Not able to register client to OpenEMR

Nilesh_Hake · December 12, 2021, 5:09pm

Hi Team,

I am not able to register client from postman as well as the register-app.php.
Can any one tell what needs to pass the JSON Web Key Set URI and JSON Web Key Set when I registering the client from register-app.php.

When I tried to register the client from postman I am getting below error
{
** “error”: “server_error”,**
** “error_description”: “The authorization server encountered an unexpected condition which prevented it from fulfilling the request: Security error - problem with authorization server keys.”,**
** “message”: “The authorization server encountered an unexpected condition which prevented it from fulfilling the request: Security error - problem with authorization server keys.”**
}

Any one please help me for same.

Thanks,
Nilesh

adunsulag · December 13, 2021, 9:13pm

Are you trying to use system/* scopes? If not, you don’t need to pass anything for the JSON Web Key Set.

If you do need system/* scopes for your client then the JSON web key set URI must be a publicly accessible URL that has a valid JSon Web Key Set as the HTTP response. A web key set must follow the standards specified in RFC 7517 and a more user friendly set can be found here: JSON Web Key Sets

Here is an example I use with Insomnia (similar to Postman):

Preparing request to https://10.0.0.12:9300/oauth2/default/registration

> POST /oauth2/default/registration HTTP/1.1
> Host: 10.0.0.12:9300
> User-Agent: insomnia/2021.2.2
> Content-Type: application/json
> Accept: */*
> Content-Length: 1702

| {
| 	"application_type": "private",
|    "redirect_uris":
|      ["http://10.0.0.12:4567/inferno/oauth2/static/redirect"],
|    "post_logout_redirect_uris":
|      ["http://10.0.0.12:4567/inferno/oauth2/static/logout"],
|    "client_name": "Inferno Export",
| 	"initiate_login_uri": "http://10.0.0.12:4567/inferno/oauth2/static/launch",
|    "token_endpoint_auth_method": "client_secret_post",
|    "contacts": ["me@example.org", "them@example.org"],
| 	 "scope": "system/*.$export system/Patient.$export system/*.$bulkdata-status system/Group.$export system/Medication.read system/AllergyIntolerance.read system/CarePlan.read system/CareTeam.read system/Condition.read system/Device.read system/DiagnosticReport.read system/DocumentReference.read system/Encounter.read system/Goal.read system/Immunization.read system/Location.read system/MedicationRequest.read system/Observation.read system/Organization.read system/Practitioner.read system/Procedure.read system/Provenance.read",
| 	"jwks": {"keys":[{"kty":"EC","crv":"P-384","x":"JQKTsV6PT5Szf4QtDA1qrs0EJ1pbimQmM2SKvzOlIAqlph3h1OHmZ2i7MXahIF2C","y":"bRWWQRJBgDa6CTgwofYrHjVGcO-A7WNEnu4oJA5OUJPPPpczgx1g2NsfinK-D2Rw","key_ops":["verify"],"ext":true,"kid":"4b49a739d1eb115b3225f4cf9beb6d1b","alg":"ES384"},{"kty":"RSA","alg":"RS384","n":"vjbIzTqiY8K8zApeNng5ekNNIxJfXAue9BjoMrZ9Qy9m7yIA-tf6muEupEXWhq70tC7vIGLqJJ4O8m7yiH8H2qklX2mCAMg3xG3nbykY2X7JXtW9P8VIdG0sAMt5aZQnUGCgSS3n0qaooGn2LUlTGIR88Qi-4Nrao9_3Ki3UCiICeCiAE224jGCg0OlQU6qj2gEB3o-DWJFlG_dz1y-Mxo5ivaeM0vWuodjDrp-aiabJcSF_dx26sdC9dZdBKXFDq0t19I9S9AyGpGDJwzGRtWHY6LsskNHLvo8Zb5AsJ9eRZKpnh30SYBZI9WHtzU85M9WQqdScR69Vyp-6Uhfbvw","e":"AQAB","key_ops":["verify"],"ext":true,"kid":"b41528b6f37a9500edb8a905a595bdd7"}]}
| }

* upload completely sent off: 1702 out of 1702 bytes
* Mark bundle as not supporting multiuse

< HTTP/1.1 200 OK
< Date: Fri, 13 Aug 2021 00:42:10 GMT
< Server: Apache
< Set-Cookie: authserverOpenEMR=UiGpT%2Ct0wbb9nnX-2belpk9RqUTRwAFq5YyXjKRIGKBZUApt; expires=Fri, 13-Aug-2021 08:28:50 GMT; Max-Age=28000; path=/oauth2/; secure; HttpOnly; SameSite=None
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: origin, authorization, accept, content-type, x-requested-with
< Access-Control-Allow-Methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
< Access-Control-Allow-Origin: *

* Replaced cookie authserverOpenEMR="deleted" for domain 10.0.0.12, path /oauth2/, expire 1

< Set-Cookie: authserverOpenEMR=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/oauth2/; secure; HttpOnly; SameSite=None
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< X-XSS-Protection: 1; mode=block
< Content-Length: 2114
< Content-Type: text/html; charset=utf-8


* Received 2.1 KB chunk
* Connection #21 to host 10.0.0.12 left intact
* Saved 2 cookies

You can see the specific JWKS here:

{"keys":[{"kty":"EC","crv":"P-384","x":"JQKTsV6PT5Szf4QtDA1qrs0EJ1pbimQmM2SKvzOlIAqlph3h1OHmZ2i7MXahIF2C","y":"bRWWQRJBgDa6CTgwofYrHjVGcO-A7WNEnu4oJA5OUJPPPpczgx1g2NsfinK-D2Rw","key_ops":["verify"],"ext":true,"kid":"4b49a739d1eb115b3225f4cf9beb6d1b","alg":"ES384"},{"kty":"RSA","alg":"RS384","n":"vjbIzTqiY8K8zApeNng5ekNNIxJfXAue9BjoMrZ9Qy9m7yIA-tf6muEupEXWhq70tC7vIGLqJJ4O8m7yiH8H2qklX2mCAMg3xG3nbykY2X7JXtW9P8VIdG0sAMt5aZQnUGCgSS3n0qaooGn2LUlTGIR88Qi-4Nrao9_3Ki3UCiICeCiAE224jGCg0OlQU6qj2gEB3o-DWJFlG_dz1y-Mxo5ivaeM0vWuodjDrp-aiabJcSF_dx26sdC9dZdBKXFDq0t19I9S9AyGpGDJwzGRtWHY6LsskNHLvo8Zb5AsJ9eRZKpnh30SYBZI9WHtzU85M9WQqdScR69Vyp-6Uhfbvw","e":"AQAB","key_ops":["verify"],"ext":true,"kid":"b41528b6f37a9500edb8a905a595bdd7"}]}

Nilesh_Hake · December 15, 2021, 4:31am

Thanks for replay @adunsulag

adunsulag · March 11, 2022, 12:22pm

A post was split to a new topic: How do I generate bulk System Export Client Assertion?