Hi Team,
When I apply the API Client, I select all scope but system/*,
I can authorize with Swagger, and try FHIR API.
But all Standard APIs return a 401 Error: Unauthorized.
Here is the response:
Do you know what I am missing?
What scopes did you register with for your client application? If you only registered with FHIR scopes you will get the response you are seeing. Note the frontend admin page only allows registration of FHIR scopes, there’s an outstanding feature request to enhance the page to allow the older ‘standard’ api scopes that OpenEMR used prior to FHIR.
Scopes of the API Client
Thank you for reply.
If the frontend admin page only allows registration of FHIR scopes,
how do I get a registration for using the standard API?
I am also facing the same issue in Swagger. I can create an access token and run the FHIR APIs, but get a 401 Unauthorised error when trying to run the Standard or Patient Portal APIs. I have selected all the scopes while generating the access token but the result is the same. How can I use the standard and patient portal APIs?
The GUI program for client registration is just calling the OAuth2 registration endpoint using javascript. You can register directly using curl, postman, whatever tool you want. Here is the documentation:
Look at the scopes to see standard / patient portal api access:
Hi Stephen, as per the documentation, I selected the below scopes:
Scopes for /api/patient would be (this is off the top of my head):
Patient user:
openid api:oemr api:port api:fhi email patient/patient.read
Clinician/Admin user:
openid api:oemr api:fhi email user/patient.read
Are you doing this against a system where you can access the PHP logs? If so, set Admin → Config → Logging → System Error Logging Options to Debug Error Logging.
Hi Stephen,
I have enabled debug logging and in the error log file, I am seeing the below entry:
[Wed Feb 12 16:11:05.366085 2025] [php:notice] [pid 283505] [client 192.168.96.1:53680] [2025-02-12T10:41:05.366074+00:00] OpenEMR.DEBUG: RestConfig::scope_check scope not in access token {"scope":"user/patient.read","scopes_granted":["openid","api:fhir","api:oemr","user/Patient.read","site:default"]} , referer: https://openemr.local/swagger/
I think it says it already has the scope user/patient.read which it requires, but still it is causing the error 401 unauthorised. Please can you suggest what could be the issue here. If you want I can provide you all the log entries which were generated by this API call (for GET /api/patient) from swagger.
No, it's saying your access token only has the user/Patient.read scope, NOT the user/patient.read scope (note the capitalization difference).
One of two things happened: 1) you didn't provide the scope in your initial registration request, or 2) you didn't send the scope as part of your initial Swagger request (you have to check the scope in the checkbox when you do the Swagger authorization grant flow).
You can see what scopes your app has when you first registered the app. In Admin → System → API Clients you can go and look at your registration and see what scopes you have registered.
If the user/patient.read scope is listed there, then make sure you are selecting the user/patient.read scope when you first authorize swagger.
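The scope check Stephen describes is an exact string comparison, so the log line above is easiest to read by pulling its JSON payload out and testing the required scope against the granted list the same way. The following Python is an added example, not OpenEMR's own code; it parses a constructed copy of the log line from this thread (including the curly quotes the forum substituted for `"`, which `json.loads` would otherwise reject) and reports both the strict result and any granted scope that differs only in case.

```python
import json

# Constructed sample, shortened from the scope_check line posted earlier in this
# thread. The curly quotes are deliberate: that is how the log was pasted.
SAMPLE_LOG_LINE = (
    '[Wed Feb 12 16:11:05.366085 2025] [php:notice] [pid 283505] '
    '[client 192.168.96.1:53680] [2025-02-12T10:41:05.366074+00:00] '
    'OpenEMR.DEBUG: RestConfig::scope_check scope not in access token '
    '{“scope”:“user/patient.read”,“scopes_granted”:[“openid”,“api:fhir”,'
    '“api:oemr”,“user/Patient.read”,“site:default”]} , referer: https://openemr.local/swagger/'
)

# Map typographic quotes back to the ASCII quotes JSON requires.
_CURLY_QUOTES = str.maketrans({'“': '"', '”': '"', '‘': "'", '’': "'"})

MARKER = 'scope_check scope not in access token '


def parse_scope_check(line):
    """Extract (required_scope, granted_scopes) from a RestConfig::scope_check
    debug line. Returns None for lines that are not scope_check denials."""
    start = line.find(MARKER)
    if start < 0:
        return None
    payload = line[start + len(MARKER):]
    # The JSON object ends at the last '}' before the ' , referer:' suffix.
    payload = payload[:payload.rfind('}') + 1].translate(_CURLY_QUOTES)
    data = json.loads(payload)
    return data['scope'], list(data['scopes_granted'])


def diagnose(required, granted):
    """Apply the same exact (case-sensitive) membership test the server uses,
    and list granted scopes that match only when case is ignored."""
    if required in granted:
        return {'granted': True, 'near_miss': []}
    near_miss = [s for s in granted if s.lower() == required.lower()]
    return {'granted': False, 'near_miss': near_miss}


if __name__ == '__main__':
    required, granted = parse_scope_check(SAMPLE_LOG_LINE)
    result = diagnose(required, granted)
    print(f'required {required!r}: granted={result["granted"]}')
    for s in result['near_miss']:
        print(f'  token carries {s!r}, which differs only in case')
```

Run against the thread's log line it reports that `user/patient.read` is absent while `user/Patient.read` is present, which is exactly the capitalization mismatch Stephen points out: the standard API scopes are lowercase resource names, the FHIR scopes are capitalized, and the access token must carry the lowercase one.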
Hi Stephen,
As you mentioned the case difference in the patient/patient.read scopes, I checked again by registering a new app. The issue I see on my end is that on the App Registration screen I see only patient/Patient.read, and there is no patient/patient.read checkbox to check. When I checked the Swagger Authorizations screen, I found both patient scopes (in both cases). So I checked all scopes on both screens, then got an access token and tried running the GET /api/patient API in Swagger. The result is still the same; it gives the same error in the log file as below:
[Thu Feb 13 12:17:48.571796 2025] [php:notice] [pid 216969] [client 192.168.96.1:54849] [2025-02-13T06:47:48.571769+00:00] OpenEMR.DEBUG: RestConfig::scope_check scope not in access token {"scope":"user/patient.read","scopes_granted":["openid","offline_access","launch/patient","api:fhir","patient/AllergyIntolerance.read","patient/Appointment.read","patient/Binary.read","patient/CarePlan.read","patient/CareTeam.read","patient/Condition.read","patient/Coverage.read","patient/Device.read","patient/DiagnosticReport.read","patient/DocumentReference.read","patient/DocumentReference.$docref","patient/Encounter.read","patient/Goal.read","patient/Immunization.read","patient/Location.read","patient/Medication.read","patient/MedicationRequest.read","patient/Observation.read","patient/Organization.read","patient/Patient.read","patient/Person.read","patient/Practitioner.read","patient/Procedure.read","patient/Provenance.read","system/AllergyIntolerance.read","system/Binary.read","system/CarePlan.read","system/CareTeam.read","system/Condition.read","system/Coverage.read","system/Device.read","system/DiagnosticReport.read","system/DocumentReference.read","system/DocumentReference.$docref","system/Encounter.read","system/Goal.read","system/Group.read","system/Immunization.read","system/Location.read","system/Medication.read","system/MedicationRequest.read","system/Observation.read","system/Organization.read","system/Patient.read","system/Person.read","system/Practitioner.read","system/PractitionerRole.read","system/Procedure.read","system/Provenance.read","user/AllergyIntolerance.read","user/Binary.read","user/CarePlan.read","user/CareTeam.read","user/Condition.read","user/Coverage.read","user/Device.read","user/DiagnosticReport.read","user/DocumentReference.read","user/DocumentReference.$docref","user/Encounter.read","user/Goal.read","user/Immunization.read","user/Location.read","user/Medication.read","user/MedicationRequest.read","user/Observation.read","user/Organization.read","user/Organization.write","user/Patient.read","user/Patient.write","user/Person.read","user/Practitioner.read","user/Practitioner.write","user/PractitionerRole.read","user/Procedure.read","user/Provenance.read","api:oemr","api:port","site:default"]} , referer: https://openemr.local/swagger/
It looks like the problem is the missing scope, patient/patient.read (in lower case), on the App Registration screen. How can I add it there? Then maybe it will allow access. The same is the case with POST /api/patient, where the lower-case patient.write is not showing.
Earlier in this thread I cover this very issue. You will see that you cannot use the GUI to register for the standard scopes. That GUI was initially provided to handle FHIR-only applications; it has not been modified to support the non-FHIR API, which was built before FHIR.
You will have to use Postman/Insomnia/curl or some other tool to make the HTTP request to do the registration. How to do a curl request for that is in the openemr/openemr/blob/master/API_README.md#registration link I posted earlier in the thread.
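As an added illustration of the registration step Stephen refers to (this is example code, not from OpenEMR or its API_README), the script below builds an OAuth2 dynamic client registration request that lists the lower-case standard API scopes alongside the FHIR ones, optionally sends it, and then checks the server's registration response for every scope that was asked for. The endpoint path `/oauth2/default/registration` and the field names (`application_type`, `redirect_uris`, `post_logout_redirect_uris`, `client_name`, `token_endpoint_auth_method`, `contacts`, `scope`) are written from memory of OpenEMR's registration documentation and should be verified against the API_README for your version; the base URL, client name and redirect URI are placeholders.

```python
import json
import urllib.request

# Placeholder values; replace with your own instance and application details.
BASE_URL = 'https://openemr.local'          # assumed instance URL
CLIENT_NAME = 'Example Standard API Client'  # assumed
REDIRECT_URI = 'https://client.example.org/callback'  # assumed

# Scopes for a clinician/admin app that needs both FHIR and the older standard
# API. Note the lower-case resource names on the standard API scopes: the
# server compares scope strings exactly, so user/Patient.read does not
# satisfy a check for user/patient.read.
REQUESTED_SCOPES = [
    'openid', 'offline_access', 'api:oemr', 'api:fhir', 'api:port',
    'user/Patient.read',    # FHIR Patient resource
    'user/patient.read',    # standard /api/patient GET
    'user/patient.write',   # standard /api/patient POST
]


def build_registration_request(base_url, client_name, redirect_uri, scopes):
    """Return (url, body) for an RFC 7591-style registration request.
    Field names follow OpenEMR's documented registration body (assumed here)."""
    body = {
        'application_type': 'private',
        'redirect_uris': [redirect_uri],
        'post_logout_redirect_uris': [redirect_uri],
        'client_name': client_name,
        'token_endpoint_auth_method': 'client_secret_post',
        'contacts': ['admin@example.org'],  # placeholder contact
        # RFC 7591 carries scopes as one space-separated string.
        'scope': ' '.join(scopes),
    }
    return base_url.rstrip('/') + '/oauth2/default/registration', body


def missing_scopes(requested, registered_scope_string):
    """Exact-match comparison of what was asked for against the 'scope' value
    the server echoes back; anything listed here was silently dropped."""
    registered = set(registered_scope_string.split())
    return [s for s in requested if s not in registered]


def register(url, body):
    """POST the registration and return the decoded JSON response.
    Network call; not exercised by the tests."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={'Content-Type': 'application/json'}, method='POST')
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == '__main__':
    url, body = build_registration_request(
        BASE_URL, CLIENT_NAME, REDIRECT_URI, REQUESTED_SCOPES)
    print('POST', url)
    print(json.dumps(body, indent=2))
    # Uncomment to actually register against your instance:
    # response = register(url, body)
    # print('client_id:', response.get('client_id'))
    # print('not granted:', missing_scopes(REQUESTED_SCOPES, response.get('scope', '')))
```

The `missing_scopes` check is the part worth keeping around: a registration can succeed while quietly returning a narrower `scope` than requested, and catching that at registration time is cheaper than reading `RestConfig::scope_check` denials out of the PHP log later.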
Thanks Stephen, I have used curl to register with the required scopes and now I am able to run the access token for the standard and standard-patient APIs also.