How can I generate a token for Azure FHIR server using PHP? What I want is that the backend/PHP using Guzzle will generate a token that will be used in the auth header to access the FHIR server. I tried this guide https://kvaes.wordpress.com/2016/10/21/azure-using-php-to-go-all-oauth2-on-the-management-api/ , but it will open an Azure Portal login. I wanted it to be able to generate the token seamlessly just like other 3rd party APIs.
- The user will have to log in the first time but after that you can store the token and/or the refresh token in your db. – lufc Jun 30 '19 at 23:41
- Ah ok, so there is no other way to generate the token from the back end? It should be done via the Azure login portal? What if we have 100 users, does it mean that we need to add those into the Azure Active Directory users? – chkm8 Jul 01 '19 at 06:17
- @chkm8 - you might do it without the pop-up login, if the application uses the service principal account in AAD (Azure Active Directory) – Yusubov Jul 01 '19 at 11:51
- Yes, you have to store the tokens. Otherwise anyone could log in as any user. – lufc Jul 01 '19 at 13:46
- @ELYusubov I followed the instructions at https://learn.microsoft.com/en-us/azure/healthcare-apis/register-service-azure-ad-client-app , and though I generated a token, I always get an Authentication failed error. Any idea what I'm missing? – chkm8 Jul 02 '19 at 07:10
- @chkm8 Unfortunately, this is a common issue. Just have a look at my comments below the answer. – Yusubov Jul 03 '19 at 12:52
1 Answer
It is possible to permit access to the back-end service without the AAD login pop-up.
Just look into using a service principal account in AAD (Azure Active Directory).
Here is the set of posts that describe it - How-to guides:
Once you have completed all the steps and have `client_id`, `client_secret` & `resource`, then by pointing to your Azure AD tenant you can obtain a valid token, using Postman or curl:

Yusubov
- I tried to create a service client application and add a permission but I couldn't select the Application Permission option, do you have any idea why that is? – chkm8 Jul 02 '19 at 05:37
- I followed the instructions at https://learn.microsoft.com/en-us/azure/healthcare-apis/register-service-azure-ad-client-app , and though I generated a token, I always get an Authentication failed error. – chkm8 Jul 02 '19 at 07:09
- @chkm8 can you share your token? Usually tokens get issued to a wrong `oid` or `aud`... Look at your token info in https://jwt.ms/ – Yusubov Jul 03 '19 at 12:42
- @chkm8 if you are using the FHIR API - make sure to add your token's `oid` to the Authentication tab of "Allowed object IDs" – Yusubov Jul 03 '19 at 12:49
- Yeah, I was able to fix it. The header response showed invalid_audience, I just updated the audience and also added the oid in the FHIR server. It's working now. Thanks – chkm8 Jul 05 '19 at 18:23
- @chkm8 Glad that it works! Could you update the response, and make this an answer if the instructions helped? – Yusubov Jul 08 '19 at 12:47
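Added example, not code from the thread or from Microsoft: a Guzzle client-credentials request for the service principal described in the answer, plus an offline check of the `aud` and `oid` claims that the comments identify as the cause of the "Authentication failed" error. The tenant, client values, `https://fhir.example.com` and the object IDs are placeholder assumptions, and Guzzle is assumed to be installed via Composer (PHP 7.4+).

```php
<?php
// Added example. Assumes guzzlehttp/guzzle is installed via Composer.
require __DIR__ . '/vendor/autoload.php';
use GuzzleHttp\Client;

// Client-credentials grant against the Azure AD v1 token endpoint: no user, no login page.
function requestToken(Client $http, string $tenant, string $clientId, string $secret, string $resource): string
{
    $response = $http->post("https://login.microsoftonline.com/{$tenant}/oauth2/token", [
        'form_params' => [
            'grant_type'    => 'client_credentials',
            'client_id'     => $clientId,
            'client_secret' => $secret,   // load from a secret store, never from source control
            'resource'      => $resource, // becomes the token's "aud" claim
        ],
    ]);
    $body = json_decode((string) $response->getBody(), true, 512, JSON_THROW_ON_ERROR);
    return $body['access_token'];
}

// Decode the JWT payload for diagnostics only; the signature is NOT verified here.
function tokenClaims(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('not a compact JWT');
    }
    return json_decode(base64_decode(strtr($parts[1], '-_', '+/')), true, 512, JSON_THROW_ON_ERROR);
}

// Reasons the FHIR server would reject the token (empty array = claims look right).
function claimProblems(array $claims, string $expectedAudience, array $allowedObjectIds): array
{
    $problems = [];
    if (($claims['aud'] ?? '') !== $expectedAudience) {
        $problems[] = "aud is '" . ($claims['aud'] ?? '') . "', expected '{$expectedAudience}'";
    }
    if (!in_array($claims['oid'] ?? null, $allowedObjectIds, true)) {
        $problems[] = "oid is not in the FHIR server's allowed object IDs";
    }
    return $problems;
}

// Constructed, unsigned sample token with placeholder values so the check runs offline.
$b64 = fn(array $x) => rtrim(strtr(base64_encode(json_encode($x)), '+/', '-_'), '=');
$payload = ['aud' => 'https://management.azure.com/', 'oid' => '00000000-0000-0000-0000-000000000001'];
$sample = $b64(['alg' => 'none', 'typ' => 'JWT']) . '.' . $b64($payload) . '.sig';
print_r(claimProblems(tokenClaims($sample), 'https://fhir.example.com', ['00000000-0000-0000-0000-000000000001']));
```

In real use, pass the string returned by `requestToken()` to `tokenClaims()` before sending it as the `Authorization: Bearer` header, and treat the token and client secret as credentials that stay out of logs.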