint. The FHIR endpoint is the one that uses the capitalized Patient and that is currently not supported right now.

#5

Thanks Stepthen, I decided to go with Password grant, I was able to use the user/patient.write (I think) scope for FHIR post request.