Situation
I am trying to obtain an access token from the /oauth2/default/token endpoint in OpenEMR, but I consistently get a 400 Bad Request error with "invalid_client" or "Bad request" messages.
Steps I followed:
- Enabled required settings in Administration → Globals:
  enable_oidc = 1
  rest_api_token_endpoint_enable = 1
  (Verified in MySQL globals table.)
- Registered a client via /oauth2/default/registration:
  {
    "application_type": "private",
    "client_name": "Prevenotics AutoReport",
    "redirect_uris": ["http://localhost/callback"],
    "post_logout_redirect_uris": ["http://localhost/logout"],
    "response_types": ["code"],
    "token_endpoint_auth_method": "client_secret_post",
    "scope": "openid offline_access api:oemr"
  }
- Confirmed that the generated client_id and client_secret match the entries in the MySQL oauth_clients table.
- Authorization Code request works — I get a code parameter back successfully.
- Tried to exchange the code for a token:
  curl -X POST "https://localhost/openemr/oauth2/default/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "grant_type=authorization_code" \
    -d "code=xxxxxxxxxxxxxxxx" \
    -d "redirect_uri=http://localhost/callback" \
    -d "client_id=PnJlOAitpjuYwvQhzkxu5xVguswW-OaNEtr6KoOhdQU" \
    -d "client_secret=xxxxxxxxxxxxxxxx"
- Always get this response:
  {
    "error": "invalid_client",
    "error_description": "Bad request",
    "message": "Bad request"
  }
OpenEMR Version
7.0.3
Browser
- Chrome Version 138
- Also tested with curl from terminal
Operating System
macOS 15.0.1
Search
Yes — searched the forum and GitHub issues for “400 invalid_client token endpoint” but did not find a working solution for this case.
Logs
No detailed message in php_error.log — only the 400 response.
Checked MySQL oauth_clients table:
  SELECT grant_types FROM oauth_clients WHERE client_id = 'PnJlOAitpjuYwvQhzkxu5xVguswW-OaNEtr6KoOhdQU';
  -- Result:
  authorization_code
Screenshot
Please!!! Somebody help me, I’ve been living with a 400 error for a week.