Scope user/document.read and user/document.write not available while registering API Client

soban.momin · April 22, 2025, 7:40am

Situation
The scopes “user/document.read” and “user/document.write” are not available while registering API Client.

OpenEMR Version
I’m using docker to run OpenEMR version 7.0.3

Browser:
Chrome version 124.0.6367.119.

Operating System
Windows 11 Pro

Logs
I don’t see anything in logs.

Please note I have enabled the following four options under Admin → Config → Connectors

Enable OpenEMR Standard FHIR REST API
Enable OpenEMR FHIR System Scopes (Turn on only if you know what you are doing)
Enable OpenEMR Standard REST API
Enable OpenEMR Patient Portal REST API (EXPERIMENTAL)

Any help will be aapreciated.

Nilesh_Hake · April 23, 2025, 7:24am

@soban.momin You have to update this scope into your database as well if you have already registered the client

soban.momin · April 23, 2025, 9:33am

@Nilesh_Hake I want to register a new client. Can you please guide me with the reference doc on how to add scopes to database?

Nilesh_Hake · April 23, 2025, 10:02am

@soban.momin Yes sure please send me email on below email id nilesh.hake@nbhhealthsoft.com

Qiaben · April 23, 2025, 12:07pm

Thought for 27 seconds

It turns out this isn’t actually a FHIR bug or a missing feature in your Docker image, but rather a quirk of the built-in “Admin → System → API Clients” UI: it doesn’t list every scope that OpenEMR supports by default. To work around it, you need to bypass the broken UI and register your client directly against the OAuth2 server.

Double‐check your Connector settings
In Admin → Config → Connectors, make sure you have:

Site Address (required for OAuth2 and FHIR) set to your OpenEMR base URI (e.g. https:///emr)

Enable OpenEMR Standard REST API

Enable OpenEMR Patient Portal REST API (EXPERIMENTAL) (if you need portal scopes)

Enable OpenEMR FHIR REST API (not strictly needed for the standard API scopes, but harmless)

Enable OpenEMR FHIR System Scopes (only for system-level FHIR scopes)
– and Save. citeturn2view0

Register your OAuth2 client via the registration endpoint
Open your browser’s Developer Console (right-click → Inspect → Console) and paste in a fetch call like the one below. Substitute https:///emr with your actual OpenEMR URL, and update redirect_uris/client_name as desired. Note how we explicitly include user/document.read and user/document.write in the scope string. citeturn3view0

(async() => {

const resp = await fetch(“https:///emr/oauth2/default/registration”, {

credentials: "include", 

headers: { "Content-Type": "application/json" }, 

method: "POST", 

body: JSON.stringify({ 

  application_type: "private", 

  redirect_uris: ["https://yourapp.example.com/callback"], 

  post_logout_redirect_uris: [""], 

  initiate_login_uri: "", 

  client_name: "My OpenEMR API Client", 

  token_endpoint_auth_method: "client_secret_post", 

  contacts: [ "devteam@example.com" ], 

  scope: [ 

    "openid", 

    "offline_access", 

    "api:oemr", 

    // include all the user/* scopes you need: 

    "user/appointment.read", 

    "user/appointment.write", 

    "user/document.read", 

    "user/document.write", 

    // …etc… 

  ].join(" ") 

})

});

console.log(await resp.json());

})();

That will print out a JSON object containing your new client_id and client_secret.

Enable the client in the Admin UI

Go back to Admin → System → API Clients.

You should now see “My OpenEMR API Client” in the list.

Click Edit, then toggle it Enabled, and Save.

After that, you’ll be able to request tokens with the document scopes:

curl -X POST https:///emr/oauth2/default/token \

-u client_id:client_secret \

-d grant_type=client_credentials \

-d scope=“user/document.read user/document.write”

and subsequently call your /api/document/… endpoints with those permissions.

adunsulag · April 23, 2025, 1:25pm

The UI is not broken. It was designed for FHIR client registration and only supports FHIR scopes. If anyone wants to ENHANCE the GUI registration they can add the other scopes and send us a PR.

The API Readme has the docs for registering directly with the server. A simple HTTP Post request using CURL, postman, whatever client you want will do the registration.

soban.momin · May 2, 2025, 10:13am

Thanks @adunsulag . I am able to access the documents scope by registering the client using API. It would be nice if you can put this in the documentation.

The UI is not broken. It was designed for FHIR client registration and only supports FHIR scopes.