
I have deployed and configured Azure API for FHIR using this link - https://learn.microsoft.com/en-gb/azure/healthcare-apis/tutorial-web-app-fhir-server

Using Postman I am able to successfully insert patient information into the FHIR server.

To automate it I am using Python and the client service flow.

    import logging
    import requests

    log = logging.getLogger(__name__)

    # azure_app_tenant_id, azure_app_client_id, azure_app_client_secret and
    # fhir_endpoint_url are module-level settings defined elsewhere in the script.

    def get_access_token(self):
        token_url = 'https://login.microsoftonline.com/{}/oauth2/v2.0/token'.format(azure_app_tenant_id)

        token_data = {
            'grant_type': 'client_credentials',
            'client_id': azure_app_client_id,
            'client_secret': azure_app_client_secret,
            # v2.0 endpoint: ask for the FHIR server's default scope
            'scope': fhir_endpoint_url + "/.default",
        }

        log.info("Retrieving Access Token")
        token_r = requests.post(token_url, data=token_data)
        if token_r.status_code == 200:
            log.info("Access Token Retrieved Successfully")
        else:
            raise Exception("Error retrieving access token")

        access_token = token_r.json()["access_token"]
        # Debug print only: this writes a bearer credential to stdout/logs.
        print(access_token)
        return access_token

I am able to get an access token using get_access_token. However, when I use the access_token and insert a patient record, it throws an Authorization Failed - 403 error.

    def insert_patient_record(self, payload):
        log.info("Inserting Patient Record")
        headers = {
            'Authorization': 'Bearer {}'.format(self.get_access_token()),
            'Content-Type': 'application/json'
        }

        response = requests.request("POST", fhir_endpoint_url, headers=headers, data=payload)
        print("Response Code: ", response.status_code)
        # A FHIR create returns 201 Created on success, so accept 201 as well as 200.
        if response.status_code in (200, 201):
            log.info("Patient Record inserted Successfully")
        else:
            print("Response Text: ", response.text)
            raise Exception("Error inserting patient record")

Response Text:  {"resourceType":"OperationOutcome","id":"24515888da8e954da1e763d96193155b","issue":[{"severity":"error","code":"forbidden","diagnostics":"Authorization failed."}]}

Note: In the FHIR-Server Authentication section, I have added the Object ID of the registered app which I earlier created in AAD.


1 Answer


It looks like you have not added the (correct) object id of the registered application. Importantly, the application registration has an object id, but so does the service principal. It is the application id for the service principal you are looking for.

Check instructions here:

https://learn.microsoft.com/en-us/azure/healthcare-apis/find-identity-object-ids

You can find the service principal object id with PowerShell:

    $(Get-AzureADServicePrincipal -Filter "AppId eq 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'").ObjectId

or the Azure CLI:

    az ad sp show --id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX | jq -r .objectId

I would also recommend pasting your token into something like https://jwt.ms and looking at the oid claim. Is that the object id you added?

  • I ran the above mentioned command and added the object id under Azure API For FHIR -> Authentication section. With jwt.ms I also confirmed that the id which I added and the oid which is in the retrieved token are the same. However, I am still getting the authentication error. – srinath Apr 21 '20 at 09:37
  • I am not sure what fixed it. I removed everything and created a new setup, added the Oid as you mentioned above and it's working now. – srinath Apr 21 '20 at 15:12
  • I don't think it's a good idea to request an access token every time. Do you know if there is a way to check if the access_token is expired or not? – srinath Apr 21 '20 at 15:12
  • The token response, i.e. the object that you pull the `access_token` field out of, also has fields for expiration time. The usual pattern is to have some kind of cache: you go to the cache for the token and if it is expired you request a new token. You are right, you should not get a new one every time. – MichaelHansen Apr 21 '20 at 21:32
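Two things from this thread lend themselves to a worked example: the answer's advice to inspect the `oid` claim of the token and compare it with the object id configured on the FHIR server, and the comment discussion about caching the token and refreshing it only when the `expires_in` lifetime from the token response has run out. The following Python is an added example, not code from the question or the answer. The token format, claim names (`oid`, `exp`) and the `access_token` / `expires_in` fields of the token response are standard Azure AD v2.0 behaviour; the demo token builder, the `TokenCache` class, the fake clock and the sample object ids are constructed for this example. `azure_client_credentials_fetch` reproduces the question's token request with the same `requests` call (the `requests` package is only needed if you use it; the offline demo does not).

```python
import base64
import json
import time
from typing import Callable, Dict, Optional


def _b64url(data: bytes) -> str:
    """base64url encoding without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_demo_token(oid: str, expires_at: int) -> str:
    """Build an UNSIGNED demo JWT (constructed sample data, alg 'none').

    It exists only so this example runs offline; no real resource would
    accept it, and it is never used to make an authorization decision here."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "oid": oid, "exp": expires_at, "aud": "https://fhir.example.invalid"
    }).encode())
    return f"{header}.{payload}."


def decode_jwt_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    This is the same diagnostic view jwt.ms gives you; the signature is checked
    by the resource server, not by the client, so never trust these claims for
    access control."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def oid_matches(token: str, allowed_object_id: str) -> bool:
    """True if the token's oid claim equals the object id allowed on the FHIR server."""
    return decode_jwt_claims(token).get("oid") == allowed_object_id


class TokenCache:
    """Caches a client-credentials token and refreshes it shortly before expiry.

    fetch() must return the token endpoint's JSON body ('access_token',
    'expires_in' in seconds). skew_seconds refreshes a little early so a token
    is never presented when it is about to expire in transit."""

    def __init__(self, fetch: Callable[[], Dict], clock: Callable[[], float] = time.time,
                 skew_seconds: int = 60):
        self._fetch = fetch
        self._clock = clock
        self._skew = skew_seconds
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0  # how many times the token endpoint was called

    def get_token(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            body = self._fetch()
            self.fetch_count += 1
            self._token = body["access_token"]
            self._expires_at = now + int(body["expires_in"])
        return self._token


def azure_client_credentials_fetch(tenant_id: str, client_id: str, client_secret: str,
                                   fhir_endpoint_url: str) -> Callable[[], Dict]:
    """Return a fetch() callable doing the question's token request (parameter names assumed)."""
    import requests  # imported lazily so the offline demo does not require it
    token_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    data = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": fhir_endpoint_url + "/.default"}

    def fetch() -> Dict:
        r = requests.post(token_url, data=data, timeout=30)
        r.raise_for_status()
        return r.json()  # contains access_token, expires_in, token_type
    return fetch


if __name__ == "__main__":
    # Offline demo: a fake clock and a fake token endpoint (constructed values).
    fake_now = [1000.0]
    allowed_oid = "aaaaaaaa-0000-0000-0000-000000000001"

    def fake_fetch() -> Dict:
        return {"access_token": make_demo_token(allowed_oid, int(fake_now[0]) + 3600),
                "expires_in": 3600}

    cache = TokenCache(fake_fetch, clock=lambda: fake_now[0])
    tok = cache.get_token()
    print("oid in token matches configured object id:", oid_matches(tok, allowed_oid))
    fake_now[0] += 3600
    cache.get_token()
    print("token endpoint calls after one expiry:", cache.fetch_count)
```

In real use, construct `TokenCache(azure_client_credentials_fetch(...))` once and call `get_token()` from `insert_patient_record`; the endpoint is only contacted when the cached token is within `skew_seconds` of expiring. `oid_matches` is a troubleshooting aid for the 403 in the question: if it returns `False` for the object id you entered under Authentication, you configured the application registration's object id rather than the service principal's.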