OpenID Connect Provider Configuration

brad · May 24, 2023, 4:44pm

I was looking at how to configure openEMR as a OpenID Connect Proivder in Azure AD B2C. On the surface it looks pretty simple but I don’t see where to find the information in openEMR configuration or even if I’m thinking the right way about it.

Here is what azure is asking for to set it up:

Metadata url => URL of the OpenID Connect discovery metadata document. Must start with “https://” and end with “/.well-known/openid-configuration”

Response type => Code or id_token

Domain Hint =>domain_hint is used on the /authorize endpoint to automatically select the provider instead of showing the sign in page

Anybody have an ideas?

adunsulag · May 24, 2023, 6:52pm

The following URL should give you the openid-configuration.
https://localhost:9300/oauth2/default/.well-known/openid-configuration

The code pathway hits the /oauth2/.htaccess for the rewrite rules which forwards onto /oauth2/authorize.php Line 77 is where it passes into the openid-configuration piece.

I believe Code must be referring to the authorization_code grant? We also support id_token.

As for domain_hint I’m not familiar with that. @sjpadgett wrote most of this code so he might be able to help here, he’s been out this week for personal issues though.

brad · May 24, 2023, 6:58pm

where would I get the ClientId and Secret? I looked at creating those in the openEMR configuration but looked like it was for the other direction; as in giving an application access into openEMR and I don’t think I want that.

adunsulag · May 24, 2023, 7:03pm

You will need to register a confidential client inside the OpenEMR installation, as part of your module you could generate one automatically as part of the installation. The client created inside OpenEMR will be used to make an API request to OpenEMR using the client_id and client_secret to get back a JWT with the individual claims (in the id_token) you need to get the user data.

For testing purposes, just generate a confidential client using the tools and make sure to enable it from the gui.

adunsulag · May 24, 2023, 7:59pm

To further clarify, you need to get identity information about the current user inside OpenEMR, Azure AD B2C will connect to OpenEMR using your application’s generated client_id and client_secret in order to get the identity information about the chosen user. What I don’t see listed there in your screenshot is what the redirect_uris will be that Azure AD B2C will use or if that is somehow configured as part of your SDK integration in your apis.

Hope that helps clarify things.