Situation
I’m having trouble authenticating using OAuth with “user/” scopes using Swagger.
Steps to reproduce:
- Go to Admin > Globals > Connectors and check “Enable OpenEMR Standard FHIR REST API”, “Enable OpenEMR FHIR System Scopes (Turn on only if you know what you are doing)”, and “Enable OpenEMR Standard REST API”.
- Go to Admin > System > API Clients and click “Register New App”
- Select “Confidential” and “Multiple Patients Application”. Enter App Name = “App”, Contact Email = “contact@foo.com”, App Redirect URI = “https://my-site/swagger/oauth2-redirect.html”, App Launch URI = blank, App Logout URI = blank
- Select all scopes
- Click “Submit”
- Open https://my-site/swagger in a new tab
- Click “Authorize”
- Copy the client ID and client secret from the app registration tab into client_id and client_secret inputs
- Select scopes openid, offline_access, api:oemr, and user/patient.read
- A new tab opens, enter your admin login and click “OpenEMR Login”
- Click “Authorize”
Expected: Swagger is logged in
Actual: Swagger shows the error: “Auth Error Error: Unauthorized, error: invalid_client, description: Client authentication failed”
Logs:
[Fri Jan 13 18:57:00.719222 2023] [php:notice] [pid 38] [client 10.106.0.4:28817] [2023-01-13T18:57:00.719171+00:00] OpenEMR.DEBUG: ClientRepository->getClientEntity() client found {"client":{"client_name":"app","redirect_uri":"https://my-site/swagger/oauth2-redirect.html","is_confidential":"1"}} [], referer: https://my-site/swagger/
[Fri Jan 13 18:57:00.722592 2023] [php:notice] [pid 38] [client 10.106.0.4:28817] [2023-01-13T18:57:00.722539+00:00] OpenEMR.ERROR: OpenEMR\\Common\\Auth\\OpenIDConnect\\Grant\\CustomAuthCodeGrant->validateClient() client returned was not enabled {"client":"zsDKyU75TpiI8nk3XUI9kWGqARQEtYsd6PH5eisPCbo"} [], referer: https://my-site/swagger/
[Fri Jan 13 18:57:00.723278 2023] [php:notice] [pid 38] [client 10.106.0.4:28817] [2023-01-13T18:57:00.723222+00:00] OpenEMR.DEBUG: AuthorizationController->oauthAuthorizeToken() OAuthServerException occurred {"hint":"","message":"Client authentication failed","stack":"#0 /var/www/localhost/htdocs/openemr/src/Common/Auth/OpenIDConnect/Grant/CustomAuthCodeGrant.php(103): League\\\\OAuth2\\\\Server\\\\Exception\\\\OAuthServerException::invalidClient()\\n#1 /var/www/localhost/htdocs/openemr/vendor/league/oauth2-server/src/Grant/AuthCodeGrant.php(106): OpenEMR\\\\Common\\\\Auth\\\\OpenIDConnect\\\\Grant\\\\CustomAuthCodeGrant->validateClient()\\n#2 /var/www/localhost/htdocs/openemr/vendor/league/oauth2-server/src/AuthorizationServer.php(204): League\\\\OAuth2\\\\Server\\\\Grant\\\\AuthCodeGrant->respondToAccessTokenRequest()\\n#3 /var/www/localhost/htdocs/openemr/src/RestControllers/AuthorizationController.php(1068): League\\\\OAuth2\\\\Server\\\\AuthorizationServer->respondToAccessTokenRequest()\\n#4 /var/www/localhost/htdocs/openemr/oauth2/authorize.php(73): OpenEMR\\\\RestControllers\\\\AuthorizationController->oauthAuthorizeToken()\\n#5 {main}"} [], referer: https://my-site/swagger/
Note that these steps work without error when only the scopes “openid”, “fhirUser”, “offline_access”, and “api:oemr” are used. It’s only when “user/” scopes are included that the error occurs.
OpenEMR Version
I’m using OpenEMR version 7.0.0 (running in Docker)
Browser:
I’m using: Brave
Operating System
I’m using: OS X
Logs
(See above)
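As an added example (not code from the original post or from OpenEMR), a small Python parser for the Apache/Monolog log lines quoted above: it extracts each record's level, message and JSON context, and maps the generic invalid_client error that Swagger displays back to the server-side reason recorded in the log. The sample log is the three lines from the report, with the stack trace in the third line shortened.

```python
import json
import re

# Constructed sample: the three Apache/PHP log lines quoted in the report, with the
# stack trace in the third line cut down to its first frame to keep the sample short.
SAMPLE_LOG = r"""
[Fri Jan 13 18:57:00.719222 2023] [php:notice] [pid 38] [client 10.106.0.4:28817] [2023-01-13T18:57:00.719171+00:00] OpenEMR.DEBUG: ClientRepository->getClientEntity() client found {"client":{"client_name":"app","redirect_uri":"https://my-site/swagger/oauth2-redirect.html","is_confidential":"1"}} [], referer: https://my-site/swagger/
[Fri Jan 13 18:57:00.722592 2023] [php:notice] [pid 38] [client 10.106.0.4:28817] [2023-01-13T18:57:00.722539+00:00] OpenEMR.ERROR: OpenEMR\\Common\\Auth\\OpenIDConnect\\Grant\\CustomAuthCodeGrant->validateClient() client returned was not enabled {"client":"zsDKyU75TpiI8nk3XUI9kWGqARQEtYsd6PH5eisPCbo"} [], referer: https://my-site/swagger/
[Fri Jan 13 18:57:00.723278 2023] [php:notice] [pid 38] [client 10.106.0.4:28817] [2023-01-13T18:57:00.723222+00:00] OpenEMR.DEBUG: AuthorizationController->oauthAuthorizeToken() OAuthServerException occurred {"hint":"","message":"Client authentication failed","stack":"#0 /var/www/localhost/htdocs/openemr/src/Common/Auth/OpenIDConnect/Grant/CustomAuthCodeGrant.php(103): League\\\\OAuth2\\\\Server\\\\Exception\\\\OAuthServerException::invalidClient()\\n#5 {main}"} [], referer: https://my-site/swagger/
""".strip()

# Apache error-log prefix, then a Monolog record "channel.LEVEL: message {context} [extra]",
# optionally followed by Apache's ", referer: <url>" suffix.
LINE_RE = re.compile(
    r"^\[(?P<apache_ts>[^\]]+)\] \[php:(?P<php_level>\w+)\] \[pid (?P<pid>\d+)\] "
    r"\[client (?P<peer>[^\]]+)\] \[(?P<ts>[^\]]+)\] "
    r"(?P<channel>\w+)\.(?P<level>\w+): (?P<body>.*?)"
    r"(?: \[\])?(?:, referer: (?P<referer>\S+))?$"
)

def parse_line(line):
    """Return one parsed record (dict) or None if the line is not an OpenEMR log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    message, context = body, {}
    brace = body.find(" {")  # Monolog appends the JSON context after the message text
    if brace != -1:
        message, context = body[:brace], json.loads(body[brace + 1:])
    return {"ts": m.group("ts"), "peer": m.group("peer"), "level": m.group("level"),
            "message": message, "context": context, "referer": m.group("referer")}

def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]

def diagnose(records):
    """Map the generic 'invalid_client' the client sees to the server-side reason logged."""
    found = [r for r in records if "client found" in r["message"]]
    name = found[0]["context"]["client"].get("client_name") if found else None
    for r in records:
        if "client returned was not enabled" in r["message"]:
            return {"cause": "client_not_enabled", "client_id": r["context"].get("client"),
                    "client_name": name}
    for r in records:
        if "OAuthServerException occurred" in r["message"]:
            return {"cause": "other", "message": r["context"].get("message"), "client_name": name}
    return {"cause": "none", "client_name": name}
```

Run over a real error log, `diagnose(parse_log(...))` turns the opaque “Client authentication failed” shown in Swagger into the concrete check that rejected the client, together with the client id and registered name involved.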