Question
· 11 hr ago

IRIS OAuth2 Client - "openid" scope error

I need to connect IRIS to a third-party FHIR server which in turn is connected to Keycloak.

For machine-to-machine communications, client credentials grants should be used. I don't know why exactly but the FHIR server requires access tokens to contain the "openid" scope, otherwise it returns 401 (unauthorized).

If the access token returned by Keycloak contains that scope, IRIS complains about "ERROR #8859: Unsupported response to access token request: OpenID Connect is not supported for password and client credentials grant type". The error is produced by the OAuth2.Response class, line 393:

If openid {
    $$$SysLog(3,"OAuth2","[OAuth2.Response:ProcessParsedResponse]","OpenID Connect is not supported for password and client credentials grant type")
    Set sc=$$$ERROR($$$OAuth2ResponseUnsupported,"OpenID Connect is not supported for password and client credentials grant type")
}

I'm just curious what's the purpose of this check?

Product version: IRIS 2025.1

The error arises because OpenID Connect is only supported by InterSystems IRIS OAuth2 for the authorization code and implicit grant types. According to the system's design, OpenID Connect scopes (like "openid" required by your FHIR server) are not intended to be used with client credentials or password grant types.

This check is implemented to ensure that features specific to OpenID Connect, such as ID tokens, are excluded when using grant types that don't fit its typical use cases. OpenID Connect is primarily used to authenticate users via user interaction, which is not the scenario with client credentials or password grant types. These grant types are designed for machine-to-machine communications where user authentication is not involved [1][2].

Currently, you may need to consult the third-party FHIR and Keycloak server configurations to find a workaround. For information on supported scenarios, please refer to the OAuth 2.0 and OpenID Connect documentation [1][2].

Hi @Dmitrii Baranov, for M2M flows, I don't think the openid scope has any meaning. Openid should only be granted to human end users authenticating and receiving ID tokens at the identity layer.

The IRIS for Health FHIR Server does not require openid scopes for this reason, and system access is based only on OAuth access tokens and SMART scopes (system/*.read, etc.). You might need to verify whether your third-party server can support M2M, since OIDC is defined on authorization code, implicit, and hybrid grant types.
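The following is an added illustration, not code from InterSystems, Keycloak, or either reply above. It shows, in Python, the two things this thread turns on: an OAuth2 client deciding whether a token response is acceptable for a client credentials grant (approximating the `If openid` branch quoted from OAuth2.Response; the assumption that the flag is driven by an `id_token` or an `openid` scope in the response is mine, not taken from the IRIS source), and a FHIR-side view that separates SMART `system/*` scopes from identity-layer scopes such as `openid`. The token responses, realm and client names, and JWTs are all constructed for the example and carry no real signature, so the payload decoder deliberately performs no signature verification and must not be used as-is to trust a token.

```python
"""Added example (not InterSystems or Keycloak code): inspect an OAuth2 token
response the way a client library might, and separate the SMART scopes a FHIR
server authorizes on from identity-layer scopes. Every token and response here
is CONSTRUCTED and unsigned; a real client must verify the JWT signature."""
import base64
import json
import re
from urllib.parse import urlencode

# Grant types for which an ID token / "openid" scope has no defined meaning.
NON_OIDC_GRANTS = {"password", "client_credentials"}

# SMART on FHIR system scopes: system/<Resource or *>.<read|write|*> (v1) or .[cruds]+ (v2).
SMART_SYSTEM_SCOPE = re.compile(r"^system/(?:\*|[A-Z][A-Za-z]+)\.(?:read|write|\*|[cruds]{1,5})$")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_jwt(payload: dict) -> str:
    """Build a CONSTRUCTED JWT with an empty signature (alg none; demo only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_jwt_payload(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(_b64url_decode(parts[1]))


def classify_token_response(resp: dict, grant_type: str) -> tuple[bool, str]:
    """Approximate the 'If openid' branch quoted from OAuth2.Response.
    Assumption (not from the IRIS source): the flag is set when the response
    carries an id_token or lists the openid scope."""
    scopes = resp.get("scope", "").split()
    has_openid = "id_token" in resp or "openid" in scopes
    if grant_type in NON_OIDC_GRANTS and has_openid:
        return False, f"OpenID Connect is not supported for {grant_type} grant type"
    if "access_token" not in resp:
        return False, "token response has no access_token"
    return True, "ok"


def smart_system_scopes(scope_string: str) -> list[str]:
    """Keep only the SMART system/* scopes a FHIR server authorizes M2M access on."""
    return [s for s in scope_string.split() if SMART_SYSTEM_SCOPE.match(s)]


def build_client_credentials_request(token_endpoint: str, client_id: str,
                                     client_secret: str, scopes: list[str]) -> dict:
    """Form a client_credentials token request (client_secret_basic) without openid."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": token_endpoint,
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)}),
    }


# CONSTRUCTED token responses shaped like Keycloak's (hypothetical realm/client names).
M2M_SCOPES = "system/Patient.read system/Observation.read"
RESPONSE_WITH_OPENID = {
    "access_token": make_demo_jwt({"iss": "https://idp.example/realms/demo", "sub": "svc-iris",
                                   "azp": "iris-client", "scope": "openid " + M2M_SCOPES}),
    "id_token": make_demo_jwt({"iss": "https://idp.example/realms/demo", "sub": "svc-iris",
                               "aud": "iris-client"}),
    "token_type": "Bearer", "expires_in": 300, "scope": "openid " + M2M_SCOPES,
}
RESPONSE_M2M = {
    "access_token": make_demo_jwt({"iss": "https://idp.example/realms/demo", "sub": "svc-iris",
                                   "azp": "iris-client", "scope": M2M_SCOPES}),
    "token_type": "Bearer", "expires_in": 300, "scope": M2M_SCOPES,
}

if __name__ == "__main__":
    for name, resp in (("with openid", RESPONSE_WITH_OPENID), ("M2M only", RESPONSE_M2M)):
        ok, why = classify_token_response(resp, "client_credentials")
        claims = decode_jwt_payload(resp["access_token"])
        print(f"{name}: accepted={ok} ({why}); azp={claims['azp']}; "
              f"SMART scopes={smart_system_scopes(claims['scope'])}")
    print(build_client_credentials_request("https://idp.example/realms/demo/protocol/openid-connect/token",
                                           "iris-client", "s3cret", M2M_SCOPES.split())["body"])
```

Run stand-alone, the first constructed response is rejected for the client credentials grant while the second, which carries only SMART system scopes and no ID token, is accepted; the same `openid`-bearing response would pass for an authorization code grant. The request builder shows the shape of a client credentials request that asks only for the `system/*` scopes the FHIR resource server actually enforces.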