Tags: azure, hl7-fhir, fhir-server-for-azure

403 - Authorization Error - OAuth2.0 - Access Token - Azure Api For Fhir


I have deployed and configured Azure API for FHIR using this link - https://learn.microsoft.com/en-gb/azure/healthcare-apis/tutorial-web-app-fhir-server

Using Postman I am able to successfully insert patient information into the fhir-server.

To automate it I am using Python and the client service flow.

    import logging
    import requests

    log = logging.getLogger(__name__)

    # azure_app_tenant_id, azure_app_client_id, azure_app_client_secret and
    # fhir_endpoint_url are read from configuration elsewhere in the module.

    def get_access_token(self):
        # v2.0 token endpoint of the tenant that owns the app registration
        token_url = 'https://login.microsoftonline.com/{}/oauth2/v2.0/token'.format(azure_app_tenant_id)

        # client credentials grant; the scope is the FHIR server URL plus /.default
        token_data = {
            'grant_type': 'client_credentials',
            'client_id': azure_app_client_id,
            'client_secret': azure_app_client_secret,
            'scope': fhir_endpoint_url + "/.default",
        }

        log.info("Retrieving Access Token")
        token_r = requests.post(token_url, data=token_data)
        if token_r.status_code == 200:
            log.info("Access Token Retrieved Successfully")
        else:
            raise Exception("Error retrieving access token: {}".format(token_r.text))

        # note: this writes the raw bearer token to stdout
        print(token_r.json()["access_token"])
        return token_r.json()["access_token"]

I am able to get an access token using get_access_token. However, when I use the access_token to insert a patient record, it throws an Authorization Failed - 403 error.

    def insert_patient_record(self, payload):
        log.info("Inserting Patient Record")
        headers = {
            'Authorization': 'Bearer {}'.format(self.get_access_token()),
            'Content-Type': 'application/json'
        }

        response = requests.request("POST", fhir_endpoint_url, headers=headers, data=payload)
        print("Response Code: ", response.status_code)
        # a FHIR create normally answers 201 Created, so accept 201 as well as 200
        if response.status_code in (200, 201):
            log.info("Patient Record inserted Successfully")
        else:
            print("Response Text: ", response.text)
            raise Exception("Error inserting patient record")

    Response Text:  {"resourceType":"OperationOutcome","id":"24515888da8e954da1e763d96193155b","issue":[{"severity":"error","code":"forbidden","diagnostics":"Authorization failed."}]}

Note: In the FHIR-Server Authentication section, I have added the Object ID of the registered app which I earlier created in AAD.


Solution

  • It looks like you have not added the (correct) object id of the registered application. Importantly, the application registration has an object id, but so does the service principal. It is the application id for the service principal you are looking for.

    Check instructions here:

    https://learn.microsoft.com/en-us/azure/healthcare-apis/find-identity-object-ids

    You can find the service principal object id with PowerShell:

    $(Get-AzureADServicePrincipal -Filter "AppId eq 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'").ObjectId
    

    or the Azure CLI:

    az ad sp show --id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX | jq -r .objectId
    

    I would also recommend pasting your token into something like https://jwt.ms and looking at the oid claim. Is that the object id you added?
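The check the answer recommends (inspect the token's oid claim and compare it with the object id registered on the FHIR server) can be done locally instead of pasting a bearer token into a web page. The script below is an added example, not code from the question or the answer: it builds the same client-credentials request the question uses, decodes the token payload without verifying the signature (inspection only, like jwt.ms), and reports whether `oid` matches the registered object id and whether `aud` matches the FHIR endpoint. The JWT, the URL and the ids in it are constructed placeholders; the assumption that `aud` equals the FHIR server URL is mine, not stated on the page.

```python
"""Client-credentials token retrieval and local 403 diagnosis for Azure API for FHIR.

Added example, not part of the original question or answer. The sample token
and identifiers below are constructed placeholders, not real values.
"""
import base64
import json
import urllib.parse
import urllib.request


def build_token_request(tenant_id, client_id, client_secret, fhir_endpoint_url):
    """Return (token_url, form_body) for the v2.0 client-credentials grant.

    The scope is the FHIR server URL plus /.default, exactly as the question does.
    """
    token_url = "https://login.microsoftonline.com/{}/oauth2/v2.0/token".format(tenant_id)
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": fhir_endpoint_url.rstrip("/") + "/.default",
    }
    return token_url, urllib.parse.urlencode(form).encode()


def fetch_access_token(tenant_id, client_id, client_secret, fhir_endpoint_url, timeout=10):
    """POST the grant and return the access token; the token is never printed or logged."""
    url, body = build_token_request(tenant_id, client_id, client_secret, fhir_endpoint_url)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT without verifying its signature.

    This is only for inspection (the local equivalent of jwt.ms); never use the
    result to make an authorization decision, because nothing here checks the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_403(token, registered_object_id, fhir_endpoint_url):
    """Compare the token's identity claims with what the FHIR server is configured to allow.

    A 403 whose OperationOutcome says 'Authorization failed.' usually means the oid
    in the token (the service principal's object id) is not the id entered on the
    FHIR server's Authentication blade. The aud check (assumed: aud is the FHIR URL)
    catches a token minted for a different resource.
    """
    claims = decode_jwt_claims(token)
    oid = claims.get("oid")
    aud = claims.get("aud")
    return {
        "oid": oid,
        "aud": aud,
        "oid_matches_registered": oid == registered_object_id,
        "aud_matches_fhir_url": aud is not None and aud.rstrip("/") == fhir_endpoint_url.rstrip("/"),
    }


def make_sample_token(claims):
    """Build a sample JWT with a fake signature, for offline demonstration only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "fake-signature"])


# Constructed placeholders (not real identifiers).
FHIR_URL = "https://example-fhir.azurehealthcareapis.com"
SP_OBJECT_ID = "00000000-0000-0000-0000-00000000aaaa"   # service principal object id
APP_OBJECT_ID = "00000000-0000-0000-0000-00000000bbbb"  # app registration object id

# A token minted for the service principal: its oid is the id the FHIR server must list.
SAMPLE_TOKEN = make_sample_token({"aud": FHIR_URL, "oid": SP_OBJECT_ID})


if __name__ == "__main__":
    # Registering the app registration's object id instead of the service
    # principal's reproduces the mismatch behind the question's 403.
    print(diagnose_403(SAMPLE_TOKEN, APP_OBJECT_ID, FHIR_URL))
    print(diagnose_403(SAMPLE_TOKEN, SP_OBJECT_ID, FHIR_URL))
```

To use it against a real token, call `fetch_access_token(...)` with the same tenant, client id, secret and FHIR URL the question's `get_access_token` uses and pass the result to `diagnose_403` together with the object id you entered on the FHIR server; `oid_matches_registered: False` is the symptom the answer describes, and `aud_matches_fhir_url: False` means the scope was built for a different resource.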