Trouble Authenticating a client for FHIR API access

Oh, gosh, I know I messed with this at some point… right, here we are.

This closed GitHub issue discusses this topic. If you take a look at the current Apache config you’ll find the rotatelogs pipe I talked about, and it should be possible to arrange something reasonable from there.

I added the api:fhir scope, but it didn’t change the outcome.
It appears there is a bug in Postman such that I can’t see the /authorize request that is sent. So I can’t verify whether the state parameter is sent. But being that it’s a required part of the OAuth flow I assume it’s there. The state param is not sent on the /token request which I can see - nor should it be required for OAuth to my (novice) understanding.

I downloaded Postman to see if I could reproduce your problem (I use Insomnia now since Postman has moved to requiring a cloud connection). I’m guessing you are not putting in a value for the State parameter in your authorization flow. When I leave that field blank as you have it in your screenshots above, the request fails like you’ve described. Putting in a random value allows the flow to go through.

We can probably improve the error messages here, but we do require that the state parameter is present. It’s not a required field for OAuth, but for our OpenEMR installations we require the state parameter so that clients can know that the request comes from us.

1 Like
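Added example, not part of the thread and not OpenEMR's own code: a client-side sketch of the `state` handling discussed above, generating a random value for the /authorize request and checking it when the redirect comes back. The endpoint URL, client ID, redirect URI and function names are hypothetical placeholders; only the `api:fhir` scope comes from the thread.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical values for illustration; substitute your server's real ones.
AUTHORIZE_URL = "https://emr.example.test/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://client.example.test/callback"


def build_authorize_url(session: dict) -> str:
    """Create a fresh state, remember it, and return the /authorize URL."""
    state = secrets.token_urlsafe(32)  # unguessable, generated per request
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid api:fhir",
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Return the authorization code only if state matches the stored value."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # pop: each state is valid once
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state missing or mismatched; discard this response")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]


if __name__ == "__main__":
    session = {}
    print(build_authorize_url(session))
    # Constructed callback, shaped like the redirect sent after user consent.
    callback = f"{REDIRECT_URI}?code=constructed-code&state={session['oauth_state']}"
    print(handle_callback(session, callback))
```
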

Ugh… at least it was something simple. Sorry to have used up some of your time, but very much appreciate the help.
Cheers.

1 Like