Developing the "OCL for OpenMRS" Application

The API seems to be expecting some kind of hashed password.

@hadijah315, @waweru, it turns out you have discovered the first place where we’re going to need to make a change to the OCL REST API.

I just had a Skype chat with @paynejd which I will summarize here:


Currently OCL has some tech debt, where they redundantly store user accounts across the web and API. The OCL REST API actually only supports token-based authentication. ocl-web allows you to log in with a username and password, and get the token. However we are not using ocl-web, so we need to make some changes…

Quick hack to do now

  1. Change the login screen in our new UI so that instead of asking for a password, it asks for a token.
    • of course this is terrible UI design; it’s only temporary to unblock us.
  2. For now a user would need to log into the existing ocl-web application (at and copy-paste their API token. (If you log in, and look at your account, it’s on the bottom left as “API Token:”.)
  3. Our application should use this token when making all the REST calls

Longer-term fix

Need to add a way to authenticate to the REST API using username and password.

  1. Is there someone on the team with some Python/Django experience who could look into how we’d solution this?
  2. Once we have an approach in mind, propose it as a new topic on this forum, to make sure that other stakeholders are okay with the API change.
  3. Then we can implement it.

@darius, how is the token generated for ocl-web? Having an idea might lead to us borrowing a leaf when doing it on the API.

I don’t know the answer to this. (I don’t actually know Python or Django, and I have only occasionally peeked at the OCL codebase.)


Thanks @darius, I am going to try with the token and see how that goes. As for changes in the API, I believe it is something small to change in the login controllers. I will first go deep into that and then get back to you.

The token is generated from the user id and there is a file called you @waweru can look at it to understand.

Check that file

Hello @darius, I have tried with a token but the error is the same. Maybe I could get on a call with @paynejd, you and @dkayiwa so that I can know exactly how the token has to work.

@hadijah315 are you trying the “quick hack” that I mentioned a few hours ago?

With my browser I went to (where I already have an account, but you could create one), and I looked at my account page, and copied the API token from there.

Then I can do this in Postman (or whatever tool): GET (with the header `Authorization: Token TOKEN_VALUE`) and I get back a result.

For dev purposes I would actually do this against, not against the production server.

If you’re questioning how to get this set up in a local dev environment, I see some instructions at which include a docker environment where you can specify the root user’s token, which should be good enough for short-term, until we can do the longer-term fix.
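The token-authenticated GET described above, as an added example that is not part of the original thread or of the OCL code base. The base URL, the `/example-resource/` path, the `OCL_API_TOKEN` variable name and the token value are placeholders constructed for illustration; only the `Authorization: Token <value>` header format comes from the post.

```python
import os
import urllib.request
from urllib.parse import urlsplit

# Hypothetical placeholder: the thread does not give the API URL.
OCL_API_BASE = "https://ocl-api.example.invalid"
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def load_token(env=os.environ):
    """Read the token from the environment (OCL_API_TOKEN is an assumed name)
    so it is never hard-coded in source or committed to the repository."""
    token = env.get("OCL_API_TOKEN", "").strip()
    if not token or any(c.isspace() for c in token):
        raise ValueError("OCL_API_TOKEN is missing or malformed")
    return token


def build_request(path, token, base=OCL_API_BASE):
    """Build a GET carrying 'Authorization: Token <value>'."""
    url = base.rstrip("/") + "/" + path.lstrip("/")
    parts = urlsplit(url)
    # Plain HTTP is tolerated only for a local dev server.
    if parts.scheme != "https" and parts.hostname not in LOCAL_HOSTS:
        raise ValueError("refusing to send the token over plaintext HTTP")
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", "Token " + token)
    req.add_header("Accept", "application/json")
    return req


def redacted_headers(req):
    """Headers safe for logs: keep the scheme word, hide the token itself."""
    out = {}
    for name, value in req.header_items():
        if name.lower() == "authorization":
            value = value.split(" ", 1)[0] + " <redacted>"
        out[name] = value
    return out


if __name__ == "__main__":
    sample_env = {"OCL_API_TOKEN": "0123456789abcdef-constructed"}  # constructed
    req = build_request("/example-resource/", load_token(sample_env),
                        base="http://localhost:8000")
    print(req.get_method(), req.full_url, redacted_headers(req))
    # urllib.request.urlopen(req) would send it to a running dev server.
```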

Ok thanks let me do that

Yes, it has worked. I have also received the data with the GET: and Authorization. Thanks

One clarification that may help: An API token is assigned to a user account when it is first created and it does not change after that. Like Darius said, you can find your token on your user profile page in OCL-WEB. There is no way to change your token through the web or API at this time.

Let me know if any questions and I’ll try as best as I can to answer!

If we can find a way to store this token as a configuration for now, it would probably avoid this workflow of having to log into and copy-paste the API token each time the user wants to log in. …and this would perhaps be an alternative way of authenticating to OCL for our application for now.

We can choose to store the API key as a Global Property in OpenMRS but that would mean that users would be using a common account configured on the OpenMRS server to authenticate to the ocl-web application. …or we can find ways to store the key as a user property and each user would somehow be using his/her own account (…in both ways, the OCL accounts will not be private as the corresponding OCL API keys will be easily accessible through OpenMRS).

Note: I strongly suggest that you make the infrastructure request to ASAP, because it’s going to take time to work through this, and we need to do that before we’ll have any public demo.

@darius We already did that, the process has already begun.

In connection to the above, here is a Doodle link for the probable demo dates for the Sprint One OCL for OpenMRS.

Kindly vote for the most appropriate time and date which is more preferable for you, the most popular time period will be the one we will use for the demo. Anybody can join us as we make an awesome product driven by the feedback from the community.

@hadijah315, do we have a JIRA ticket to capture this?

Not yet. I still had two tickets and PRs, but I have reached somewhere researching on how best we can do that. Maybe we shall put the ticket in the next sprint and we shall have a sync about it.

@hadijah315, right, I’m not suggesting that it’s urgent, I just want to make sure that it’s captured in a ticket so that we remember to talk about it on the demo/showcase and make a plan.

Alright thank you