Getting Error While Calling the Authorization Code Grant

Rajaram_Selvan · March 19, 2021, 8:56am

Hi Brady(@brady.miller)
I am new to OpenEMR (Using Version6),
Currently i’m using the OpenEMR for my clients based on this Github link Documentation

github.com

openemr/openemr/blob/master/API_README.md

# OpenEMR REST API Documentation

## REST API Table of Contents
- [Overview](API_README.md#overview)
- [Prerequisite](API_README.md#prerequisite)
- [Using API Internally](API_README.md#using-api-internally)
- [Multisite Support](API_README.md#multisite-support)
- [Authorization](API_README.md#authorization)
    - [Scopes](API_README.md#scopes)
    - [Registration](API_README.md#registration)
        - [SMART on FHIR Registration](API_README.md#smart-on-fhir-registration)
    - [Authorization Code Grant](API_README.md#authorization-code-grant)
    - [Refresh Token Grant](API_README.md#refresh-token-grant)
    - [Password Grant](API_README.md#password-grant)
    - [Client Credentials Grant](API_README.md#client-credentials-grant)
    - [Logout](API_README.md#logout)
    - [OpenID Connect](API_README.md#openid-connect)
    - [More Details](API_README.md#more-details)
- [Standard API Documentation](API_README.md#standard-api-documentation)
- [Patient Portal API Documentation](API_README.md#patient-portal-api-documentation)

This file has been truncated. show original

and

I successfully completed the Registration API,
Here’s registration Request(note: post_logout_redirect_uris is optional):

curl -X POST -k -H ‘Content-Type: application/json’ -i https://openemr.probitycare.com/oauth2/default/registration --data ‘{
“application_type”: “private”,
“redirect_uris”:
[“https://demo.probitycare.com/signin/callback”],
“post_logout_redirect_uris”:
[“https://demo.probitycare.com/sign-out”],
“client_name”: “A Private App”,
“token_endpoint_auth_method”: “client_secret_post”,
“contacts”: [“rajaram@dreamguys.co.in”]
}’

Response

{“client_id”:“hMEe1W-a8K-fURlAaF5YXz78kPLz6QRNzKXqy_DQ1xg”,“client_secret”:“TUb1wZxIBN7_4LUuT217iSavMlSKYixEvpD8uHhasXo1pv-d1e4nTkaJK_98CxImrgyBa8sI0pdUpGCXPm9byg”,“registration_access_token”:“4-laGOxdHcqY1yR9Wd7mO_JQbwHze88zqcB13eEnSz0”,“registration_client_uri”:“https://openemr.probitycare.com//oauth2/default/client/WZ443DpxEnHSUBmwn_SERQ”,“client_id_issued_at”:1616075976,“client_secret_expires_at”:0,“client_role”:“user”,“contacts”:[“rajaram@dreamguys.co.in”],“application_type”:“private”,“client_name”:“A
Private App”,“redirect_uris”:[“https://demo.probitycare.com/signin/callback”],“post_logout_redirect_uris”:[“https://demo.probitycare.com/sign-out”],“token_endpoint_auth_method”:“client_secret_post”,“scope”:“openid offline_access api:oemr api:fhir
api:port user/allergy.read user/allergy.write user/appointment.read user/appointment.write user/dental_issue.read user/dental_issue.write user/document.read user/document.write user/drug.read user/encounter.read user/encounter.write user/facility.read
user/facility.write user/immunization.read user/insurance.read user/insurance.write user/insurance_company.read user/insurance_company.write user/insurance_type.read user/list.read user/medical_problem.read user/medical_problem.write user/medication.read
user/medication.write user/message.write user/patient.read user/patient.write user/practitioner.read user/practitioner.write user/prescription.read user/procedure.read user/soap_note.read user/soap_note.write user/surgery.read user/surgery.write
user/vital.read user/vital.write user/AllergyIntolerance.read user/CareTeam.read user/Condition.read user/Coverage.read user/Encounter.read user/Immunization.read user/Location.read user/Medication.read user/MedicationRequest.read user/Observation.read
user/Organization.read user/Organization.write user/Patient.read user/Patient.write user/Practitioner.read user/Practitioner.write user/PractitionerRole.read user/Procedure.read patient/encounter.read patient/patient.read patient/AllergyIntolerance.read
patient/CareTeam.read patient/Condition.read patient/Encounter.read patient/Immunization.read patient/MedicationRequest.read patient/Observation.read patient/Patient.read patient/Procedure.read”}

Next will be an authorization code or code grant type request:

curl -X GET -k -i ‘https://openemr.probitycare.com/oauth2/default/authorize?
response_type=code
&client_id=hMEe1W-a8K-fURlAaF5YXz78kPLz6QRNzKXqy_DQ1xg
&state=f20c0bd0c67ce665ebc1bcf9b8546e06
&scope=openid email phone address api:pofh api:fhir
&redirect_uri=https://demo.probitycare.com/signin/callback’

Response

I got the following Response,

Invalid URL:

https://openemr.probitycare.com/oauth2/default/authorize?
response_type=code
&client_id=hMEe1W-a8K-fURlAaF5YXz78kPLz6QRNzKXqy_DQ1xg
&state=f20c0bd0c67ce665ebc1bcf9b8546e06
&scope=openid email phone address api:pofh api:fhir
&redirect_uri=https://demo.probitycare.com/signin/callback

Please provide me the solution

Thanks & Regards,
Raja.s

RajM · March 19, 2021, 9:29am

Hi Rajaram(@Rajaram_Selvan ),

The tried the authorize url in the browser and it opens the login screen.

url: https://openemr.probitycare.com/oauth2/default/authorize?response_type=code&client_id=hMEe1W-a8K-fURlAaF5YXz78kPLz6QRNzKXqy_DQ1xg&state=f20c0bd0c67ce665ebc1bcf9b8546e06&scope=openid email phone address api:pofh api:fhir&redirect_uri=https://demo.probitycare.com/signin/callback

Note: Please also make sure you enable the API client under the Administration >> System >> Api Clients .

Thanks

Rajesh

Rajaram_Selvan · March 19, 2021, 9:43am

Hi Rajesh(@RajM )
I already enabled the API Clients.

Like you said,
I opened the link
https://openemr.probitycare.com/oauth2/default/provider/login

Enter the details like below

After that press OpenEMR Login button means,

I got the form like this, It doenst show any scopes,etc.

While click that Authorize button means its showing the Errors like below,

Please provide me the solution.

Thanks & Regards,
Raja.s

Rajaram_Selvan · March 19, 2021, 9:53am

Hi Rajesh(@RajM),

Got a code as Response in my Callback URL,

Thanks for the guidance

What is the next step i have to do

RajM · March 19, 2021, 10:04am

Hi Rajaram,

Please refer to the following post for the steps to be able to get a authorization token to access the Open EMR Api and FHIR Api. Please also note the reply by Braddy(@brady.miller) about scope for each resource that is required to be accessed.

Thanks,

Rajesh Maurya

Rajaram_Selvan · March 19, 2021, 10:56am

Hi Rajesh(@RajM),

While i calling the Access Token i’m getting the Bad Request Error like below,

Please provide me the solution.

Thanks,
Raja.s

Rajaram_Selvan · March 19, 2021, 1:04pm

Shall i have the sample curl call for the Access Token Generation. Because if i call the
https://openemr.probitycare.com/oauth2/default/token api with the following parapmeters,

grant_type : authorization_code,
client_id : hMEe1W-a8K-fURlAaF5YXz78kPLz6QRNzKXqy_DQ1xg
client_secret: 006FjHcnAMmthL7ceroXc40NDJ+3TqVhQOz1n0ALnxRdizkFhYST7c4U7C4PsCMqpx+LNqN+rBNXhb63xcFrKxQ+2F5AXgiCi+z0oXgl8REA3s2xNIYOdvrE4BBJwY5ok8C+0QkbQcUgFKCZdkZUi475o2AB3fWZrHyxtrvvrx8vB1cwYLktd2DxkiPns97pvXC+1ReD0PERkHbtWo2KAEZCw==
code : def502006f09ef2792d82ca091b4337796a8bf9561b1fa1115630a7e8e2d6aaff2a99bbb1b380fd7771c880b2aac07fa775d875342b547427587ce44461fd13d78d7099854f5594b838cc8601146922a869132ea2613022f338d889409cacd05e074dcadc9e2d96c9fdd8ec8535d03187906a05587cf95f571b354049367c36cd76b5c2381b0c3241f514b7262d06fe435b584700aba1e636d73fe4eb08f55e6e1bb0be14702d1e8027a00a7b3b2beada35cc3cafde98ed89b1c1da92f4cc17800c0238549400837f334f66bcbe245e3b2ccf6e03d48bcc58e2ced476d842e3d3bc613476cbbd9cf8ed2e4035ffc6e1c801f49157690bede8bf69fadd3fc811a52ab2ae725f5afe9a569b1eb9c02b8df6280a1a87ba83d0b77cbecbce64d360ba391f0f72f7fb19c9f07e1b0fcf450ea31053b390f1014ec879514c92cf9b5979fe422463b51908bc0bb2de103724ad020d5b89f8905ec208149442cf1567b6c1e9e5f1999541b30e991b7aca052a8ce17742e7127ccea85c16c2a6f9c7db6719c74f3dda3bfc7a0de86105c178bb2af7d0d3621bb0a7b5e43ad8d2273c62d795f7791a679d811fa9cd5c2bece021558269ecaf3120d8a4cec32a224c8bf7ba5981f1e011189c935d9cdbe3ea1b957e5943a725eb7090b6f0425b7f1b67069d082b84620386960ed903d180e3e2b6cf80409ac2feac826e4f07f2f06a02624ba4ce695901870add421afca94dc0f6a5b08d9ef74cdd173b7fd4d86fe8ed1646ae8620bda6becfc0c857d43848e5509c3826e03915a5579fcd316323e43488c09b90b3476e4d68639d110a459afa49fd151af9e25282ebe6b59264b305ca0b3497a007dfa301f3ae59bb2dade133802d7e153efe9b4f35a8ab8e61681f51148700d341ba266a04597f80ba1a2179bbb04aacd64471f09d64e66b5cac450e270da8deb862fcc61c574ca28d1c56470f7828d1417030296acfe3a5a103ee405356830f9ab40039fbcbcb1c6d045371d6593984587d01aebc116cdaebf2803e8ca25aa4d8d74fce94ae6fd5362bfad46d2457b0889a014b753222ba2e96f89209dea6db3c1e0eab1c6b3d6f120b57fd2c7130f4ab75f4ce490d581e485d2c82a1ca7b9fa2fdea7cf4fc479895d3b31f7f8269401f32f2ae84b6758a2533bd2491d01cd25b181b476033ac5f0f2bdc7555e65088e991495db388cbc8f0693931df630c408204d12faac3a1a10ceb82dd159f033a1425f82f6c069f0ed2cc58d145f6b3efdd463d2923a7a8b2bc21ccb1a0d931c03ae383c9c8dae10dd3de999217c4fbd2953bfcc9ee3386d7c0fdd134aa6e515520b501a5a37ff6212a952d3043f3d3b361fdc5f67ab4f8d66c6e7dee37350198d7cec3062495116fe4ac4dc078ea7605ac152cdeedf374742fe573dffb94fa7ab8bf5cec04ccb80cb0383d819105d6d4ced433f0064b257b12f2a8c3374d747c28cf2297430688e2eef8ab47bae87810738dfa843178c95d20db6ebd0a9aec94fb8333b34f69868435a1852d98b34dcef25f8e35808fb5fe40e5512a252a64ae666acd769cd606f9c48b186cd462ebb71fc1dd42a5efccf31feb786f3ffc8edbf5bf34c58e217&state=f20c0bd0c67ce665ebc1bcf9b8546e06
state : ab2e5882f5feb560e98269a3b6a9dc32 means i’m getting the following error

{

"error": "invalid_request",

"error_description": "Bad request",

“message”: “Bad request”

}

RajM · March 22, 2021, 8:04am

Hi Rajaram,

The request parameters etc look correct, not sure why you are getting a bad request.

The only time I could replicate the above error message was when there were no Api clients registered in the OpenEMR system which doesn’t seems to be your case.

I would suggest you check the php logs of you instance when you make the token request api call.

Thanks,
Rajesh

remorr25 · June 18, 2021, 11:32am

@Rajaram_Selvan Please tell me, from where you get this login details ?

Rajaram_Selvan · June 18, 2021, 11:55am

@remorr25 openemr/API_README.md at master · openemr/openemr · GitHub check this link

At first you have to create the client id and client secret id

curl -X POST -k -H ‘Content-Type: application/json’ -i https://localhost:9300/oauth2/default/registration --data ‘{
“application_type”: “private”,
“redirect_uris”:
[“https://client.example.org/callback”],
“post_logout_redirect_uris”:
[“https://client.example.org/logout/callback”],
“client_name”: “A Private App”,
“token_endpoint_auth_method”: “client_secret_post”,
“contacts”: [“me@example.org”, “them@example.org”],
“scope”: “openid offline_access api:oemr api:fhir api:port user/allergy.read user/allergy.write user/appointment.read user/appointment.write user/dental_issue.read user/dental_issue.write user/document.read user/document.write user/drug.read user/encounter.read user/encounter.write user/facility.read user/facility.write user/immunization.read user/insurance.read user/insurance.write user/insurance_company.read user/insurance_company.write user/insurance_type.read user/list.read user/medical_problem.read user/medical_problem.write user/medication.read user/medication.write user/message.write user/patient.read user/patient.write user/practitioner.read user/practitioner.write user/prescription.read user/procedure.read user/soap_note.read user/soap_note.write user/surgery.read user/surgery.write user/vital.read user/vital.write user/AllergyIntolerance.read user/CareTeam.read user/Condition.read user/Coverage.read user/Encounter.read user/Immunization.read user/Location.read user/Medication.read user/MedicationRequest.read user/Observation.read user/Organization.read user/Organization.write user/Patient.read user/Patient.write user/Practitioner.read user/Practitioner.write user/PractitionerRole.read user/Procedure.read patient/encounter.read patient/patient.read patient/AllergyIntolerance.read patient/CareTeam.read patient/Condition.read patient/Encounter.read patient/Immunization.read patient/MedicationRequest.read patient/Observation.read patient/Patient.read patient/Procedure.read”
}’

remorr25 · June 19, 2021, 6:16am

@Rajaram_Selvan I have generated client id and client secret id. I need authorization login details, so please tell me from where I can get that?

Thanks

remorr25 · June 19, 2021, 9:09am

Me also facing same issue.

mohit · June 23, 2021, 2:38pm

Hi,
I am facing the issue while registering the client through oauth.
I am using latest git code GitHub - openemr/openemr: OpenEMR is the most popular open source electronic health records and medical practice management solution. OpenEMR's goal is a superior alternative to its proprietary counterparts.

I am using CURl below
curl --location --request POST ‘https://localhost/openemrv2/oauth2/default/registration’ \

–header ‘Content-Type: application/json’ \

–data-raw '{

"application_type": "private",

"redirect_uris": [

    "https://openemr.localhost/openemr"

],

"post_logout_redirect_uris": [

    "https://openemr.localhost/openemr/logout"

],

"client_name": "adminlocalusemohit",

"token_endpoint_auth_method": "client_secret_post",

"username": "adminlocalusemohit",

"scope": "openid api:oemr api:fhir api:port api:pofh user/allergy.read user/allergy.write user/appointment.read user/appointment.write user/dental_issue.read user/dental_issue.write user/document.read user/document.write user/drug.read user/encounter.read user/encounter.write user/facility.read user/facility.write user/immunization.read user/insurance.read user/insurance.write user/insurance_company.read user/insurance_company.write user/insurance_type.read user/list.read user/medical_problem.read user/medical_problem.write user/medication.read user/medication.write user/message.write user/patient.read user/patient.write user/practitioner.read user/practitioner.write user/prescription.read user/procedure.read user/soap_note.read user/soap_note.write user/surgery.read user/surgery.write user/vital.read user/vital.write user/AllergyIntolerance.read user/CareTeam.read user/Condition.read user/Encounter.read user/Immunization.read user/Location.read user/Medication.read user/MedicationRequest.read user/Observation.read user/Organization.read user/Organization.write user/Patient.read user/Patient.write user/Practitioner.read user/Practitioner.write user/PractitionerRole.read user/Procedure.read patient/encounter.read patient/patient.read patient/Encounter.read patient/Patient.read"

}’

I am getting the reponse:-
{

"error": "server_error",

"error_description": "The authorization server encountered an unexpected condition which prevented it from fulfilling the request: Security error - problem with authorization server keys.",

"message": "The authorization server encountered an unexpected condition which prevented it from fulfilling the request: Security error - problem with authorization server keys."

}

can someone help me to register my client
Thanks

adunsulag · June 23, 2021, 5:06pm

What files are in your <openemr_installation_dir>/sites/default/documents/certificates/ folder. Is this an OpenEMR that you upgraded? Are you using the master branch or one of the release branches?

The two areas to check would be to make sure you have in that certificates folder two files: oaprivate.key and an oapublic.key. If the system can’t write the keys out to that folder you’ll need to change your folder permissions to allow the web service to have write access to that directory.

You also can get more detailed logs by changing your Administration -> Globals -> Logging -> System Error Logging Options to the debug setting.

mohit · June 24, 2021, 5:43am

Hi @adunsulag
Thanks for giving me answer

In my sites/default/documents/certificates/ folder is empty.
Yes this is OpenEMR that i upgraded.
Yes i ma using master branch.
When i enable system error logging option then no detail errors is shown.

Queries:-

oaprivate.key and oapublic.key this 2 file from where i generate because when i install OpenEMR this file is not generated.

can you help me please,
Thanks

adunsulag · June 24, 2021, 11:40am

Did you try changing the certificate folder permissions? Make sure your webserver user has write access to the folder. You should have the folder set to 755 to be able to write there.

I’m not sure why I’ve had to do this sometimes, but there are times when the key files fail to write out that I’ve had to clear the oauth2 private keys in the database. They are found in the keys table and you may need to delete the oauth2key and oauth2passphrase entries.

One thing I would mention is that I hope you are working off of master because you are doing development. If you are upgrading a production machine, its not a great idea to work off of master as there are lots of unstable features that could mess you up. I only mention this since you said you ‘upgraded’ this instance.

mohit · June 24, 2021, 12:59pm

Hi @adunsulag
Thanks for help me out
I am new in OpenEMR so can you please help me out in below points:-

There is no permission issue in folder because i am using windows environment.
When i check my key table then there are only oauth2key entry, there are no entry related oauth2passphrase. Can you help me how to generate oaprivate.key and oapublic.key.
One more thing which branch should i use to make development rather then master.
One more thing i am setup project over xampp and not using docker.

adunsulag · June 24, 2021, 1:18pm

@mohit

At this point your request should be a different forum post as its different than the original thread forum post. However, for others who come along, I’ll put some of the code you can look at since you’re a developer.

I don’t know the specifics of your issue, it still seems like a folder permission issue which can still happen on windows… but I’m assuming you’ve checked that and made sure you’re folder is set correctly.
I’m not sure why you have only the one key entry, but I would recommend deleting the oauth2key entry and the system will start over from scratch. The keys are generated when you make any oauth2 API request.
If you are trying to customize OpenEMR for yourself or another organization you should use one of the production release branches. The latest release branch is rel-600. If you want to contribute your code back to OpenEMR then master is just fine.
I’m not familiar with xampp so maybe someone else can help you with this issue. However, since you’re a developer you can also look at the code yourself and see if you can identify what’s going on in your environment. The relevant sections are:

The oauth2 flow starts in the authorize.php file.

That file calls the AuthorizationController’s __construct method which is where the key generation starts.

The actual keys are generated in the configKeyPairs() method.

Hope that helps. If you find out what’s going on please share back with the community. If there’s a bug happening on windows we would like to get it fixed.

mohit · June 24, 2021, 1:44pm

Hi @adunsulag
Thanks for Helpe me
I am try with the same and let you know if i am facing any issue.

mohit · June 25, 2021, 10:05am

Hi @adunsulag,
I am successfully able to register client with API.
For this i need to change some code in src/RestControllers/AuthorizationController.php
At configKeyPairs function in private key with below code
$keysConfig = [
“config” => “D:/Xampp-7.3.20/php/extras/openssl/openssl.cnf”,
‘private_key_bits’=> 2048,
‘default_md’ => “sha256”,
];
$keys = \openssl_pkey_new($keysConfig);

Now for this i am able to register oprivate.key abd **opublic.key ** in key table and not need to create file in sites/document/certificate folder.

But Can you help me one more thing
When i try to get token by API http://openemr.localhost/oauth2/default/token
then it will give me error below: -
The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.