OAuth2 Single Sign-On (SSO) with the new OAuth 2.0 Login module

Dear all,

Since the resolution of TRUNK-381 it is possible to Spring-wire custom authentication schemes to OpenMRS Core, thereby overriding the default UsernamePasswordAuthenticationScheme.

I would like to present one use case using this new feature to achieve SSO using OAuth2 with the new OAuth 2.0 Login module:

I have made sure to ship it with an extensive set of READMEs that in particular explain how this can be done with JBoss Keycloak and Google API. Not sure if the latter will ever be used in production, but the former can definitely be.

Perhaps one day will we have our demo and QA servers letting us in with OpenMRS ID :slight_smile: , @cintiadr? I would be happy to help.

@angshuonline another use case would be for Bahmni to ship with Keycloak (or equivalent) and have SSO working across all its components.

This is still beta code and the module is awaiting a first release, I would like to invite all of you to test it and provide feedback.

Thanks to all who have made this possible, in particular:

  • @amine for the scouting and pioneering work.
  • @lilian for the usual insight and directions.
  • @dkayiwa for challenging our approach to TRUNK-381 and getting things merged in.

Cc: @bdr @sunbiz @dev2 @dev3 @dev4 @dev5


This is awesome! I am gonna look out for ways we can leverage this new authentication scheme into https://github.com/openmrs/openmrs-module-oauth2 which also uses UsernamePasswordAuthenticationScheme.

well … I’ve been poking around and scratching my head while staring at https://github.com/openmrs/openmrs-module-oauth2login.

To test this I've been using the Bahmni Virtual Box ([https://bahmni.atlassian.net/wiki/spaces/BAH/pages/14712841/Bahmni+Virtual+Box)](https://bahmni.atlassian.net/wiki/spaces/BAH/pages/14712841/Bahmni+Virtual+Box)
on my Linux laptop, along with the docker image of Keycloak.  I'm

now trying to figure out here to put the OpenMRS OAuth login module on the BAhmni Virtual Box. In reading the instructions found on github (), I’ve not found the “path” to install these files. I read: but I cannot find a directory that possesses the shown content: I’m confused after staring at the following directories: Cheers!


Inside the box, that’d be in /opt/openmrs/modules.

Are you looking at enabling SSO within Bahmni?


I am looking at enabling SSO within Bahmni, using Google as the

primary authentication source/provider. I’ll let you know how this proceeds as it is now my primary focus.

Great, everything should be fine with the EMR part, but I’ll be curious to know your findings.

Odoo “should” be configurable to delegate authentication to a OAuth2 provider, but there’s some research to be done.

But then you’ll most likely hit a wall with OpenELIS, but let’s see when you get there.


Is there anyone in the community currently using this module on any OpenMRS version 2.X and does it work?

Hi @hngondoki yes we do on a large-scale OpenMRS entreprise integration. Against Core 2.3.x.

Noted. Thanks

@hngondoki what’s your use case?

Also note that the README promises something that’s not yet implemented about the initial set of roles to give to users when they are being created (see here). Not a big deal to run the last mile though. However somehow we never had to prioritise it. I detailed it here already: GSoC 2020: Advancement of OAuth2 Module and Improvements in SMART OWA

Hello, everyone! Implemented this and it’s working great for the login/logout process. However, I’m having a problem using Rest APIs where the response containing the login page of the IDP is returned instead of the intended result. So is there a way to bypass SSO dynamically like a url parameter or something?

Hi @ssovichhay,

That’s intentionally not allowed. If you have configured for the authentication to be delegated elsewhere, then it has to always be, otherwise this introduces obvious security loopholes.

Looks like the HTTP headers that you are showing us are not enough (or are incorrect) to authenticate the user with the identity provider. And that’s why it always redirects you to its login page.

What about those two cookies, where did you get them from? How did you come up with the actual request to make?

I would suggest to look through the app (so through the browser), when authenticated with the identity provider, how a typical REST call looks like. By “look like” I mean looking at all the headers, all the cookies… etc.

Thanks, @mksd for your reply! Are there any documents/posts on how to authenticate the OpenMRS user with the identity provider I should look at? because I only followed the HTTP call from this ; and it worked perfectly before I implemented the OAUTH2 module.

Also, I was using Postman. So it generated a bunch of request headers which I assumed are not necessary to show. As for the 2 cookies, they are generated from the http response.

Your question is identity provider specific, which one do you use?

The first question is: do you get everything running normally (forget about direct API calls for a sec) with your identity provider in place? That means:

  • some distro of OpenMRS with Core 2.2.1+ ;
  • with the OAuth 2 Login module ;
  • with an appropriate oauth2.properties file setup for your identity provider in the OpenMRS app data directory.

If all this is done and working as expected, then you can go stalk on REST requests made by your browser to see what should be in there in terms of headers, cookies, token and so on.