Password access token not working for patient user_role (API)

Hello there,

So I’ve been using the endpoints for OpenEMR only for user_role=users.
Recently I’ve enabled Patient Portal and created credentials for one patient.
I’m trying to receive an access token using the following endpoint:

POST http://192.168.1.10:8300/oauth2/default/token
Headers: Content-Type: application/x-www-form-urlencoded
Body:
grant_type: password
client_id: JEe4Ja5yh3P9E0kGOv5tGOhtllKK0LSJqopbpGPs5YE
user_role: patient
username: test
password: test
email: test
scope: openid

and I get this response, even though these credentials are working in Patient Portal UI

{
    "error": "invalid_grant",
    "error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.",
    "hint": "Failed Authentication",
    "message": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."
}

Any idea on what I’m doing wrong?
I should mention I'm just a junior developer, so in case you think "for sure it's not that, he would have checked that", please reconsider and let me know about any idea.

Edited: using admin account and user_role=users works just fine

Thank you!

hi @dudu3000, which OpenEMR version?

Hello,

I'm using it directly from the repository, so I guess it is the latest one (using Docker).

I have the same issue. Trying to access the token using the following request

curl -X POST -k -H 'Content-Type: application/x-www-form-urld' -i 'https://mysite.com/oauth2/default/token' --data 'grant_type=password&client_id=xxxxxx&scope=openid%20api%3Aport%20api%3Apofh%20patient%2Fencounter.read%20patient%2Fpatient.read%20patient%2FEncounter.read%20patient%2FPatient.read&user_role=patient&username=patient1@gmail.com&password=xxxx&email=patient1@gmail.com'

Here I used the patient credential from the patient portal. As @dudu3000 mentioned it works for user_role=users.

@dudu3000 did you resolve this issue?
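Since both posters are hand-building the same form request, here is an added example (my own code, not part of this thread and not OpenEMR's own client code) that assembles a password-grant request against the token endpoint shown above, checks that the Content-Type header is the exact form media type the server expects, and classifies the JSON the endpoint returns. The endpoint path and the form field names (grant_type, client_id, user_role, username, password, email, scope) are taken from the requests posted in this thread; the verdict strings returned by classify_token_response are my own naming. Unlike the curl with -k, the helper keeps TLS certificate verification on, and it never logs the password.

```python
"""Build, check and interpret an OpenEMR OAuth2 password-grant request.

Added example, not OpenEMR code. Assumed from the posts above: the token
endpoint lives at <base>/oauth2/default/token and accepts the form fields
listed in FORM_FIELDS. Nothing here touches the network unless
request_token() is called explicitly.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

FORM_CT = "application/x-www-form-urlencoded"
TOKEN_PATH = "/oauth2/default/token"          # assumption: default site id
FORM_FIELDS = ("grant_type", "client_id", "user_role", "username",
               "password", "email", "scope")
ALLOWED_ROLES = ("users", "patient")          # the two roles used in the thread


def build_password_grant(base_url, client_id, user_role, username,
                         password, email, scopes):
    """Return (url, headers, body_bytes) for a resource-owner password grant.

    scopes is a list; it is joined with single spaces and the whole form is
    percent-encoded by urlencode, so callers never hand-escape %20 or %2F.
    """
    if user_role not in ALLOWED_ROLES:
        raise ValueError("user_role must be one of %s" % (ALLOWED_ROLES,))
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "user_role": user_role,
        "username": username,
        "password": password,
        "email": email,
        "scope": " ".join(scopes),
    }
    assert tuple(form) == FORM_FIELDS
    body = urllib.parse.urlencode(form).encode("ascii")
    headers = {"Content-Type": FORM_CT, "Accept": "application/json"}
    return base_url.rstrip("/") + TOKEN_PATH, headers, body


def check_content_type(headers):
    """True only when the media type is exactly the form type.

    A mistyped value (for example 'application/x-www-form-urld') means the
    server cannot parse the body, so every field looks absent to it.
    """
    ct = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ct == FORM_CT


def classify_token_response(status, body_text):
    """Map the endpoint's JSON to a short verdict plus the server's hint."""
    data = json.loads(body_text)
    if status == 200 and "access_token" in data:
        return "ok", data.get("scope", "")
    err = data.get("error", "unknown")
    hint = data.get("hint", "")
    if err == "invalid_grant" and hint == "Failed Authentication":
        # Credentials rejected, or the role is not enabled for this grant.
        return "bad_credentials_or_role", hint
    return err, hint


def request_token(base_url, **kw):
    """Send the grant and return (status, body_text). Network I/O happens here."""
    url, headers, body = build_password_grant(base_url, **kw)
    if not check_content_type(headers):
        raise RuntimeError("refusing to send a non-form Content-Type")
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:   # TLS verified
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


# Constructed sample: the failure body quoted in this thread.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "The provided authorization grant (e.g., authorization "
                         "code, resource owner credentials) or refresh token is "
                         "invalid, expired, revoked, does not match the "
                         "redirection URI used in the authorization request, or "
                         "was issued to another client.",
    "hint": "Failed Authentication",
    "message": "(same text as error_description)",
})

if __name__ == "__main__":
    url, hdrs, body = build_password_grant(
        "https://mysite.com", "xxxxxx", "patient", "patient1@gmail.com",
        "xxxx", "patient1@gmail.com", ["openid", "api:port", "patient/Patient.read"])
    print(url)
    print(body.decode().replace("password=xxxx", "password=<redacted>"))
    print(classify_token_response(400, SAMPLE_ERROR))
```

The verdict "bad_credentials_or_role" is deliberately coarse: as the thread shows, the server returns the same invalid_grant / Failed Authentication body whether the password is wrong or the password grant is simply not enabled for that role in Globals, so the client cannot tell the two apart and the server-side debug log is the place to look.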

Check that your Globals -> 'Enable OAuth2 Password Grant (Not considered secure)' is set to allow the patient role to have access.

Thank you @adunsulag for the quick response. I tried both "both" and "only patient". None of them worked, and I got the same message:

{"error":"invalid_grant","error_description":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.","hint":"Failed Authentication","message":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}

Can you post some of your logs? In Globals -> logging make sure to change the logging from standard to Debug.

I am running the application in Docker. Docker does not show any error message. In /var/log/apache2/error.txt I found this:

[Tue Sep 21 02:00:33.656707 2021] [php7:notice] [pid 1887] [client 98.10.59.206:60644] [2021-09-21T02:00:33.656667+00:00] OpenEMR.DEBUG: AuthorizationController->oauthAuthorizeToken() OAuthServerException occurred {"message":"Bad request","stack":"#0 /var/www/localhost/htdocs/openemr/oauth2/authorize.php(73): OpenEMR\\RestControllers\\AuthorizationController->oauthAuthorizeToken()\n#1 {main}"} []

[Tue Sep 21 02:00:42.150306 2021] [php7:notice] [pid 1912] [client 98.10.59.206:60646] [2021-09-21T02:00:42.149284+00:00] OpenEMR.DEBUG: oauth2 request received {"endpoint":"/default/token"} []
[Tue Sep 21 02:00:42.155230 2021] [php7:notice] [pid 1912] [client 98.10.59.206:60646] [2021-09-21T02:00:42.155189+00:00] OpenEMR.DEBUG: AuthorizationController->oauthAuthorizeToken() starting request [] []
[Tue Sep 21 02:00:42.158553 2021] [php7:notice] [pid 1912] [client 98.10.59.206:60646] [2021-09-21T02:00:42.158512+00:00] OpenEMR.DEBUG: AuthorizationController->getAuthorizationServer() creating server [] []
[Tue Sep 21 02:00:42.160941 2021] [php7:notice] [pid 1912] [client 98.10.59.206:60646] [2021-09-21T02:00:42.160903+00:00] OpenEMR.DEBUG: AuthorizationController->getAuthorizationServer() grantType is authorization_code [] []
[Tue Sep 21 02:00:42.163238 2021] [php7:notice] [pid 1912] [client 98.10.59.206:60646] [2021-09-21T02:00:42.163198+00:00] OpenEMR.DEBUG: AuthorizationController->getAuthorizationServer() authServer created [] []
[Tue Sep 21 02:00:42.163661 2021] [php7:notice] [pid 1912] [client 98.10.59.206:60646] [2021-09-21T02:00:42.163622+00:00] OpenEMR.DEBUG: AuthorizationController->oauthAuthorizeToken() OAuthServerException occurred {"message":"Bad request","stack":"#0 /var/www/localhost/htdocs/openemr/oauth2/authorize.php(73): OpenEMR\\RestControllers\\AuthorizationController->oauthAuthorizeToken()\n#1 {main}"} []

Interestingly, when I changed Globals -> 'Enable OAuth2 Password Grant (Not considered secure)' to only patient, the patient portal does not work; I need to set it to both. Does it mean it is considering the patient as a user?

Thank you !

I registered the client using "application_type": "private". According to this script https://github.com/openemr/openemr/blob/c78ecab177e0158c609acd3b07d6e5f653fe491e/src/RestControllers/AuthorizationController.php#:~:text=%24params%20%3D%20array(,validateScopesAgainstServerApprovedScopes(%24data[‘scope’])%3B (lines 186-240), application type private forces

client_type = user

Is this the reason that I cannot get access tokens for

user_role = patient
?