Invalid_client error in OAuth authentication flow through Swagger when using user/ scopes

I’m having trouble authenticating using OAuth with “user/” scopes using Swagger.

Steps to reproduce:

  1. Go to Admin > Globals > Connectors and check “Enable OpenEMR Standard FHIR REST API”, “Enable OpenEMR FHIR System Scopes (Turn on only if you know what you are doing)”, and “Enable OpenEMR Standard REST API”.
  2. Go to Admin > System > API Clients and click “Register New App”
  3. Select “Confidential” and “Multiple Patients Application”. Enter App Name = “App”, Contact Email = “contact@foo.com”, App Redirect URI = https://my-site/swagger/oauth2-redirect.html, App Launch URI = blank, App Logout URI = blank
  4. Select all scopes
  5. Click “Submit”
  6. Open https://my-site/swagger in a new tab
  7. Click “Authorize”
  8. Copy the client ID and client secret from the app registration tab into client_id and client_secret inputs
  9. Select scopes openid, offline_access, api:oemr, and user/
  10. A new tab opens, enter your admin login and click “OpenEMR Login”
  11. Click “Authorize”

Expected: Swagger is logged in
Actual: Swagger shows the error: “Auth Error Error: Unauthorized, error: invalid_client, description: Client authentication failed”


[Fri Jan 13 18:57:00.719222 2023] [php:notice] [pid 38] [client] [2023-01-13T18:57:00.719171+00:00] OpenEMR.DEBUG: ClientRepository->getClientEntity() client found {"client":{"client_name":"app","redirect_uri":"https://my-site/swagger/oauth2-redirect.html","is_confidential":"1"}} [], referer: https://my-site/swagger/
[Fri Jan 13 18:57:00.722592 2023] [php:notice] [pid 38] [client] [2023-01-13T18:57:00.722539+00:00] OpenEMR.ERROR: OpenEMR\\Common\\Auth\\OpenIDConnect\\Grant\\CustomAuthCodeGrant->validateClient() client returned was not enabled {"client":"zsDKyU75TpiI8nk3XUI9kWGqARQEtYsd6PH5eisPCbo"} [], referer: https://my-site/swagger/
[Fri Jan 13 18:57:00.723278 2023] [php:notice] [pid 38] [client] [2023-01-13T18:57:00.723222+00:00] OpenEMR.DEBUG: AuthorizationController->oauthAuthorizeToken() OAuthServerException occurred {"hint":"","message":"Client authentication failed","stack":"#0 /var/www/localhost/htdocs/openemr/src/Common/Auth/OpenIDConnect/Grant/CustomAuthCodeGrant.php(103): League\\\\OAuth2\\\\Server\\\\Exception\\\\OAuthServerException::invalidClient()\\n#1 /var/www/localhost/htdocs/openemr/vendor/league/oauth2-server/src/Grant/AuthCodeGrant.php(106): OpenEMR\\\\Common\\\\Auth\\\\OpenIDConnect\\\\Grant\\\\CustomAuthCodeGrant->validateClient()\\n#2 /var/www/localhost/htdocs/openemr/vendor/league/oauth2-server/src/AuthorizationServer.php(204): League\\\\OAuth2\\\\Server\\\\Grant\\\\AuthCodeGrant->respondToAccessTokenRequest()\\n#3 /var/www/localhost/htdocs/openemr/src/RestControllers/AuthorizationController.php(1068): League\\\\OAuth2\\\\Server\\\\AuthorizationServer->respondToAccessTokenRequest()\\n#4 /var/www/localhost/htdocs/openemr/oauth2/authorize.php(73): OpenEMR\\\\RestControllers\\\\AuthorizationController->oauthAuthorizeToken()\\n#5 {main}"} [], referer: https://my-site/swagger/

Note that these steps work without error when only the scopes “openid”, “fhirUser”, “offline_access”, and “api:oemr” are used. It’s only when “user/” scopes are included that the error occurs.

OpenEMR Version
I’m using OpenEMR version 7.0.0 (running in Docker)

Browser
I’m using: Brave

Operating System
I’m using: OS X

(See above)

Check to make sure you enabled your app. If you are requesting user or system context permissions you have to enable your app from the api clients admin interface. Looking over your steps I see that step missing.

Even if you register your FHIR app as an admin, the app is disabled by default if it is a confidential app or requests more sensitive permissions. It’d be a nice improvement for someone to add to have the app auto-enabled if it’s an admin registering the app inside of OpenEMR. The tool uses the underlying openid-connect APIs, which are ignorant of the fact that you’re registering an app as an administrator already.
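The quoted log already names the cause (“client returned was not enabled”) before the generic invalid_client reaches Swagger. The following is an added triage helper, not code from the thread or from OpenEMR, that parses lines in the Apache/OpenEMR log format quoted above and pulls out the client id of each disabled-client failure; the sample lines and client id are constructed, and the parser assumes Apache doubles backslashes in error-log output.

```python
import json
import re
from typing import Optional

# Apache error-log prefix followed by the OpenEMR log record:
#   [apache ts] [php:notice] [pid N] [client ...] [iso ts] OpenEMR.LEVEL: message {json} [], referer: URL
LOG_RE = re.compile(
    r"^\[(?P<apache_ts>[^\]]+)\] \[php:\w+\] \[pid (?P<pid>\d+)\] \[client[^\]]*\] "
    r"\[(?P<ts>[^\]]+)\] OpenEMR\.(?P<level>[A-Z]+): (?P<message>.*?) "
    r"(?P<context>\{.*\}) \[\](?:, referer: (?P<referer>\S+))?$"
)

# Message OpenEMR writes when the OAuth client exists but is not enabled
# in Admin > System > API Clients (taken from the log quoted in this thread).
DISABLED_CLIENT_MARKER = "client returned was not enabled"

# Constructed sample lines in the same format as the thread's log; the client id is a placeholder.
SAMPLE_LINES = [
    '[Fri Jan 13 18:57:00.719222 2023] [php:notice] [pid 38] [client] '
    '[2023-01-13T18:57:00.719171+00:00] OpenEMR.DEBUG: ClientRepository->getClientEntity() client found '
    '{"client":{"client_name":"app","redirect_uri":"https://my-site/swagger/oauth2-redirect.html",'
    '"is_confidential":"1"}} [], referer: https://my-site/swagger/',
    '[Fri Jan 13 18:57:00.722592 2023] [php:notice] [pid 38] [client] '
    '[2023-01-13T18:57:00.722539+00:00] OpenEMR.ERROR: OpenEMR\\\\Common\\\\Auth\\\\OpenIDConnect\\\\Grant'
    '\\\\CustomAuthCodeGrant->validateClient() client returned was not enabled '
    '{"client":"CONSTRUCTED_CLIENT_ID"} [], referer: https://my-site/swagger/',
]


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; the JSON context is decoded after undoing Apache's escaping."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    raw_ctx = rec["context"].replace("\\\\", "\\")  # Apache writes '\' as '\\' in error logs
    try:
        rec["context"] = json.loads(raw_ctx)
    except json.JSONDecodeError:
        rec["context"] = {"_unparsed": raw_ctx}
    return rec


def find_disabled_clients(lines) -> list:
    """One finding per disabled-client failure: when it happened, which client id, from which referer."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["level"] == "ERROR" and DISABLED_CLIENT_MARKER in rec["message"]:
            findings.append({"time": rec["ts"], "client_id": rec["context"].get("client"),
                             "referer": rec["referer"]})
    return findings
```

A hit here means the registration itself is fine and the fix is to enable the client, not to re-register it or re-enter the secret.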

Yes, that was the problem. The client I registered was set to “Disabled”. It worked after I set the client to Enabled on the Client Registrations page. Thanks!
