OpenMRS+Keycloak+Fhir2

Hello, I faced a few problems there. Env:

  1. SMART app configuration:
{
  "id": "patient.monitor",  
  "description": "patient.monitor",
  "order": 1,
  "config" : {
    "launchUrl" : "https://localhost/patient-monitor/launch.html",
    "launchType" : "EHR",                                     
    "launchContext" : "patient", 
    "fhirVersion" : "R4"                                        
  },
  "extensions": [
    {
      "id": "smartapps.patientMonitorHomepageLink",
      "extensionPointId": "smartAppManagement.apps",
      "type": "link",
      "label": "patient.monitor",
      "url": "smartonfhir/smartAppsRedirect.page?app=patient.monitor", 
      "icon": "icon-hdd",
      "requiredPrivilege": "App: smartonfhir.patientMonitorHomepageLink"
    }
  ]
}

the main problem which I have at the moment is NullPointerException on each request eg. GET http://localhost:8080/openmrs/ws/fhir2/R4/Patient/3ca34181-1834-4ddb-aee8-88e1525e0870 response:

<body>
    <h1>HTTP Status 500 – Internal Server Error</h1>
    <hr class="line" />
    <p><b>Type</b> Exception Report</p>
    <p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.
    </p>
    <p><b>Exception</b>
        <pre>java.lang.NullPointerException
</pre>
    </p>
    <p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p>
    <hr class="line" />
    <h3>Apache Tomcat/7.0.94</h3>
</body>

okay, let’s connect on zoom. sending you the zoom link.

@ibacher I think the docker-compose.yml file is not working properly in Mac OS but it is working fine in Linux. we are not able to access http://localhost:8080/openmrs when running the docker-compose file in mac.

unfortunately, there is problem not only in openmrs access. there is my docker-compose.yml (3.3 KB) file. I can access http://localhost:8080/openmrs but when I try make request http://localhost:8080/openmrs/ws/fhir2/R4/Encounter/a7b97a9f-b505-46ef-8162-3ed49db35c04

HttpError: 500 Internal Server Error
URL: http://localhost:8080/openmrs/ws/fhir2/R4/Encounter/a7b97a9f-b505-46ef-8162-3ed49db35c04

<!doctype html><html lang="en"><head><title>HTTP Status 500 – Internal Server Error</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}</style></head><body><h1>HTTP Status 500 – Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b> <pre>java.lang.NullPointerException
	java.net.URI$Parser.parse(URI.java:3041)
	java.net.URI.&lt;init&gt;(URI.java:588)
	java.net.URI.create(URI.java:850)
	org.apache.http.client.methods.HttpGet.&lt;init&gt;(HttpGet.java:66)
	org.keycloak.adapters.rotation.JWKPublicKeyLocator.sendRequest(JWKPublicKeyLocator.java:97)
	org.keycloak.adapters.rotation.JWKPublicKeyLocator.getPublicKey(JWKPublicKeyLocator.java:63)
	org.keycloak.adapters.rotation.AdapterTokenVerifier.getPublicKey(AdapterTokenVerifier.java:121)
	org.keycloak.adapters.rotation.AdapterTokenVerifier.createVerifier(AdapterTokenVerifier.java:111)
	org.keycloak.adapters.rotation.AdapterTokenVerifier.verifyToken(AdapterTokenVerifier.java:47)
	org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:103)
	org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:88)
	org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:67)
	org.keycloak.adapters.servlet.KeycloakOIDCFilter.doFilter(KeycloakOIDCFilter.java:195)
	org.openmrs.module.smartonfhir.web.filter.SmartAuthenticationFilter.doFilter(SmartAuthenticationFilter.java:78)
	org.openmrs.module.web.filter.ModuleFilterChain.doFilter(ModuleFilterChain.java:71)
	org.openmrs.module.smartonfhir.web.filter.CORSFilter.doFilterInternal(CORSFilter.java:49)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	org.openmrs.module.web.filter.ModuleFilterChain.doFilter(ModuleFilterChain.java:71)
	org.openmrs.module.spa.filter.SpaFilter.doFilter(SpaFilter.java:53)
	org.openmrs.module.web.filter.ModuleFilterChain.doFilter(ModuleFilterChain.java:71)
	org.openmrs.module.web.filter.ModuleFilter.doFilter(ModuleFilter.java:57)
	org.openmrs.web.filter.OpenmrsFilter.doFilterInternal(OpenmrsFilter.java:105)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	org.springframework.orm.hibernate5.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:156)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	org.openmrs.web.filter.StartupFilter.doFilter(StartupFilter.java:108)
	org.openmrs.web.filter.StartupFilter.doFilter(StartupFilter.java:108)
	org.openmrs.web.filter.StartupFilter.doFilter(StartupFilter.java:108)
	org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
</pre></p><p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p><hr class="line" /><h3>Apache Tomcat/7.0.94</h3></body></html>
    at _callee$ (https://cdn.jsdelivr.net/npm/fhirclient/build/fhir-client.js:12695:21)
    at tryCatch (https://cdn.jsdelivr.net/npm/fhirclient/build/fhir-client.js:455:40)
    at Generator.invoke [as _invoke] (https://cdn.jsdelivr.net/npm/fhirclient/build/fhir-client.js:685:22)
    at Generator.next (https://cdn.jsdelivr.net/npm/fhirclient/build/fhir-client.js:510:21)
    at asyncGeneratorStep (https://cdn.jsdelivr.net/npm/fhirclient/build/fhir-client.js:99:24)
    at _next (https://cdn.jsdelivr.net/npm/fhirclient/build/fhir-client.js:121:9)
    at https://cdn.jsdelivr.net/npm/fhirclient/build/fhir-client.js:128:7
    at new Promise (<anonymous>)
    at https://cdn.jsdelivr.net/npm/fhirclient/build/fhir-client.js:117:12
    at _checkResponse (https://cdn.jsdelivr.net/npm/fhirclient/build/fhir-client.js:12712:25)

the same for Patient request. I prepared all details for you: GET http://localhost:8080/openmrs/ws/fhir2/R4/Patient/455564f4-242e-432a-9d3c-0447c08662a3 500 Internal Server Error

Response Headers:

HTTP/1.1 500 Internal Server Error

Server: Apache-Coyote/1.1

Set-Cookie: JSESSIONID=0DCA2FADB424992F4A5A5B2744FD1A7A; Path=/openmrs; HttpOnly

Access-Control-Allow-Origin: *

Content-Type: text/html;charset=utf-8

Content-Language: en

Content-Length: 3721

Date: Tue, 15 Feb 2022 14:01:09 GMT

Connection: close

Request Headers:

GET /openmrs/ws/fhir2/R4/Patient/455564f4-242e-432a-9d3c-0447c08662a3 HTTP/1.1

Host: localhost:8080

Connection: keep-alive

sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"

accept: application/json

DNT: 1

authorization: Bearer [token removed]

sec-ch-ua-mobile: ?0

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36

sec-ch-ua-platform: "macOS"

Origin: http://localhost:9090

Sec-Fetch-Site: same-site

Sec-Fetch-Mode: cors

Sec-Fetch-Dest: empty

Referer: http://localhost:9090/

Accept-Encoding: gzip, deflate, br

Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7


Thanks for this very interesting post @mrserwin & @theanandankit! Ian is sick today but I’m sure he’ll review this when he’s back. Thanks in advance for your patience :slight_smile:

@mrserwin What’s the contents of your smart-keycloak.json file?

@ibacher this is the standard file

  {
    "realm": "openmrs",
    "auth-server-url": "http://localhost:8180/auth/",
    "ssl-required": "external",
    "resource": "smartClient",
    "public-client": true,
    "confidential-port": 0
  }

and this is file which I used for my application

  {
    "realm": "openmrs",
    "auth-server-url": "http://localhost:8180/auth/",
    "ssl-required": "external",
    "resource": "384a2222-b298-4a39-a4f8-369926488961",
    "public-client": true,
    "confidential-port": 0
  }

changed only application ID

BTW, I’m not sure whether /usr/local/tomcat/.OpenMRS/config/ is the correct place. Why not the /usr/local/tomcat/.OpenMRS/configuration/ folder, which OpenMRS has out of the box?

also, should it be different config files for each SMART app or we can store all configs in one file like an array of smart app configs?

It wasn’t out of the box when this was written, but yes, this needs to be fixed.

What do you get when you go to the URL: http://localhost:8180/auth/realms/openmrs/.well-known/openid-configuration?

openid-configuration.json (3.8 KB)

That looks to be in order, which suggests that the problem is that OpenMRS can’t load the file for some reason, most likely because it can’t reach the Keycloak server.

To test this, you could try to connect to the same URL using curl from the OpenMRS container, i.e.,:

docker-compose exec openmrs-referenceapplication curl -vL http://localhost:8180/auth/realms/openmrs/.well-known/openid-configuration

And see if that returns an error (it expects a response with an HTTP status code of 200 and the contents of the file you posted).

this returns nothing

docker-compose exec openmrs-referenceapplication curl -vL http://localhost:8180/auth/realms/openmrs/.well-known/openid-configuration

but :

curl -vL http://localhost:8180/auth/realms/openmrs/.well-known/openid-configuration
*   Trying ::1:8180...
* Connected to localhost (::1) port 8180 (#0)
> GET /auth/realms/openmrs/.well-known/openid-configuration HTTP/1.1
> Host: localhost:8180
> User-Agent: curl/7.77.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Cache-Control: no-cache, must-revalidate, no-transform, no-store
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Referrer-Policy: no-referrer
< Date: Thu, 17 Feb 2022 14:13:18 GMT
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< Content-Type: application/json
< Content-Length: 3910
<
* Connection #0 to host localhost left intact

The main reason for suggesting that is to suss-out if it’s some kind of Docker networking configuration issue which it might be if there’s no output. You could also try running docker-compose exec openmrs-referenceapplication sh and then in the new shell running the curl command.

Obviously from your computer you are able to reach the correct file on the Keycloak server… the question is whether the openmrs-referenceapplication container can reach the Keycloak server.

it does not work for me.

I connected to my openmrs-referenceapplication terminal and ran this command, and you are right - this image does not have access

# curl -vL http://localhost:8180/auth/realms/openmrs/.well-known/openid-configuration
*   Trying 127.0.0.1...
* TCP_NODELAY set
* connect to 127.0.0.1 port 8180 failed: Connection refused
*   Trying ::1...
* TCP_NODELAY set
* Immediate connect fail for ::1: Cannot assign requested address
*   Trying ::1...
* TCP_NODELAY set
* Immediate connect fail for ::1: Cannot assign requested address
* Failed to connect to localhost port 8180: Connection refused
* Closing connection 0
curl: (7) Failed to connect to localhost port 8180: Connection refused
#

@theanandankit @ibacher if I use your docker-compose.yml file without changes where network mode is host. I can access this link

network_mode: "host"

# curl -vL http://localhost:8180/auth/realms/openmrs/.well-known/openid-configuration
*   Trying ::1...
* TCP_NODELAY set
* connect to ::1 port 8180 failed: Connection refused
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8180 (#0)
> GET /auth/realms/openmrs/.well-known/openid-configuration HTTP/1.1
> Host: localhost:8180
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: no-cache, must-revalidate, no-transform, no-store
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Referrer-Policy: no-referrer
< Date: Fri, 18 Feb 2022 07:53:19 GMT
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< Content-Type: application/json
< Content-Length: 3910
<
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact
#

but I can’t access

http://localhost:8080/openmrs

from my browser :slight_smile:

I think we should configure our docker-compose file without using host mode

the same problem here https://groups.google.com/g/dcm4che/c/lEF4QQ7UOnY/m/hfJren18CQAJ

The alternative way of setting this up would be to change the references inside the configuration files to point to http://keycloak:8180/, but then you’ll need to modify the hosts file for your computer so that keycloak resolves to 127.0.0.1 because, IIRC, there’s an unfortunate requirement that Keycloak be addressable on the same address from both the backend container (openmrs) and your browser (on your local computer).

That’s why we set things up using network_mode: host in the first place… it was to get http://localhost:8180 to resolve to the Keycloak server both from the perspective of your browser and the perspective of the openmrs container.

It’s probably much simpler to just skip the Docker setup altogether and run Keycloak locally on your machine.
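The reachability and same-address requirements described in this thread can be checked before a SMART app is launched. The script below is an added example, not part of the original posts and not OpenMRS or Keycloak code; the function names, finding codes and the `/.dockerenv` container heuristic are assumptions, and the sample inputs are constructed from the URLs quoted in the thread.

```python
import ipaddress
import json
import os
from urllib.parse import urlsplit

# Constructed sample: the adapter file (smart-keycloak.json) as posted in the thread.
ADAPTER_JSON = """{
  "realm": "openmrs",
  "auth-server-url": "http://localhost:8180/auth/",
  "ssl-required": "external",
  "resource": "smartClient",
  "public-client": true,
  "confidential-port": 0
}"""

# Constructed sample: a discovery document trimmed to the two fields checked here.
DISCOVERY_JSON = """{
  "issuer": "http://localhost:8180/auth/realms/openmrs",
  "jwks_uri": "http://localhost:8180/auth/realms/openmrs/protocol/openid-connect/certs"
}"""

SAMPLE_ADAPTER = json.loads(ADAPTER_JSON)
SAMPLE_DISCOVERY = json.loads(DISCOVERY_JSON)


def is_loopback(host):
    """True for localhost names and for 127.0.0.0/8 or ::1 literals."""
    if not host:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary DNS name such as "keycloak"


def expected_issuer(adapter):
    """Realm URL as laid out in the thread: <auth-server-url>/realms/<realm>."""
    return adapter["auth-server-url"].rstrip("/") + "/realms/" + adapter["realm"]


def running_in_container():
    """Heuristic (assumption): Docker creates /.dockerenv inside containers."""
    return os.path.exists("/.dockerenv")


def preflight(adapter, discovery, in_container=None):
    """Return (code, message) findings; an empty list means the setup is consistent.

    `discovery` is the parsed openid-configuration document as fetched from the
    backend's own network position, or None if that fetch failed.
    """
    if in_container is None:
        in_container = running_in_container()
    findings = []
    host = urlsplit(adapter["auth-server-url"]).hostname
    if in_container and is_loopback(host):
        findings.append(("LOOPBACK_IN_CONTAINER",
                         f"'{host}' resolves to the container itself, not to Keycloak"))
    if discovery is None:
        # Per the thread, this is the state in which token verification ends in the NPE.
        findings.append(("DISCOVERY_UNREACHABLE",
                         "backend cannot load the realm's openid-configuration"))
        return findings
    want = expected_issuer(adapter)
    if discovery.get("issuer") != want:
        findings.append(("ISSUER_MISMATCH",
                         f"Keycloak advertises {discovery.get('issuer')!r}, adapter expects {want!r}"))
    jwks = discovery.get("jwks_uri")
    if not jwks:
        findings.append(("NO_JWKS_URI", "discovery document has no jwks_uri"))
    elif urlsplit(jwks).hostname != host:
        findings.append(("JWKS_HOST_DIFFERS",
                         "signing keys are served from a host other than auth-server-url"))
    return findings


if __name__ == "__main__":
    # Bridge-network container where the discovery fetch failed, as in the thread.
    for code, message in preflight(SAMPLE_ADAPTER, None, in_container=True):
        print(f"{code}: {message}")
```

Run it inside the backend container with the discovery document fetched from there; pass `None` for `discovery` when that fetch fails.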

but it does not work on MacOS 100% and it did not work on Windows too. So maybe this is not the best solution

I tried this case too. BTW, I showed it to @theanandankit on our call. There was the same problem (maybe not the same but similar).

<body>
	<h1>HTTP Status 500 – Internal Server Error</h1>
	<hr class="line" />
	<p><b>Type</b> Exception Report</p>
	<p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.
	</p>
	<p><b>Exception</b>
		<pre>java.lang.NullPointerException
</pre>
	</p>
	<p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p>
	<hr class="line" />
	<h3>Apache Tomcat/7.0.94</h3>
</body>

I described this problem here Few errors on getting data from fhir server · Issue #552 · openmrs/openmrs-esm-patient-chart · GitHub

Docker Desktop is, unfortunately, a bit of a moving target. This setup did work for me 100% on a Mac when it was originally setup, but it is entirely possible that something has changed in the interim.

You’re right that it’s likely a similar problem, i.e., the NPE seems to be the result of the OpenMRS container being unable to connect to the /.well-known/openid-configuration endpoint for the Keycloak server so that it doesn’t have the appropriate configuration setup. It’s important that the:

"auth-server-url": "http://localhost:8180/auth/",

Point to the Keycloak server. IIRC, Keycloak defaults to using port 8080, but you can shift the ports it uses using the -Djboss.socket.binding.port-offset=100 when running Keycloak to make it accessible on 8180 instead.


I run it as described in your WIKI

sudo ./bin/standalone.sh -Djboss.socket.binding.port-offset=100