How to integrate OpenEMR with Keycloak for user authentication?

I have attempted to integrate OpenEMR with Keycloak for user authentication. Could anyone guide me through this process? Are there any plugins, custom settings or modules available for integration?

Hello @Larancy_T welcome to the forum and the OpenEMR community!
As it happens your very question has been asked, and answered, a few times before in this forum.
One forum tool that many people get great results with is the search tool to find other similar posts.
Good luck!

  • Harley

Hello @htuck. I have the same issue as @Larancy_T and I looked in the other topics but I can’t find any solution. It all comes down to using the league oauth2 server that is included with the project as far as I can see.

We use Keycloak to authenticate users and generate the JWT access tokens. We want to use that access token to verify access to the REST endpoints in OpenEMR. The problem, as far as I can see, is that the JWT tokens are verified by the league oauth2 server in OpenEMR, and that server has no knowledge of Keycloak. It verifies the access token with its own public key file, which is of course different from the Keycloak one.

The only thing I can think of to fix that would be to override the CryptKey class to retrieve the public key from the Keycloak JWK URL instead of a key file, and the BearerTokenValidator class to verify whether the token is revoked in Keycloak.

But maybe there is another solution that I’m missing, or I didn’t understand the explanation in the other topics.

Maybe you have some other pointers :wink:

Kind regards.

Hi @jph - welcome to the community!
I confess my post was more about showing people the benefits of searching the forum for answers than presenting myself as knowledgeable on Keycloak. In fact, I don’t know anything about Keycloak but I constantly see people posting questions that have been asked and answered before.

In fact so many of the questions that are asked are so common that I’m always surprised people get past the preliminary topic creation form where the dialog presents other forum posts similar to the new one:
[Screenshot (2023-10-24): the new-topic form listing similar existing forum posts]

So anyway, I guess my big message here is: think of other ways to ask your question, then use the search tool to see if it’s been answered already.

Best of luck - Harley

Are you planning on using this in a setting where you need US ONC certification? I ask because these pieces of code, if modified, require recertification. If it doesn’t apply to you, no problem.

Are you generating refresh tokens in addition to access tokens? How are you handling scope authorizations with what is available in OpenEMR?

If you are going to modify core files, the OpenEMR\Common\Auth\OpenIDConnect\Repositories\AccessTokenRepository file is where I’d modify, as the isAccessTokenRevokedInDatabase method is what gets called in our api handlers for token validation.

@htuck, no problem. I always try to make sure to find the answer before.

@adunsulag, no, we don’t need US ONC certification. We plan to use OpenEMR in our infrastructure as a service, where we mainly use the APIs. For this we want to use JWT tokens that are given out by Keycloak. Basically, in OpenEMR we just want a bearer-only validator where we validate the JWT token against the public key and check whether access has been revoked in Keycloak.

So I think my original hunch of overriding the CryptKey and BearerTokenValidator seems like the way to go here, but to be sure I’m asking if there are any caveats or other approaches I’m not seeing.