Password access token not working for patient user_role (API)

dudu3000 · August 25, 2021, 12:38pm

Hello there,

So I’ve been using the endpoints for OpenEMR only for user_role=users.
Recently I’ve enabled Patient Portal and created credentials for one patient.
I’m trying to receive an access token using the following endpoint:

POST:http://192.168.1.10:8300/oauth2/default/token
H: Content-Type: application/x-www-form-urlencoded
B: grant_type: password
client_id: JEe4Ja5yh3P9E0kGOv5tGOhtllKK0LSJqopbpGPs5YE
user_role: patient
username: test
password: test
email: test
scope: openid

and I get this response, even though these credentials are working in Patient Portal UI

    "error": "invalid_grant",
    "error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.",
    "hint": "Failed Authentication",
    "message": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."
}

Any idea on what I’m doing wrong?
I should mention I’m just a junior developer, so in case you think “for sure it’s not that, he would have been checking that”, please reconsider and let me know about any idea.

Edited: using admin account and user_role=users works just fine

Thank you!

stephenwaite · August 25, 2021, 4:41pm

hi @dudu3000, which OpenEMR version?

dudu3000 · August 31, 2021, 8:35am

Hello,

I’m using it directlly from repository, so I guess is the latest one (using Docker).

Hari_Khanal · September 20, 2021, 8:20pm

I have the same issue. Trying to access the token using the following request

curl -X POST -k -H ‘Content-Type: application/x-www-form-urld’ -i ‘https://mysite.com/oauth2/default/token’ --data ‘grant_type=password&client_id=xxxxxx&scope=openid%20api%3Aport%20api%3Apofh%20patient%2Fencounter.read%20patient%2Fpatient.read%20patient%2FEncounter.read%20patient%2FPatient.read&user_role=patient&username=patient1@gmail.com&password=xxxx&email=patient1@gmail.com’

Here I used the patient credential from the patient portal. As @dudu3000 mentioned it works for user_role=users.

@dudu3000 did you resolve this issue?

adunsulag · September 20, 2021, 9:13pm

Check that your Globals -> ‘Enable OAuth2 Password Grant (Not considered secure)’ is set to allow patient role’s to have access.

Hari_Khanal · September 21, 2021, 1:40am

Thank you @adunsulag for the quick response. I tried both and only patient. Non of them worked, and got the same massage

{“error”:“invalid_grant”,“error_description”:“The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.”,“hint”:“Failed Authentication”,“message”:“The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.”}

adunsulag · September 21, 2021, 1:54am

Can you post some of your logs? In Globals -> logging make sure to change the logging from standard to Debug.

Hari_Khanal · September 21, 2021, 2:16am

I am running the application in a docker. Docker does not show any error massage. In the /var/log/apache2/error.txt I found this:

[> Tue Sep 21 02:00:33.656707 2021] [php7:notice] [pid 1887] [client 98.10.59.206:60644] [2021-09-21T02:00:33.656667+00:00] OpenEMR.DEBUG: AuthorizationController->oauthAuthorizeToken() OAuthServerException occurred {“message”:“Bad request”,“stack”:“#0 /var/www/localhost/htdocs/openemr/oauth2/authorize.php(73): OpenEMR\\RestControllers\\AuthorizationController->oauthAuthorizeToken()\n#1 {main}”}

[Tue Sep 21 02:00:42.150306 2021] [php7:notice] [pid 1912] [client 98.10.59.206:60646] [2021-09-21T02:00:42.149284+00:00] OpenEMR.DEBUG: oauth2 request received {“endpoint”:“/default/token”}
[Tue Sep 21 02:00:42.155230 2021] [php7:notice] [pid 1912] [client 98.10.59.206:60646] [2021-09-21T02:00:42.155189+00:00] OpenEMR.DEBUG: AuthorizationController->oauthAuthorizeToken() starting request
[Tue Sep 21 02:00:42.158553 2021] [php7:notice] [pid 1912] [client 98.10.59.206:60646] [2021-09-21T02:00:42.158512+00:00] OpenEMR.DEBUG: AuthorizationController->getAuthorizationServer() creating server
[Tue Sep 21 02:00:42.160941 2021] [php7:notice] [pid 1912] [client 98.10.59.206:60646] [2021-09-21T02:00:42.160903+00:00] OpenEMR.DEBUG: AuthorizationController->getAuthorizationServer() grantType is authorization_code
[Tue Sep 21 02:00:42.163238 2021] [php7:notice] [pid 1912] [client 98.10.59.206:60646] [2021-09-21T02:00:42.163198+00:00] OpenEMR.DEBUG: AuthorizationController->getAuthorizationServer() authServer created
[Tue Sep 21 02:00:42.163661 2021] [php7:notice] [pid 1912] [client 98.10.59.206:60646] [2021-09-21T02:00:42.163622+00:00] OpenEMR.DEBUG: AuthorizationController->oauthAuthorizeToken() OAuthServerException occurred {“message”:“Bad request”,“stack”:“#0 /var/www/localhost/htdocs/openemr/oauth2/authorize.php(73): OpenEMR\\RestControllers\\AuthorizationController->oauthAuthorizeToken()\n#1 {main}”}

Interesting is, when I changed Globals -> ‘Enable OAuth2 Password Grant (Not considered secure) to only patient, the patient portal does not work, need to do both. Does it mean, it is considering the patient as a user?

Thank you !

Hari_Khanal · September 25, 2021, 12:42am

I registered the client using “application_type”: “private”. According to this script openemr/src/RestControllers/AuthorizationController.php at c78ecab177e0158c609acd3b07d6e5f653fe491e · openemr/openemr · GitHub (line 186 -240) application type private forces the

client_type = user

Is this the reason that I cannot access tokens from

user-role= patient
?.