Do you use or administer OpenEMR? Take the General Satisfaction Survey to help improve the product

How to assign system/*.$export scope

How does one add this scope? I tried adding it to the scope like this: system/*.$export while registering a client but get an invalid scope error.

{
    "error": "invalid_scope",
    "error_description": "The requested scope is invalid, unknown, or malformed",
    "hint": "Check the `system/*.$export` scope",
    "message": "The requested scope is invalid, unknown, or malformed"
}

Thanks.

hi @benmarte, do you need to escape the *?

system/\*.$export

Hi @stephenwaite I did as you suggested and still get an error:

{
    "error": "invalid_scope",
    "error_description": "The requested scope is invalid, unknown, or malformed",
    "hint": "Check the `system/\\*.$export` scope",
    "message": "The requested scope is invalid, unknown, or malformed"
}

ok, looking at the recent commit sounds like a bug

@benmarte Have you enabled the Enable OpenEMR FHIR System Scopes (Recommended Off, Turn on only if you know what you are doing) flag. It’s in Globals -> Connectors.

System scopes are turned off by default in OpenEMR.

@adunsulag I do not see that setting anywhere on the connectors page

Any other ideas? Thanks.

What version of OpenEMR are you running against? Is this the master branch or the 6.0 release? That screenshot looks like the 6.0 release.

The FHIR system scopes are in the master branch (ie latest dev environment). I believe they will go out in the next patch, but not sure when @brady.miller is releasing it.

No this is the actual 6.0.0 release so that’s why it most likely does not work, thanks.

I’m not sure we’ve decided if some of the newer API stuff is coming back to a patch.
I think we should but @brady.miller may have some concerns i’m unaware.
If we’re voting then put me down for yes. I suppose it will depend if we have to do any builds etc.

No worries, I pulled down the latest version of the repo and I see the checkbox @adunsulag is referring to and when I add the system/*$.export to the scope I get this error now.

{
    "error": "invalid_client_metadata",
    "error_description": "jwks is invalid",
    "message": "jwks is invalid"
}

It looks like it needs a web token or something.

This is what my json for registration looks like:

{
    "application_type": "private",
    "redirect_uris": [
        "http://localhost:3000"
    ],
    "post_logout_redirect_uris": [
        "http://localhost:3000"
    ],
    "initiate_login_uri": "http://localhost:3000",
    "client_name": "external-web-app",
    "token_endpoint_auth_method": "client_secret_post",
    "username": "admin",
    "password": "pass",
    "scope": "openid email phone address api:oemr api:fhir api:port launch system/*.$export"
}

Thanks.

As this is a client grant you will need to provide a url for server to grab the clients(distant) jwk to verify signatures/client.
I believe this is documented in the api readme.

Ben look at this example on how to setup and use the JWKs

1 Like