OAuth2 invalid_client error on /authorize endpoint (v7.0.2 Docker)

Hello OpenEMR Community,

I am trying to set up API access for a custom application using OAuth 2.0 with OpenEMR version 7.0.2 (running the official Docker image). I am encountering persistent issues with obtaining an access token.

Environment:

  • OpenEMR Version: 7.0.2
  • Setup: Official Docker deployment

Goal:
Obtain an access token (and ideally a refresh token) for server-to-server API interaction using a registered confidential client.

Problems Encountered:

  1. Client Credentials Grant Failed: Attempts to use the client_credentials grant consistently fail with 400 Bad Request and the error {"error":"invalid_request", "hint":"assertion type is not supported", ...}. This happens regardless of whether credentials are sent via client_secret_post or client_secret_basic, and with or without the scope parameter.

  2. Password Grant Failed: Enabling the “Enable Oauth2 Password Grant” option (for ‘User’ role) in Administration → Globals → Connectors did not help. Attempting the password grant resulted in 400 Bad Request with {"error":"unsupported_grant_type", ...}. (This option has since been disabled again).

  3. Authorization Code Grant Fails Immediately: This seems like the most standard way, but it fails right at the beginning.

    • I registered a new confidential client (“Agent Orchestrator”) via Administration → API Clients.
    • Redirect URI is set exactly to http://localhost/callback.
    • Requested Scopes are openid, fhirUser, offline_access.
    • The client is Enabled.
    • When I try to access the authorization endpoint in the browser using the correct, newly generated Client ID and matching Redirect URI:
      http://<MY_OPENEMR_IP>:8300/oauth2/default/authorize?response_type=code&client_id=<MY_NEW_CLIENT_ID>&redirect_uri=http%3A%2F%2Flocalhost%2Fcallback&scope=openid+fhirUser+offline_access
      
    • Instead of seeing the login page, I immediately get the error:
      {"error":"invalid_client","error_description":"Client authentication failed","message":"Client authentication failed"}

Troubleshooting Steps Taken:

  • Verified the Client ID in the URL exactly matches the registered (and enabled) client.
  • Verified the Redirect URI in the URL exactly matches the registered Redirect URI (http://localhost/callback).
  • Tried clearing browser cache.
  • Checked Apache error logs (/var/log/apache2/error.log inside the container) - nothing relevant found, even with LogLevel debug.
  • Checked PHP error settings (error_log is not set, errors should go to Apache log).
  • Checked OpenEMR logs via UI (Administration → System → Logs) - nothing relevant found.

Question:

  • Is there a known issue or specific configuration required for OAuth 2.0 grants (especially authorization_code) in OpenEMR 7.0.2 Docker installs?
  • Why would the /authorize endpoint return invalid_client immediately when the Client ID and Redirect URI seem correct and match the registration? Could there be another configuration conflict (e.g., base URL, virtual host setup within Docker)?

Any help or pointers would be greatly appreciated! We are currently blocked from proceeding with API integration.

Thank you!
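
An added example, not part of the original post and not OpenEMR code: a small check that decodes an authorization request shaped like the one above and compares it with the values registered for the client, using only generic OAuth 2.0 rules (RFC 6749). The host name, client ID and the `REGISTERED` dictionary are constructed placeholders, and `check_authorize_request` is a hypothetical helper name.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed placeholders standing in for the values shown under
# Administration -> API Clients; replace with the real registration.
REGISTERED = {
    "client_id": "EXAMPLE_CLIENT_ID",
    "redirect_uri": "http://localhost/callback",
    "scopes": ["openid", "fhirUser", "offline_access"],
}
SAMPLE_URL = (
    "http://openemr.example:8300/oauth2/default/authorize"
    "?response_type=code&client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=http%3A%2F%2Flocalhost%2Fcallback"
    "&scope=openid+fhirUser+offline_access"
)

def check_authorize_request(url, registered):
    """Return a list of mismatches between an authorization request URL
    and the client's registered values (generic RFC 6749 checks)."""
    findings = []
    parts = urlsplit(url)
    # parse_qs percent-decodes values and turns '+' into a space.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        if len(values) > 1:  # a parameter must not appear twice
            findings.append(f"parameter '{name}' is repeated")
    p = {k: v[0] for k, v in params.items()}

    if not parts.path.endswith("/authorize"):
        findings.append(f"unexpected endpoint path: {parts.path}")
    if p.get("response_type") != "code":
        findings.append("response_type must be 'code' for this grant")
    if p.get("client_id") != registered["client_id"]:
        findings.append("client_id differs from the registered value")
    # Compared as exact strings: scheme, host, port, path, trailing slash.
    if p.get("redirect_uri") != registered["redirect_uri"]:
        findings.append(f"redirect_uri {p.get('redirect_uri')!r} is not "
                        f"the registered {registered['redirect_uri']!r}")
    extra = set(p.get("scope", "").split()) - set(registered["scopes"])
    if extra:
        findings.append(f"scopes not registered: {sorted(extra)}")
    if not p.get("state"):
        findings.append("no state parameter (recommended for CSRF protection)")
    return findings

if __name__ == "__main__":
    for finding in check_authorize_request(SAMPLE_URL, REGISTERED):
        print(finding)
```

A clean result here only shows that the request parameters agree with the registration; it does not inspect the server's own configuration.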