
Azure FHIR Proxy using Postman - 401 You do not have permission to view this directory or page

I have set up an instance of Azure FHIR with an Azure FHIR proxy using this tutorial:

https://github.com/microsoft/health-architectures/tree/master/FHIR/FHIRProxy##configuration

I am unable to call the proxy without getting the following error message:

You do not have permission to view this directory or page.

Headers

I have created a token successfully using the following tutorial:

https://docs.microsoft.com/en-us/azure/healthcare-apis/access-fhir-postman-tutorial

I have created an app service principal in Azure with the permissions to access the FHIR proxy:

https://func-fhir-proxy-2.azurewebsites.net

I am generating the token using the following in postman:

Auth URL: https://login.microsoftonline.com/e34c8e67-182a-4085-9dc0-39a38dddea12/oauth2/authorize/?resource=https://func-fhir-proxy-2.azurewebsites.net

Access Token URL: https://login.microsoftonline.com/e34c8e67-182a-4085-9dc0-39a38dddea12/oauth2/token

Client ID: 4d138742-44c0-42cb-9878-8647a1d2ef17

Client Secret: Well..that's a secret!

Scope: openid profile

State: 12345

Postman authentication token settings

Postman returns 3 tokens: Access_token, Refresh_token, Id_token.

I have tried each token and all return the same 401 error.

ID token JWT looks like this:

JWT

I have tried calling the FHIR proxy APIs; due to the tutorial I am not 100% sure which are the correct URLs:

https://func-fhir-proxy-2.azurewebsites.net/api/fhirproxy/Patient

https://fhir-test-apis.azurehealthcareapis.com/Patient/

None of this works, I just keep getting the same error. Does anyone know what I am doing wrong? Should I be calling the FHIR proxy API using the token? If so, why is the API not letting me in?

The link ending with ".../api/fhirproxy/Patient" is correct for the proxy deployment.

I'd suggest that you do a quick test that you can access the FHIR API without the proxy. You can use the existing deployment and follow instructions at https://docs.microsoft.com/en-us/azure/healthcare-apis/access-fhir-postman-tutorial.

Once you get that working, test the FHIR API with the proxy. You can start with the proxy that has its security disabled (the FHIR API still requires security and you cannot disable it). Once you get that working, you can enable the proxy's security.

Since the proxy is a web app acting as a proxy, you will need two sets of credentials: one set for the FHIR API itself, which you specify in the proxy app, and one set for the proxy web app, which you specify in your client app, e.g. Postman or curl.

The reason for the error is actually very simple: you are using the wrong scope.

Usually the 401 error means that the audience of your token does not match your API. When you use the token to call the API, you will receive a 401 unauthorized error. The access token is issued based on the audience, so you must make sure to set the scope to your API when you request the token. Of course you can also parse the token, check the aud claim, and make sure it is the API you want to call.

Therefore, according to your requirements, try to change the scope to: https://func-fhir-proxy-2.azurewebsites.net/.default

By the way, if you want to call the API, you should use the access token instead of the refresh token or the ID token.
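The `aud` check suggested in the answer above can be done offline with a few lines of Python. This is an added example, not part of the original answers: the function names are hypothetical, the two sample tokens are constructed and unsigned, and the all-zero GUID is a placeholder for a client ID.

```python
import base64
import json


def decode_jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only,
    never use this to make an authorization decision)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(token: str, expected_aud: str) -> bool:
    """True if the token's aud claim names the API that is about to be called."""
    aud = decode_jwt_claims(token).get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    return expected_aud in audiences


def _make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Audience the proxy is expected to accept (URL taken from the question).
PROXY = "https://func-fhir-proxy-2.azurewebsites.net"
# Constructed samples: an ID token is addressed to the client app itself,
# an access token to the API it was requested for.
ID_TOKEN_LIKE = _make_sample_token({"aud": "00000000-0000-0000-0000-000000000000"})
ACCESS_TOKEN_LIKE = _make_sample_token({"aud": PROXY})

if __name__ == "__main__":
    for name, tok in [("id_token-like", ID_TOKEN_LIKE),
                      ("access_token-like", ACCESS_TOKEN_LIKE)]:
        aud = decode_jwt_claims(tok)["aud"]
        print(f"{name}: aud={aud} matches proxy: {audience_matches(tok, PROXY)}")
```

Paste a real token in place of the samples to see which audience it was issued for before sending it to the proxy.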

I managed to fix the issue. I found that the resource ID was needed in the auth URL:

Access token URL

This can be obtained from Enterprise Applications:

Getting the resource ID from Enterprise Applications

Also, creating two separate app registrations:

Two separate app registrations
