I’m currently working on integrating SMART-on-FHIR with Keycloak (v14.0) and OpenMRS Reference Application 3.x (Core 2.7.4).

Current Setup:

- OpenMRS Version: Reference Application 3.x (Core 2.7.4)
- SMART-on-FHIR Module: smartonfhir-1.0.0-SNAPSHOT.omod (loaded and started successfully)
- Keycloak Version: 14.0
- OAuth Client: smartClient configured with:
  - Valid Redirect URIs: http://localhost:3000/*
  - Web Origins: http://localhost:3000
  - Scopes Requested: openid profile patient/*.read launch openid email
- Access Token: Successfully obtained using OAuth2 Authorization Code flow

When I use the access token to query FHIR endpoints like:

curl -H "Authorization: Bearer <access_token>" "http://localhost:8080/openmrs/ws/fhir2/R4/Condition?patient="

I get the following response:

HTTP Status 401 – Unauthorized
The request has not been applied to the target resource because it lacks valid authentication credentials for that resource.

What I’ve Verified:

- Access token contains:
  - Correct audience (aud: smartClient)
  - Scope: patient/*.read
  - Subject and username info (preferred_username, etc.)
- Token works in SMART App redirect flow: it logs in and returns a token to the frontend at localhost:3000
- The smartonfhir.omod is loaded and started
- FHIR endpoint works fine with Basic Auth (admin:Admin123)
- The jwks_uri and realm configuration seem accessible and valid
- OpenMRS works fine with Basic Auth for the same FHIR endpoint
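A 401 from a bearer-token resource server almost always comes from one of a handful of checks the server runs before it ever looks at the FHIR request: signature against the realm's jwks_uri, the `iss` claim matching the configured issuer, the `aud` claim containing the expected client, the token not being expired, and the required scope being present. The script below is an added example (not part of this post, and not code from the OpenMRS SMART-on-FHIR module or Keycloak) that decodes an access token without verifying it and reports which of those claim checks would fail, so the token handed to the FHIR endpoint can be compared against what the resource server is configured to expect. The audience `smartClient` and scope `patient/*.read` are taken from the post; the issuer URL `http://localhost:8180/auth/realms/openmrs`, the `kid` value and the sample claims are constructed placeholders, and the sample tokens carry a placeholder signature rather than a real RS256 one.

```python
import base64
import json
import sys
import time

# Values from the post: what the resource server is expected to require.
EXPECTED_AUD = "smartClient"
REQUIRED_SCOPE = "patient/*.read"
# Hypothetical issuer URL; replace with the realm's real issuer (the "iss" Keycloak emits).
EXPECTED_ISS = "http://localhost:8180/auth/realms/openmrs"
# Fixed clock so the constructed sample tokens below evaluate the same way every run.
SAMPLE_NOW = 1_700_000_000


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> tuple:
    """Split a compact JWS into (header, payload).

    This does NOT verify the signature; the resource server does that against the
    realm's jwks_uri. It only exposes the claims for inspection."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_claims(header: dict, payload: dict, expected_aud: str = EXPECTED_AUD,
                 required_scope: str = REQUIRED_SCOPE, expected_iss: str = EXPECTED_ISS,
                 now: float = None) -> list:
    """Return the reasons a resource server would reject this token's claims.

    An empty list means every inspected claim is consistent with the expectations."""
    now = time.time() if now is None else now
    problems = []

    if str(header.get("alg", "none")).lower() == "none":
        problems.append("alg is 'none': unsigned token, always rejected")

    # "aud" may be a single string or a list; Keycloak emits a list when several audiences apply.
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if expected_aud not in aud:
        problems.append(f"aud {aud} does not include {expected_aud!r}")

    if payload.get("iss") != expected_iss:
        problems.append(f"iss {payload.get('iss')!r} != expected {expected_iss!r}")

    # OAuth2 scope is a single space-separated string.
    scopes = str(payload.get("scope", "")).split()
    if required_scope not in scopes:
        problems.append(f"scope {scopes} lacks {required_scope!r}")

    exp = payload.get("exp")
    if exp is None:
        problems.append("no exp claim")
    elif exp <= now:
        problems.append(f"token expired {int(now - exp)}s ago")

    return problems


def build_sample_token(claims: dict) -> str:
    """Construct a token with an RS256 header and a PLACEHOLDER signature, for local testing only."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "sample-kid"}  # constructed values
    sig = base64.urlsafe_b64encode(b"placeholder-signature").rstrip(b"=").decode()
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.{sig}"


def diagnose(token: str, now: float = None) -> list:
    """Decode a token and list the claim checks it would fail."""
    header, payload = decode_jwt_unverified(token)
    return check_claims(header, payload, now=now)


if __name__ == "__main__":
    # Usage: python jwt_claims_check.py <access_token>; without an argument, a constructed sample is used.
    if len(sys.argv) > 1:
        token, clock = sys.argv[1], None
    else:
        token = build_sample_token({  # constructed sample resembling a Keycloak access token
            "iss": EXPECTED_ISS, "aud": "account", "scope": "openid profile email",
            "exp": SAMPLE_NOW - 60, "preferred_username": "admin"})
        clock = SAMPLE_NOW
    for problem in diagnose(token, now=clock) or ["claims look consistent"]:
        print("-", problem)
```

Two points worth checking with the output in hand: Keycloak only lists a client in `aud` when an audience mapper (or a client role scope) adds it, so an `aud` of just `account` is common and is enough for a resource server to refuse the token; and `iss` must match the issuer the resource server was configured with byte for byte, so a token minted via one hostname (say the realm reached through `localhost`) is rejected by a server configured with another. Signature verification against jwks_uri is deliberately out of scope here; once the claims line up, that is the next thing the server's logs will tell you about.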