athenahealth / apiserver-athenaFlex

Software developers can use sample code and documentation to use athenahealth's athenaPractice/athenaFlow FHIR API Server.
https://mydata.athenahealth.com/home

Invalid Client - User Name or Password is Invalid #266

Closed mikeseale closed 1 year ago

mikeseale commented 1 year ago

I'm working with a vendor using the following auth example to connect to my health group's athenaPractice v22 FHIR API: https://apsandbox.fhirapi.athenahealth.com/demoAPIServer/oauth2/token?grant_type=client_credentials&scope=user%2F.

They have replaced apsandbox.fhirapi.athenahealth.com/demoAPIServer with our external facing FHIR API server and database name; however, the user I created for them doesn't authenticate like the example user in the sandbox server. They are getting:

{
    "error": "invalid_client",
    "error_description": "User name or password is invalid"
}

The JBOSS FHIR log shows: ERROR (default task-427 ) [NativeUserAuthorizationService] NUA989W06: Invalid Credentials: Msal Exception

What security permissions need to be setup on this account in my environment for this particular authentication to work? Here is what I have on the account so far:

Torin-Shepard-athena commented 1 year ago

@mikeseale FHIR API calls require a user authenticated by AAD with a corresponding user configured in the local AD used for direct login to athenaPractice/athenaFlow.

AAD is used for authentication. athenaPractice/athenaFlow security permissions are used for authorization and role based access control (RBAC).

Please make sure you create a user account in both AAD and the local system.

ap22sandbox, apsandbox, and other API sandbox machines are configured to use B2B AAD sboxprovetnant.com. hwinston@sboxprovtenant.com and password published at API Access is authenticated by this AAD. hwinston is configured as a user in athenaPractice and granted permissions required to access all supported FHIR resources.

mikeseale commented 1 year ago

@Torin-Shepard-athena I double checked, and we do have this user in AAD and our local AD. I'm confused about B2B AAD for the JBOSS interop (API machine). Is this what the API registration tool does? Or are there additional steps here?

Torin-Shepard-athena commented 1 year ago

@mikeseale API registration tool prompts for global admin user of the desired B2B AAD and configures the AAD to be used by athenaPractice. There should be no additional steps required. Log into portal.azure.com with youruser@yourtenant.com to confirm youruser and its AAD password. It should be possible to use the same credentials to log into Azure portal and authenticate for access through FHIR.

If you're confident in the user credentials, please check app authorization (new starting in V22). Use Dev Portal Dev Center page to mark your app with production status so it can be authorized in athenaPractice/athenaFlow using API App Authorization window (aP Administration / aF Setup) to authorize your application.

mikeseale commented 1 year ago

@Torin-Shepard-athena I double checked credentials and feel confident they are correct after logging in with them on AAD and athenaPractice.

I think I may have found the issue. This KA looks to be the issue I'm running into: https://athenaflex.athenahealth.com/s/article/000110255

The vendor we are working with is bypassing the Dev Portal process and using "Native User" to access the FHIR.

Torin-Shepard-athena commented 1 year ago

@mikeseale I'm thankful you found that KA. Please also review the comments in issue #177. https://github.com/athenahealth/apiserver-athenaFlex/issues/177#issuecomment-889323368 Native user auth workflows using GET and POST are both supported in V22, but the token GET capability will be removed in a future release.

mikeseale commented 1 year ago

@Torin-Shepard-athena Okay, that makes sense. If we want to get them up and running on v22, they need us to install the v22 Service Layer v3 hotfix. However, in the next version of athenaPractice GET will be gone completely and POST will be the only path to getting an access token.

Would you say that is a correct summary of this?

Torin-Shepard-athena commented 1 year ago

@mikeseale Yes that is a correct summary.
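The thread ends with the conclusion that a POST to the token endpoint will be the only supported path, and the opening post shows what an `invalid_client` reply looks like. The following is an added example, not code from this issue or from athenahealth's apiserver-athenaFlex project, showing how a client can build the token request as a POST with nothing secret in the URL, detect the legacy GET-with-credentials pattern in a URL it was handed, and classify the JSON the endpoint sends back (including the exact error body quoted above). Everything beyond the `/oauth2/token` path, the `grant_type=client_credentials` parameter and the quoted error JSON is an assumption: the server hostname is a constructed placeholder, the scope string is a placeholder, and the username/password pair is sent as HTTP Basic auth purely for illustration since this page does not document the athenaPractice native-user field layout.

```python
"""Added example (not athenahealth's code): POST-style OAuth2 token request
and response classification for a token endpoint like the one in this thread.
ASSUMPTIONS (not from the page): the Basic-auth credential layout, the
default scope string and the placeholder server URL."""
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_PATH = "/oauth2/token"  # path taken from the example URL in the thread
# Constructed placeholder; the real external-facing server name is site-specific.
EXAMPLE_BASE_URL = "https://fhir.example-healthgroup.invalid/demoAPIServer"

# Constructed copy of the error body quoted in the opening post.
SAMPLE_INVALID_CLIENT_BODY = json.dumps({
    "error": "invalid_client",
    "error_description": "User name or password is invalid",
})

# Query-string keys that should never carry credentials to a token endpoint.
SECRET_QUERY_KEYS = {"username", "password", "client_secret", "client_id"}


def build_token_request(base_url, username, password, scope="user/*.read"):
    """Describe a POST token request: credentials in an Authorization header,
    grant parameters in the form body, nothing secret in the URL (so it cannot
    end up in access logs or proxy caches the way a GET with credentials can).
    ASSUMPTION: Basic auth over username:password is used here for illustration."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("token endpoint must be reached over HTTPS")
    basic = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + TOKEN_PATH,
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        "body": body,
    }


def credentials_in_query(url):
    """Return the credential-like query keys found in a token URL (sorted),
    i.e. the pattern the legacy GET flow discussed in the thread relies on."""
    query = parse_qs(urlparse(url).query)
    return sorted(k for k in query if k.lower() in SECRET_QUERY_KEYS)


def classify_token_response(status, body_text):
    """Map a token endpoint reply to a (category, detail) tuple so callers can
    distinguish a bad credential/app-authorization problem from other failures."""
    try:
        payload = json.loads(body_text)
    except ValueError:
        return ("malformed", body_text[:80])
    if status == 200 and "access_token" in payload:
        return ("ok", payload.get("token_type", "bearer"))
    err = payload.get("error")
    if err == "invalid_client":
        return ("invalid_client", payload.get("error_description", ""))
    if err:
        return (err, payload.get("error_description", ""))
    return ("unknown", f"HTTP {status}")


def send_token_request(req, timeout=10):
    """Send a request built by build_token_request and classify the reply.
    Makes a real network call, so it is not exercised offline."""
    http_req = urllib.request.Request(
        req["url"], data=req["body"].encode("utf-8"),
        headers=req["headers"], method=req["method"])
    try:
        with urllib.request.urlopen(http_req, timeout=timeout) as resp:
            return classify_token_response(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        return classify_token_response(exc.code, exc.read().decode("utf-8"))


if __name__ == "__main__":
    # Offline walk-through with the constructed placeholder values.
    req = build_token_request(EXAMPLE_BASE_URL, "vendor-user", "placeholder-password")
    print(req["method"], req["url"], "secrets in query:", credentials_in_query(req["url"]))
    print(classify_token_response(401, SAMPLE_INVALID_CLIENT_BODY))
```

Running the module offline prints the POST target with an empty "secrets in query" list and classifies the quoted error body as `invalid_client`; pointing `send_token_request` at a real server requires the site's actual hostname, credentials and scope in place of the placeholders.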