
Everything works great with Postman and authorization_code grant. But I am trying to connect to FHIR with client_credentials flow, meaning no UI.

I am calling the url https://login.microsoftonline.com/xxxxxxxx-c9a9-4be5-a9f7-xxxxxxxxxxxx/oauth2/v2.0/token with the parameters:

grant_type: client_credentials
client_id: [my fhir application ID]
scope: https://[myCompany].azurehealthcareapis.com/.default
client_secret: [mySecret]

With that, I get back a token:

{
    "token_type": "Bearer",
    "expires_in": 3599,
    "ext_expires_in": 3599,
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyIsImtpZCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyJ9.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.QMHS5OoWYflq30owYolvwzDkRJm4sG29G11Z_Qct_pPuj_ULm6hR4vC_jydqsq7eDFGxA1wb_Y8hJXVKTHBu1ij9_SKSlKhNZ6KmkqrvOhTaADFGw36albKNgII_xzA-gmeAOKQuKX9Q9wZmPfJETx5NJuJnG1qAnexvhQkhMv8AgiznnU9VbaIoAAvObHx9E5Pb5nesSmOhVwMxZRjBrTHqz9ryFUDYq3Pciuz6HvVF7ro9IijUg9d8r2da8HuXGXvZiJXkfiEW6OuR1RLv9QDol6WjAOKTB12q07iFFgDL0UTinWLY--3dn0raVyd7ZtT_yzLNRZ9iqX_XXXXX"
}

Now when I call the url https://[myCompany].azurehealthcareapis.com/Patient I get a 401 response.

{
    "resourceType": "OperationOutcome",
    "id": "114e91311cbd11458e3d3284db6c9826",
    "issue": [
        {
            "severity": "error",
            "code": "login",
            "diagnostics": "Authentication failed."
        }
    ]
}

This is what I have for API permissions:

[screenshot of the app registration's API permissions]

Chris Auer
    Can you update your post with the full request to https://[myCompany].azurehealthcareapis.com/Patient ? If you were getting "code: forbidden", I'd say look at the FHIR RBAC configuration (https://learn.microsoft.com/en-us/azure/healthcare-apis/fhir/configure-azure-rbac), but the "code: login" suggests the access_token isn't being accepted (even though the claims look fine in token.payload). – rmharrison May 28 '21 at 22:45
  • @rmharrison For the /Patient, there is no configuration other than the Authorization header and the Bearer token. I am using Azure RBAC and I feel like I am missing something between App Registration and my Fhir service. Something like I need to give access rights to the Api Services I have configured. Using RBAC I try and search for Fhir-Service-Client, but it's not in the directory. https://learn.microsoft.com/en-us/azure/healthcare-apis/fhir/register-service-azure-ad-client-app. – Chris Auer May 28 '21 at 23:10
  • I updated my Api Server so the API url matches the Fhir url https://[myCompany].azurehealthcareapis.com, and now I get a 403 - forbidden. It's different, I guess. – Chris Auer May 28 '21 at 23:25

1 Answer

On the FHIR service, select Access control (IAM) from the left menu (if you are using Azure RBAC).

From there, click on Role Assignments.

Then search for your App Registration.

This allows your app to have permissions to the FHIR service outside of those of the logged-in users.

Chris Auer
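An added diagnostic in Python (not code from the question or the answer) that separates the two failures seen above: it decodes the token's aud claim without validating the token, and maps the FHIR OperationOutcome to "token not accepted" (401, code login) versus "no role assignment" (403, forbidden). The FHIR URL is a placeholder, and unsigned_token only builds constructed tokens for offline checks.

```python
import base64
import json
import urllib.error
import urllib.request

# Constructed placeholder; substitute the FHIR service URL the scope/.default was requested for.
FHIR_URL = "https://example.azurehealthcareapis.com"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unsigned_token(payload: dict) -> str:
    """Build a header.payload.sig string for offline tests only; it carries no real signature."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.sig"

def jwt_payload(token: str) -> dict:
    """Decode the payload segment only: this inspects claims, it does not validate the token."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def audience_matches(token: str, fhir_url: str = FHIR_URL) -> bool:
    """An aud that is not the FHIR service URL is one cause of the 401 'login' outcome."""
    return jwt_payload(token).get("aud", "").rstrip("/") == fhir_url.rstrip("/")

def classify_outcome(status: int, outcome: dict) -> str:
    """Map the HTTP status and OperationOutcome issue codes to the layer that rejected the call."""
    codes = {issue.get("code") for issue in outcome.get("issue", [])}
    if status == 401 or "login" in codes:
        return "token not accepted: check the aud claim, scope and token endpoint"
    if status == 403 or "forbidden" in codes:
        return "token accepted but no role: add a role assignment for the app under IAM"
    return "ok" if status < 400 else f"unexpected status {status}"

def call_patient(access_token: str) -> tuple[int, dict]:
    """GET /Patient with the bearer token; returns (status, body) without raising on 401/403."""
    req = urllib.request.Request(f"{FHIR_URL}/Patient",
                                 headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")
```

Run classify_outcome on the (status, body) pair returned by call_patient with a real access token; only the offline helpers are exercised below.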