Oemr standard API is not working

Hi

We are seeing some issues with using the standard API. When we use the scope (user/Appointment.read) as defined to get the token, it generates the token and creates the DB entry in the oauth3 table, but since the routes (/api/appointment, user/appointment.read) are in lower case, when we use the token to call the API it throws unauthorized access.

From what we can see, the scope and the route should have the same letter case.

We tested this by making the route (/api/Appointment, user/Appointment.read) upper case, and then it worked.

Regards
Gaurav

The standard API uses the lowercase scope names. user/appointment.read is the scope you want. The standard API predates the FHIR APIs and we didn't change their names, for legacy support. So the API is not broken; you're just using the wrong scope.

Uppercase scopes are for the FHIR APIs and are required to be that way to be interoperable with other FHIR systems.

Hi,

Thank you very much for your reply. We tried with lower case as well. With user/appointment.read

we get the following error:

Your help is very much appreciated.

Thank you

Regards
Gaurav

I don’t have enough information to debug your request. What are the scopes you registered your client with? Is this a public or confidential client?

Have you turned on the debug API logs and looked at your Apache error logs to see why it is giving you the 401 unauthorized?

Dear Stephan,

Thank you for your reply.
How do I enable the debug API log?

It's a confidential client.

Token generated using this scope

It creates a DB entry, but if you notice, it is missing the scope user/appointment.read, since we generated the token using all lower case.

I am attaching an image in the next reply, and if we use the generated token it gives a 401 error.

Please let me know if you need additional information

Regards
Gaurav

It creates a DB entry, but if you notice, it is missing the scope user/appointment.read, since we generated the token using all lower case.

Look in the MySQL table oauth2_clients at the scope field. If you didn't register your OAuth2 client with the user/appointment.read scope, it will be removed from the access token when you request it. You can add the scope there in the table if you want to keep using the same client.

Debugging can be enabled in Admin → Config → Logging → System Error Logging Options.
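The two behaviours this thread turns on, that a requested scope is dropped from the token unless the client was registered with it, and that a route's required scope must match the token scope as an exact, case-sensitive string, can be reasoned about offline. The following is an added example written for this page, not OpenEMR's own code: it models a client registration as a space-separated scope string (the usual OAuth2 encoding, assumed here to be what the oauth2_clients scope column holds), filters a token request against it, and runs the route check that yields the 401. The sample registration, the route-to-scope table and every function name are constructed for the illustration.

```python
"""Added example (not OpenEMR code): model of scope filtering at token issue and
the case-sensitive route check, as described in the thread above.

Assumptions (constructed for illustration):
  - oauth2_clients.scope is a space-separated scope string.
  - ROUTE_SCOPES is a stand-in for the real route-to-scope mapping.
"""

# Constructed oauth2_clients.scope value for a client registered with the
# FHIR-style (uppercase) appointment scope but not the standard-API one.
CLIENT_SCOPE_COLUMN = "openid api:oemr user/encounter.read user/Appointment.read"

# Assumed stand-in: which scope guards which standard-API route.
ROUTE_SCOPES = {
    ("GET", "/api/appointment"): "user/appointment.read",
    ("GET", "/api/encounter"): "user/encounter.read",
}


def parse_scope_column(value: str) -> set[str]:
    """Split a space-separated scope string into a set; case is preserved."""
    return {s for s in value.split() if s}


def grant_scopes(requested: list[str], registered: set[str]) -> tuple[list[str], list[str]]:
    """Filter a token request against the client registration.

    Returns (granted, dropped). A requested scope survives only if the client
    was registered with it, compared as an exact, case-sensitive string, which
    is why a lowercase request against an uppercase registration is silently
    dropped rather than matched.
    """
    granted = [s for s in requested if s in registered]
    dropped = [s for s in requested if s not in registered]
    return granted, dropped


def authorize(method: str, path: str, token_scopes: set[str]) -> int:
    """Return the HTTP status the route check gives for the token's scopes."""
    required = ROUTE_SCOPES.get((method, path))
    if required is None:
        return 404
    return 200 if required in token_scopes else 401


def case_mismatches(scope: str, registered: set[str]) -> list[str]:
    """Diagnostic: registered scopes that differ from `scope` only by case."""
    return sorted(s for s in registered if s != scope and s.lower() == scope.lower())


def add_registered_scope(column: str, scope: str) -> str:
    """Rebuild the scope column with `scope` added (the fix suggested above)."""
    scopes = parse_scope_column(column)
    scopes.add(scope)
    return " ".join(sorted(scopes))


if __name__ == "__main__":
    registered = parse_scope_column(CLIENT_SCOPE_COLUMN)
    request = ["openid", "user/appointment.read"]

    # Lowercase standard-API scope requested: dropped at issue, route gives 401.
    granted, dropped = grant_scopes(request, registered)
    print("granted:", granted, "dropped:", dropped)
    print("GET /api/appointment ->", authorize("GET", "/api/appointment", set(granted)))
    print("case near-misses:", case_mismatches("user/appointment.read", registered))

    # After adding the scope to the registration the same request succeeds.
    fixed = add_registered_scope(CLIENT_SCOPE_COLUMN, "user/appointment.read")
    granted, _ = grant_scopes(request, parse_scope_column(fixed))
    print("GET /api/appointment ->", authorize("GET", "/api/appointment", set(granted)))
```

The `case_mismatches` check is the quick diagnostic to run against the registered scope string before touching the table: if it returns a hit, the client was registered with the other API's spelling of the scope, and the fix is to register (or add) the lowercase standard-API scope rather than to change the route.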