Issue configuring OAuth FHIR Client Quickstart with external OAuth server (issuer validation error) - IRIS for Health 2025.1
Hi everyone,
I am trying to configure a FHIR Server to authenticate against an external OAuth server using the OAuth FHIR Client Quickstart, which is available in the newer versions of InterSystems IRIS for Health.
During the configuration process I am encountering an issuer validation error.
I have already verified the issuer URL, and it exactly matches the value returned by the OAuth server’s OpenID configuration endpoint (.well-known/openid-configuration).
Example:
Issuer configured in IRIS: https://login.microsoftonline.com/{tenant-id}/v2.0
Issuer returned by the OpenID configuration: https://login.microsoftonline.com/{tenant-id}/v2.0
Despite this, IRIS still reports an issuer mismatch during the OAuth configuration.
The OAuth provider in this case is Microsoft Entra ID.
While investigating the issue, I checked ^ISCLOG and found the following error, which did not appear in the UI message:
It appears that IRIS is rejecting the discovery response due to an unexpected issuer claim. One detail I noticed is that the issuer returned in the error message seems to contain a trailing period (.) after /v2.0.
I also found a similar issue described in the InterSystems Developer Community:
https://community.intersystems.com/post/discovery-response-not-valid-error
However, it seems that no resolution was provided in that discussion.
At this point, I am wondering if this could be a bug or limitation in IRIS for Health 2025.1, or if there is an additional configuration required when using an external OAuth provider with the OAuth FHIR Client Quickstart.
Has anyone successfully configured this scenario with:
- IRIS for Health 2025.1
- External OAuth server (e.g., Entra ID, Okta, etc.)
- OAuth FHIR Client Quickstart
Any guidance or similar experiences would be greatly appreciated.
Thank you.
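An added diagnostic sketch, not part of the original post and not IRIS's own validation code: OpenID Connect Discovery requires the `issuer` in the discovery document to match the configured issuer exactly, so this compares the two strings and reports where they diverge and whether the difference is only a trailing character, case, or an invisible character. The function name, the placeholder tenant id and the sample discovery document are constructed for illustration.

```python
import json
import unicodedata

def _strip_invisible(s):
    # Drop format/control characters (zero-width space, BOM, CR/LF, ...).
    return "".join(c for c in s if unicodedata.category(c) not in ("Cf", "Cc"))

# Normalisations used only to *explain* a mismatch, never to accept one.
_EXPLANATIONS = [
    ("surrounding whitespace", str.strip),
    ("a trailing '.' or '/'", lambda s: s.rstrip("./")),
    ("letter case", str.lower),
    ("invisible or control characters", _strip_invisible),
]

def diagnose_issuer(configured, discovery_json):
    """Return [] on an exact match, otherwise a list of findings."""
    returned = json.loads(discovery_json).get("issuer")
    if not isinstance(returned, str):
        return ["discovery document has no string 'issuer' member"]
    if configured == returned:
        return []
    # Locate the first offset at which the two strings differ.
    n = min(len(configured), len(returned))
    pos = next((i for i in range(n) if configured[i] != returned[i]), n)
    findings = [f"first difference at offset {pos}: "
                f"configured={configured[pos:pos + 12]!r} "
                f"returned={returned[pos:pos + 12]!r}"]
    for label, normalise in _EXPLANATIONS:
        if normalise(configured) == normalise(returned):
            findings.append(f"values differ only by {label}")
    return findings

# Constructed sample data: placeholder tenant id, not taken from the post.
TENANT = "00000000-0000-0000-0000-000000000000"
ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"
DISCOVERY = json.dumps({"issuer": ISSUER,
                        "jwks_uri": "https://example.invalid/keys"})

if __name__ == "__main__":
    for candidate in (ISSUER, ISSUER + ".", ISSUER + "/", ISSUER + "\u200b"):
        result = diagnose_issuer(candidate, DISCOVERY) or "exact match"
        print(repr(candidate), "->", result)
```

Feeding it the raw body saved from the provider's `.well-known/openid-configuration` endpoint and the issuer string copied from the client configuration shows whether the two values are byte-for-byte identical.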