I have spun up an Azure service for FHIR. I want to use it with a .NET Core API and I want to control the authentication and authorization inside the API. I haven't found an example where I can authenticate the web API in Azure without prompting for username and password, using client ID, client secret and tenant ID. And also regarding authorization, is there a way to restrict a tenant to only access a certain group of patients with FHIR?
-
What do you mean `without prompting for username and password with clientid, client secret and tenantID`? You mean you don't want to use all of them to auth or just use `clientid, client secret and tenantID` to auth? – Joy Wang Jul 29 '20 at 07:18
-
@JoyWang I don't want to answer a prompt, I want to use anything that will get me a token through API. – Ponnapally Jul 29 '20 at 09:06
-
what client app do you want to use? confidential or public or service client application? – Joy Wang Jul 29 '20 at 09:18
-
@JoyWang For now, it is just the API that I am working on, API will have all the configurations in json for getting the token from azure AD and getting data from FHIR. I would expose the API for client applications to access. – Ponnapally Jul 29 '20 at 10:08
-
@Abhijithponnapally check the client credential flow within OAuth 2.0, here you have code samples from Microsoft: https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2 Read also about the right Azure AD model: simple Azure AD, Azure AD B2B or Azure AD B2C. – Luke Duda Jul 29 '20 at 20:39
1 Answer
You can use Azure Active Directory client credentials flow to obtain a token to access the Azure API for FHIR. In order to do this, you will need to register a service client in Azure AD. Once you have a service client application (and a secret), you can obtain a token from Azure AD with something like:
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
with the following fields in the payload:
client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
&scope=https://<myfhirservice>.azurehealthcareapis.com/.default
&client_secret=abcdef1234
&grant_type=client_credentials
You can then present that token to the FHIR API with the Authorization: Bearer xwy... header field.
The service principal associated with the service client application has to be granted access to the FHIR API. It is recommended that you set that up using Azure RBAC configuration, but if you are using a different tenant from the one associated with your Azure Subscription, you will need to do local RBAC configuration.
At the moment there is no way to do "granular" access control (e.g. only certain patients). It is recommended that you implement such logic using an API management service such as Azure API Management or similar.
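The client credentials flow from the answer, written out as an added .NET Core example (this is not code from the original post or from Microsoft's samples). It assumes the Microsoft.Identity.Client (MSAL) NuGet package, and that the tenant ID, client ID, client secret and FHIR service URL are placeholders supplied from configuration rather than hard-coded:

```csharp
// Added example: obtain a token with the client credentials flow (no user prompt)
// and call the Azure API for FHIR with it. Values passed to the constructor are
// assumed to come from configuration or a secret store; never embed the secret.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public sealed class FhirClient
{
    private readonly IConfidentialClientApplication _app;
    private readonly HttpClient _http;
    private readonly string[] _scopes;

    public FhirClient(string tenantId, string clientId, string clientSecret, string fhirBaseUrl)
    {
        // Confidential client: the API itself holds the secret, so no interactive login is needed.
        _app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"))
            .Build();

        // The /.default scope requests the application permissions already granted
        // to this service principal on the FHIR resource (the same scope as the answer's POST).
        _scopes = new[] { $"{fhirBaseUrl.TrimEnd('/')}/.default" };
        _http = new HttpClient { BaseAddress = new Uri(fhirBaseUrl.TrimEnd('/') + "/") };
    }

    public async Task<string> GetPatientAsync(string patientId)
    {
        // MSAL caches the access token in memory and only contacts Azure AD when it is near expiry.
        AuthenticationResult result = await _app.AcquireTokenForClient(_scopes).ExecuteAsync();

        using var request = new HttpRequestMessage(HttpMethod.Get, $"Patient/{Uri.EscapeDataString(patientId)}");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/fhir+json"));

        using HttpResponseMessage response = await _http.SendAsync(request);
        // A 401 or 403 here usually means the service principal has not been given a FHIR role (RBAC).
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```

Any per-tenant patient filtering has to sit in front of this call (for example in API Management, as the answer suggests), since the token itself only carries the roles granted to the service principal.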