V6 Authorization and API changes afoot

@VeniVidiVici the scope you registered with does not match the scope you are logging in with; fix that and try again.


Hi @benmarte, thank you for the suggestion.

I updated my request as suggested (with the scope matching the registration):

curl -X POST -k -H 'Content-Type: application/x-www-form-urlencoded' -i 'http://localhost/oauth2/default/token' --data 'grant_type=password&client_id=Nc0A6QG70aY8mEJa4WkmFcb--q1zV7otwowWfUmsNmM&username=admin&password=pass&user_role=users&scope=openid api:oemr api:fhir api:port api:pofh user/allergy.read user/allergy.write'

But unfortunately I still get the same error message:

HTTP/1.1 400 Bad Request
Date: Sun, 07 Feb 2021 18:51:40 GMT
Server: Apache
Set-Cookie: authserverOpenEMR=QigaCW51yxJSGIzMWtmrkmvXDs3GIuenulLROd-g1LaogUK1; expires=Mon, 08-Feb-2021 02:38:20 GMT; Max-Age=28000; path=/oauth2/; secure; HttpOnly; SameSite=None
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: origin, authorization, accept, content-type, x-requested-with
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Access-Control-Allow-Origin: *
Set-Cookie: authserverOpenEMR=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/oauth2/; secure; HttpOnly; SameSite=None
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
Content-Length: 566
Connection: close
Content-Type: application/json

{"error":"invalid_grant","error_description":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.","hint":"Failed Authentication","message":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}

You only have 10 seconds to make the token request after receiving the authorization code!
So doing this with curl is tough unless you’re using Postman or other…


Thank you @sjpadgett, I just tried all over again (new registration) using Fiddler (within 10 sec) but I'm still stuck with the error message unfortunately.

{"error":"invalid_grant","error_description":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.","hint":"Failed Authentication","message":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}

This is password grant, so no authorization code.
Are you sure you have password grant turned on in Globals? Otherwise, even though I allowed the password grant begrudgingly, I won't support its use.
I know, mean, but that's how strongly I oppose its use :slight_smile:

This is my current setup, I hope I didn't miss anything. I looked at older posts to make sure everything looked ok.

Looking at this now on my PC. So is your instance running on AWS? This might be a CORS issue since you are trying to access it from localhost.

Can you provide more details about your setup and how you are trying to access it. What are you hosting on localhost:300, your own app that will consume the API I assume?

Hi @benmarte,

Yes, I am using an AWS instance. For my API tests, I was running everything directly from the AWS server itself (through ssh).
Then @sjpadgett mentioned the 10 second limit, so I started testing my queries from Postman. Postman is running from my machine (not AWS).
I think I should be able to give it another shot (registration and token generation within 10 seconds) from one AWS ssh session if that helps.

what are you hosting on localhost:3000 your own app that will consume the API I assume.

Correct.
I just used an OpenEMR Cloud Express (AWS) v6.0.0, so my setup should be fairly standard.
Everything looks fine so far, I'm just trying to make sure I'm able to access my data through APIs.
Please let me know if I can provide any additional information, and again thank you all for your help!

What is your app based off of? Does it have any sort of proxy you can use to connect to your AWS instance? You might need to make some changes to your httpd.conf and set up proxying for your app. If you are using create-react-app there are a few ways to do this, but look into whatever framework you are using as it might be different.

Since I'm testing for now, I used a simple local .NET 5 (Core) app to consume the API. This app can run from anywhere; it is local now but it will live in its own space eventually.
My main concern is to make a simple curl or Postman request work, as I'm trying to reach a point where I can demo how to interact with OpenEMR using APIs.

So how are you accessing your EC2 instance? Like, I go to your EC2 URL: ec2-18-212-180-77.compute-1.amazonaws.com/oauth2/default/client/GkT5iv1cOmuCmmhn2vmFgw and nothing resolves, so you need to fix that first before we can further help.

It's IP sourced, so only my IP has access (for now, since I'm testing).
I can open it up if that helps.

Nah, that's fine as long as you are certain you can connect to it. Also make sure you use https as your API endpoint.

At this point I would just try to get it working with Postman, and once that works move on to your app, because you will most certainly run into CORS issues.

@benmarte @sjpadgett would you have an example of a Postman query (to retrieve an auth token) by any chance?
I was looking at the document that @benmarte put together here (https://benmarte.com/blog/openemr-api-v6/#void) since my setup will be very similar. My client app will not have any DB and therefore using grant_type:password makes sense for me.
I'm just trying to get one good example of either a curl or Postman request to retrieve a token using grant_type:password on v6.0.
Once I see it working once, I'm sure I can understand what I'm missing or doing wrong.

Thank you again guys!!

@benmarte looking at your document, it seems like you are using some authentication in your Postman request to get a token. Could you share a screenshot maybe?

Have you checked your error logs in the openemr docker container? That would be your first step to start debugging. I'm almost certain you are having CORS issues if you are testing directly from an EC2 instance.

Have you tried registering using the smartapp endpoint scopes? That's what I ended up doing anyways instead of using all the scopes outlined in the readme. I believe there was a scope that was causing an issue that's included in the api example, but I'm certain I removed it in my example.

Also enable error logging in administration > globals > logging and set system error logging to debug. That might surface an error that helps figure out what's going on.

Remember, just because you are ssh'd in to your ec2 instance via terminal does not mean your whole computer has access to your instance. The only thing that has access to it is your ssh terminal. Just making sure you are aware of this.

Everything else I did, I documented exactly as I did it. Like I said, I'm certain you are running into a CORS issue.

Hi @jerry/@sjpadgett,

I was exploring the FHIR Api support in OpenEMR version v6.1.0-dev hosted at https://eleven.openemr.io

Following your instructions for v6 OAuth authorization, I was able to call the Token API to get the access token for the scopes "openid" and "api:fhir". The response is as below.
{
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJuT2hXcXdlRlZjWGh0ejJBaXBSTDNBVWNRNURSOWg1YmxNWWFmb2VCYk9vIiwiaXNzIjoiaHR0cHM6XC9cL2VsZXZlbi5vcGVuZW1yLmlvXC9vcGVuZW1yXC9vYXV0aDJcL2RlZmF1bHQiLCJpYXQiOjE2MTUyNzQ3MDIsImV4cCI6MTYxNTI3ODMwMiwic3ViIjoiOTJlNzczNWItZDI5Mi00NzQ5LTgyYTctODVjNjI4NmE0NGFiIiwiYXBpOmZoaXIiOnRydWV9.1w_U6Idtx26xiniTSIH7KoUOpOy4boF50mjAPnfDCjW0PH3tz_fZXxw3AIOSvn-o4zRsMFufBvBAZ9S_f7KBOoMmwwRYl7ckB1l5VK65wTCBUzDZpsg79uPneKeuAtSLC_BOzTni4xN8GSKn_qVo6AcOGfwG_Gmac8gXv8ag5HUWD_hscQMi9KbgFC17NWUWoCmfM_-vb6NJEGjOZEtsrPQllOKgA7cXC_CkjWDVVj5I-JT93jmhRtb6kDq30fCTm_doLFyL2MZQqOAPQCYZbxD7_Uxe8nVBTIOUAFd0kgWAVC_sn90A15q3SHGjkipRKXqLtsOECMMTEHciQSEP_w",
"scope": "openid",
"token_type": "Bearer",
"expires_in": 3600,
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJuT2hXcXdlRlZjWGh0ejJBaXBSTDNBVWNRNURSOWg1YmxNWWFmb2VCYk9vIiwianRpIjoiOTFlYjE1M2I5YThmMmY5ODcxMzgwMGJjMDgzMmVlMmFkOGE5ZGYxNDQyMTM1NDM3OTgzYTA5NzVkNTI5NzRkNDAzMWQ3YjBmYjNjN2RhZWMiLCJpYXQiOjE2MTUyNzQ3MDIsIm5iZiI6MTYxNTI3NDcwMiwiZXhwIjoxNjE1Mjc4MzAyLCJzdWIiOiI5MmU3NzM1Yi1kMjkyLTQ3NDktODJhNy04NWM2Mjg2YTQ0YWIiLCJzY29wZXMiOlsib3BlbmlkIiwiYXBpOmZoaXIiLCJzaXRlOmRlZmF1bHQiXX0.m4DW02iPFMVokR8Qm1CpYziAj2H1qod94jcfS7oxxgYQlze5un45aATpc31HeagpyyxqOORlqQ93Cce-W_USfSpatswyOCzRUULWFCuZhKc9bGkGs5qaziHLUrrTcbUbhUd6w8pJZqdR-9sVHrc_EOpka5g17Tnjp94LFpLAVu7w58AQN5aCwBIjk0CcS_AOThq9VCPbL7KmPmWgE4blGgCkEMYs2K_j9ip53SYwXdyoJ_NLvCSFd0nNcL-wt8dtsUYv15GjJhLZUvm3W35sezV62HhuWx0RdWdme_tOvtXSaj3Jp8fTALJ2uM4h7UOvxCWY-Xkzw_csDzEESTd9FQ"
}

I then tried to post a patient using the FHIR API endpoint as in your example, first by using the access_token value as the authorization bearer token, but the response is 401 unauthorized.
I don't see any related error log entries for this action except for this line, which I think is logged when trying to get the code while logging in.

[09-Mar-2021 07:43:34 UTC] PHP Warning: Undefined array key "nonce" in /var/www/localhost/htdocs/openemr/src/RestControllers/AuthorizationController.php on line 584

Then I tried the id_token value as the authorization bearer token, and in this case the response is a 500 internal server error.

The error log file has the following entries in this case:
[09-Mar-2021 07:47:19 UTC] PHP Warning: foreach() argument must be of type array|object, null given in /var/www/localhost/htdocs/openemr/apis/dispatch.php on line 75
[09-Mar-2021 07:47:19 UTC] PHP Fatal error: Uncaught TypeError: OpenEMR\Common\Http\HttpRestRequest::setAccessTokenScopes(): Argument #1 ($scopes) must be of type array, null given, called in /var/www/localhost/htdocs/openemr/apis/dispatch.php on line 83 and defined in /var/www/localhost/htdocs/openemr/src/Common/Http/HttpRestRequest.php:257
Stack trace:
#0 /var/www/localhost/htdocs/openemr/apis/dispatch.php(83): OpenEMR\Common\Http\HttpRestRequest->setAccessTokenScopes(NULL)
#1 {main}
thrown in /var/www/localhost/htdocs/openemr/src/Common/Http/HttpRestRequest.php on line 257

Please let me know what is missing or wrong and what should be changed so as to be able to get the FHIR API call to work.

Thanks
Rajesh

Hi @jerry/@brady.miller

In continuation with exploring FHIR API support and the issue mentioned in the previous post, I again tried OAuth2 authorization and FHIR API access on the demo server at https://demo.openemr.io.

Here again I was able to get the authorization code as below; the only thing noticeable was the scope value of "openid" even though the registration was for a scope of "openid api:fhir api:oemr".

Token Response:
{
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI4Rndobl9rWDdxWkZzNHR0WC1GUXVCMEptd3dkUG1vZTNkbmlianhnODFJIiwiaXNzIjoiaHR0cHM6XC9cL2RlbW8ub3BlbmVtci5pb1wvb3BlbmVtclwvb2F1dGgyXC9kZWZhdWx0IiwiaWF0IjoxNjE1Mzc0MDA4LCJleHAiOjE2MTUzNzc2MDgsInN1YiI6IjkyZWE5ZGRiLTVkZjYtNDJjMC04ZWZhLTJjYTc5ZjU2NDVlNSIsImFwaTpmaGlyIjp0cnVlLCJhcGk6b2VtciI6dHJ1ZX0.XL8BT441HCDvB32VA7quA2VY2MfcvyxsSHMGIdzcPJFNSNQpY5udoPo8doVPU6KHRLxBq6qsVaH0T5P-7sKsKijGibz2EuzSrjJFAVfoLjuiyTITsrj7NOJJb_Jp5KImWCdEZeno_G58UXk8BpnF3L-KfSn7rOeXiOibE2z9Ge3TRR5npy0N3DP4tmePeIMZ8O7es7SJsqf1F6HLGg5bwEbPbFSQK5suUPXqFx-nBgngU0uWopAqzZiXx1Rz3eXDdksvdavkRj8fOoT23ex3AWzpf2aMIuLYDiYcQhiW4BAXbESiJOmEN3txYWdb415HsnJ35Otezwrz7DWZjo6NfQ",
"scope": "openid",
"token_type": "Bearer",
"expires_in": 3600,
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI4Rndobl9rWDdxWkZzNHR0WC1GUXVCMEptd3dkUG1vZTNkbmlianhnODFJIiwianRpIjoiNDg4NzVmZDQwYWI1MWQ1OThjMzkyMDBkN2UxZWY2ZDczMWIyY2EwN2FiMjg5ZmE4NzExYjUzMTIwMWRkNjlkYzIzZjBhNWQxZGNkYzVjYzciLCJpYXQiOjE2MTUzNzQwMDgsIm5iZiI6MTYxNTM3NDAwOCwiZXhwIjoxNjE1Mzc3NjA4LCJzdWIiOiI5MmVhOWRkYi01ZGY2LTQyYzAtOGVmYS0yY2E3OWY1NjQ1ZTUiLCJzY29wZXMiOlsib3BlbmlkIiwiYXBpOmZoaXIiLCJhcGk6b2VtciIsInNpdGU6ZGVmYXVsdCJdfQ.VHTovxvh2K--4LhOsdC6dM0UuOyr_7bIuWChczN5VZJgIRYyD1x-5dJ5gct-mX8n64gagOHUCvjD5q0gXm9hB2ZFmc7JAuc2i2OaKlCJncExrp43v-mYXORtUSl30e5S3nFGCy6hADe7uv20Vb2VLSR5SA8qsDuBWQVkIWYuFVdSjIOws57gnQE1MIAkUzOBD92Zud-ioG78o_1gvT4wh4F2b_Kw1BEco2bh25Zw7OOlvyLys7dC8woCjL2U0w-ezcCfmceRWv9B6Z3-gDZ8OGCui9MwYT738FkYbDry109YNCiVBUar3mbCsWApNAYnLciL7NQLizq8BcS6-bCQSA",
"refresh_token": "..."
}

Next I tried to make the FHIR patient API call, passing the bearer token as the authorization header, but get the 401 unauthorized error.

On checking the PHP log on the server at https://one.openemr.io/log/logPhp.txt, it shows the following entry for each FHIR patient request I made.

[10-Mar-2021 11:22:01 UTC] PHP Fatal error: Uncaught LogicException: Key path "file:///var/www/localhost/htdocs/a/openemr/sites/default/documents/certificates/oapublic.key" does not exist or is not readable in /var/www/localhost/htdocs/a/openemr/vendor/league/oauth2-server/src/CryptKey.php:52
Stack trace:
#0 /var/www/localhost/htdocs/a/openemr/vendor/league/oauth2-server/src/ResourceServer.php(50): League\OAuth2\Server\CryptKey->__construct('file:///var/www...')
#1 /var/www/localhost/htdocs/a/openemr/_rest_config.php(201): League\OAuth2\Server\ResourceServer->__construct(Object(OpenEMR\Common\Auth\OpenIDConnect\Repositories\AccessTokenRepository), '/var/www/localh...')
#2 /var/www/localhost/htdocs/a/openemr/apis/dispatch.php(59): RestConfig::verifyAccessToken()
#3 {main}
thrown in /var/www/localhost/htdocs/a/openemr/vendor/league/oauth2-server/src/CryptKey.php on line 52

From the error it seems the public key certificate file is not accessible for some reason.

Please check the issue and fix.

Thanks,
Rajesh Maurya

Hi @jerry/@sjpadgett/@brady.miller,

I repeated my FHIR API test on the instance https://demo.openemr.io.

Now when I call the FHIR patient API (https://demo.openemr.io/openemr/apis/default/api/patient) I still get the 401 unauthorized error, but the error logged in the log file is different now.

Below is the extract of the error from the log file.

[15-Mar-2021 06:43:26 UTC] OpenEMR Error - api site error, so forced exit
[15-Mar-2021 06:46:27 UTC] OpenEMR Error - api site error, so forced exit
[15-Mar-2021 06:49:28 UTC] OpenEMR Error - api site error, so forced exit

I am also posting below the steps and related details I performed to get the access token.

1) Register
url: https://demo.openemr.io/openemr/oauth2/default/registration
post data:
{
"application_type": "private",
"redirect_uris": ["https://client.example.org/callback"],
"post_logout_redirect_uris": ["https://client.example.org/logout/callback"],
"client_name": "FHIR Client",
"token_endpoint_auth_method": "client_secret_post",
"contacts": ["rmaurya@switchlane.com"],
"scope": "api:fhir api:oemr openid"
}
Response:
{
"client_id": "6Za3GjlERIyw5GM-ZXL6WjSqMUwITUdJ9ra_5br4R8g",
"client_secret": "Pv0GmUifie7vr5QqgJ-T7cEkiPKXblRSzQASmd7dPTR887fgjQ9jx_dP_tmO9qu8dfQgpl1Zi3OzefTyqFq-hA",
"registration_access_token": "IndIDVyC1xY77i_ypxQaTOqBKpXfBDiIRcEKV4w9FQ8",
"registration_client_uri": "https://demo.openemr.io/openemr/oauth2/default/client/VnS0mFWrRZOI830IURy3Gw",
"client_id_issued_at": 1615790537,
"client_secret_expires_at": 0,
"client_role": "user",
"contacts": ["rmaurya@switchlane.com"],
"application_type": "private",
"client_name": "FHIR Client",
"redirect_uris": ["https://client.example.org/callback"],
"post_logout_redirect_uris": ["https://client.example.org/logout/callback"],
"token_endpoint_auth_method": "client_secret_post",
"scope": "api:fhir api:oemr openid"
}

2) Enable the API client

3) Authorize to get the authorization code
url: https://demo.openemr.io/openemr/oauth2/default/authorize?response_type=code&client_id=6Za3GjlERIyw5GM-ZXL6WjSqMUwITUdJ9ra_5br4R8g&state=a95b970548dd8880ddb7c3192439f468fe63396f&scope=openid api:fhir api:oemr

scope confirmation:

Code Response:
https://client.example.org/callback?code=def5020044c5582138c51239881bc1f8695be369492672dfa2810a39af5a713fef9ed11b986d18879ec3a819b78a8772a3a6e92f62dd4fcd121b4c106774583bbcec8a5384d452f019bd68b9be07a59c3947ce558f9d2e9afed2f875408d1e469e1679c9d02f98756d3e44424a7817041d553be3b520135718e6f825a565a03d274e7ee19461197eeb04039cbeafb6d987aff16aee07fd5778a1565dc004d1ffbb3dcfb49722e832e67ea37298aa9a90e5894a0ad5461945aa7b4aaba7c78bd154786ef25544a01fa58cf01ee63d8b147550ab9dd7c59676e5677e76bb655936e5a18ebe10bc99abc5f90ed91921c995c89b6002929f63f350bb35344ffe821e306fa182d1a9e8529ef8c850a2513a31d150d720cd8892a73a015e5e391b4bde4c9d2027a1c229d4855e235ec0515aa8389604aaa4789c5543a4adb86ede5f797aa6656ab650589fd790fb7b82be11ba4a992a6f021abf509981be8f7f5d6277638a9801228f22c80ae4b6c44ca3dbed5bcf210c73d2a8251a549b0741f5efbd381adcc321307dbd17e774b905c747033583a0a70eef7039fefdee68fbb7e9e5202d2c9f54d7ea6f1e2fac4f&state=a95b970548dd8880ddb7c3192439f468fe63396f

4) Get Token
url: https://demo.openemr.io/openemr/oauth2/default/token
Post detail:

Response:
{
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI2WmEzR2psRVJJeXc1R00tWlhMNldqU3FNVXdJVFVkSjlyYV81YnI0UjhnIiwiaXNzIjoiaHR0cHM6XC9cL2RlbW8ub3BlbmVtci5pb1wvb3BlbmVtclwvb2F1dGgyXC9kZWZhdWx0IiwiaWF0IjoxNjE1NzkyNTE3LCJleHAiOjE2MTU3OTYxMTcsInN1YiI6IjkyZjJhOWM1LTJmNDctNDVhZC1iMTU0LTg0ODhlNmU1MjMxMyIsImFwaTpmaGlyIjp0cnVlLCJhcGk6b2VtciI6dHJ1ZX0.BQOb3FWyTnYbzQ533jxLZf1B2E0LU4rOYJwA-FOMSrovExTXS1qvMNPiC8nivcJ7vatKKt2WIYjAm3YpNvaKbczkINoCvaIN20C0kKypKabhbtCgJkODjBqbx2TLehIp3wSLV_2jzaTT4qtLYl9wMoTDKso6AD9d99YuBopzFp6OaQcBvGdMOrMYZEfouWJZoFO9LG7vY2KylYJbAXFQu1TFSu1PNDnGsy8DhvYVP1XV5ziLvKzGDbqJI71lvPEdGa3dONc_8Rv1C0xORZT39oiafd61Cw2ai8rl4U6v_EkRhFNletwLfjSvnkdD-TCKqCxysHY5K4AQLkE2IOg_cA",
"scope": "openid",
"token_type": "Bearer",
"expires_in": 3600,
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI2WmEzR2psRVJJeXc1R00tWlhMNldqU3FNVXdJVFVkSjlyYV81YnI0UjhnIiwianRpIjoiMDdjMWFlMTkxZWRhMmNmNzVhMTkyYmI1ODViZTYxZGQwZWIxMWM4YzU1ZWI3ZGUwM2U2ZGM1MDY2YjQ5NmM4MTM4YmJjOGUzOThiMjNkZjYiLCJpYXQiOjE2MTU3OTI1MTcsIm5iZiI6MTYxNTc5MjUxNywiZXhwIjoxNjE1Nzk2MTE3LCJzdWIiOiI5MmYyYTljNS0yZjQ3LTQ1YWQtYjE1NC04NDg4ZTZlNTIzMTMiLCJzY29wZXMiOlsib3BlbmlkIiwiYXBpOmZoaXIiLCJhcGk6b2VtciIsInNpdGU6ZGVmYXVsdCJdfQ.EmhOBYtcSvIiGvITn5y0bu0Ovd6XYkSb5Su11Y5dJjK2OkODfnFlssMHs3rVkPgrVWjgRktMDil5SE96xbCr16P8KN4ER38y7pcxp0wz1CXOFmJdE_e4fs3WtzE89tbgoiP_Eo0aMn-8osolANXM3sx3q-F30pQZkRnZwkj5bRoxv9JtTArYFD6ZPO60bkj_PMGS3nfNk-DewI0ST_P-9xOOi2IV2hUijTsmxDlEQahadhFdcqgmz4qgVQtP-cWVKH2x3a39icTCJyrYoUnmfSKcSLMYLepeipzkdt5XiDZsDmzPP-1LGlRGw6uqnKOmcxbD2qYrJ0Ub7RAuGijRvg",
"refresh_token": "..."
}

  1. FHIR Patient API access - with "access_token" as bearer token
    Url: https://demo.openemr.io/openemr/apis/default/fhir/Patient
    Response: 401 unauthorized

  2. API patient access - with "access_token" as bearer token
    Url: https://demo.openemr.io/openemr/apis/default/api/patient
    Response: 401 unauthorized

Please let me know how we can access the FHIR API using the OAuth2 access token.

Thanks,

Rajesh Maurya

Hi @RajM,

Your FHIR request will require the user/Patient.read scope.
Your API request will require the user/patient.read scope.

Scopes are listed here for 6.0.0:
openemr/API_README.md at rel-600 · openemr/openemr · GitHub


Also ensure you have the api:oemr scope for the api call and the api:fhir scope for the fhir call.
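As an added example (not OpenEMR's code and not anything posted in this thread), the following Python does two things a client can check offline before blaming CORS or the server: it decodes a token's `scopes` claim and reports which of the scopes named in the last two replies are missing for a FHIR or standard API patient read, and it builds the form body for the password-grant request shown earlier in the thread. The sample token, client id, username and password are constructed here; the token is unsigned and is only a stand-in for the shape OpenEMR's access_token has.

```python
import base64
import json
from urllib.parse import urlencode

# Scopes each call needs, as stated in the replies above: the api:* scope
# selects the API family, the resource scope grants the read. Note the case
# difference: FHIR uses user/Patient.read, the standard API user/patient.read.
REQUIRED_SCOPES = {
    "fhir_patient_read": {"api:fhir", "user/Patient.read"},
    "api_patient_read": {"api:oemr", "user/patient.read"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(scopes) -> str:
    """Constructed, UNSIGNED sample token (alg none) for offline testing only;
    it is not a token from the thread and OpenEMR would reject it."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    payload = _b64url(json.dumps({"aud": "sample-client-id", "scopes": scopes}).encode())
    return f"{header}.{payload}."


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWT WITHOUT verifying it.
    Only for inspecting what the authorization server issued; the resource
    server (apis/dispatch.php in the thread) does the real verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_scopes(token: str, call: str) -> set:
    """Scopes the call needs that the token does not carry. An id_token has
    no 'scopes' claim at all (the 500 seen in the thread when it was sent as
    a bearer token), so for it every required scope is reported missing."""
    granted = set(jwt_claims(token).get("scopes") or [])
    return REQUIRED_SCOPES[call] - granted


def password_grant_body(client_id: str, username: str, password: str, scopes) -> str:
    """Form body for grant_type=password. The scope field is one
    space-separated string; urlencode percent-encodes it, which hand-built
    curl lines often get wrong. user_role=users mirrors the curl above."""
    return urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "user_role": "users",
        "scope": " ".join(scopes),
    })
```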