How to assign system/*.$export scope

How does one add this scope? I tried adding it to the scope like this: system/*.$export while registering a client but get an invalid scope error.

{
    "error": "invalid_scope",
    "error_description": "The requested scope is invalid, unknown, or malformed",
    "hint": "Check the `system/*.$export` scope",
    "message": "The requested scope is invalid, unknown, or malformed"
}

Thanks.

hi @benmarte, do you need to escape the *?

system/\*.$export

Hi @stephenwaite I did as you suggested and still get an error:

{
    "error": "invalid_scope",
    "error_description": "The requested scope is invalid, unknown, or malformed",
    "hint": "Check the `system/\\*.$export` scope",
    "message": "The requested scope is invalid, unknown, or malformed"
}

ok, looking at the recent commit sounds like a bug

@benmarte Have you enabled the Enable OpenEMR FHIR System Scopes (Recommended Off, Turn on only if you know what you are doing) flag. It’s in Globals -> Connectors.

System scopes are turned off by default in OpenEMR.

@adunsulag I do not see that setting anywhere on the connectors page

Any other ideas? Thanks.

What version of OpenEMR are you running against? Is this the master branch or the 6.0 release? That screenshot looks like the 6.0 release.

The FHIR system scopes are in the master branch (ie latest dev environment). I believe they will go out in the next patch, but not sure when @brady.miller is releasing it.

No this is the actual 6.0.0 release so that’s why it most likely does not work, thanks.

I’m not sure we’ve decided if some of the newer API stuff is coming back to a patch.
I think we should but @brady.miller may have some concerns I'm unaware of.
If we’re voting then put me down for yes. I suppose it will depend if we have to do any builds etc.

No worries, I pulled down the latest version of the repo and I see the checkbox @adunsulag is referring to and when I add the system/*$.export to the scope I get this error now.

{
    "error": "invalid_client_metadata",
    "error_description": "jwks is invalid",
    "message": "jwks is invalid"
}

It looks like it needs a web token or something.

This is what my json for registration looks like:

{
    "application_type": "private",
    "redirect_uris": [
        "http://localhost:3000"
    ],
    "post_logout_redirect_uris": [
        "http://localhost:3000"
    ],
    "initiate_login_uri": "http://localhost:3000",
    "client_name": "external-web-app",
    "token_endpoint_auth_method": "client_secret_post",
    "username": "admin",
    "password": "pass",
    "scope": "openid email phone address api:oemr api:fhir api:port launch system/*.$export"
}

Thanks.

As this is a client grant you will need to provide a URL for the server to grab the client's (distant) JWK to verify signatures/client.
I believe this is documented in the api readme.

Ben look at this example on how to setup and use the JWKs

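As an added illustration (not code from the thread or from OpenEMR), the check below shows what a server-side "jwks is invalid" rejection is typically looking for in a client-published JWKS, and how the registration JSON from the thread changes once the client authenticates with a JWT instead of a secret. The sample key bytes, the jwks_uri, the RS384 requirement and the private_key_jwt auth method are assumptions taken from the SMART Backend Services profile, not from the page.

```python
import base64

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(value: str) -> bytes:
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

# Constructed sample JWKS: the modulus bytes are placeholders with the length of a
# 2048-bit key, not a real key. A real client publishes its actual public key here.
SAMPLE_JWKS = {"keys": [{
    "kty": "RSA", "kid": "backend-app-key-1", "use": "sig", "alg": "RS384",
    "n": _b64url(b"\x01" * 256), "e": _b64url(b"\x01\x00\x01"),
}]}

# JWK members that belong only to the private key; publishing them leaks the key.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

def jwks_problems(jwks) -> list:
    """Return the reasons a JWKS would be rejected; an empty list means it looks valid."""
    keys = jwks.get("keys") if isinstance(jwks, dict) else None
    if not isinstance(keys, list) or not keys:
        return ["'keys' must be a non-empty list"]
    problems = []
    for i, key in enumerate(keys):
        if not isinstance(key, dict) or key.get("kty") != "RSA":
            problems.append(f"key {i}: kty must be RSA for an RS384 signature (assumed)")
            continue
        for field in ("kid", "n", "e"):
            if not key.get(field):
                problems.append(f"key {i}: missing '{field}'")
        leaked = PRIVATE_MEMBERS.intersection(key)
        if leaked:
            problems.append(f"key {i}: private members {sorted(leaked)} must not be published")
        if key.get("n"):
            try:
                if len(_b64url_decode(key["n"])) < 256:
                    problems.append(f"key {i}: modulus shorter than 2048 bits")
            except ValueError:
                problems.append(f"key {i}: 'n' is not base64url")
    return problems

def registration_request(jwks_uri: str, scope: str) -> dict:
    """Registration metadata for a backend client (assumed shape; mirrors the thread's JSON)."""
    return {
        "application_type": "private",
        "client_name": "external-web-app",
        "token_endpoint_auth_method": "private_key_jwt",  # assumption: JWT client assertion
        "jwks_uri": jwks_uri,  # hypothetical URL the server fetches the public key from
        "scope": scope,
    }
```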