Configure Azure Health External Identity Providers

Lodewijk Sioen 20 Reputation points
2024-06-20T14:24:08.0066667+00:00

According to the documentation it should be possible to bring our own Identity Provider as long as we can build a correct JWT token.

This is how the provider is configured in the portal:

  • Authority Field: https://[redacted].azurewebsites.net
    • Client ID: sandbox-ls
    • Audience: api-m2m

This is how my (decoded) token looks like:

{
  "alg": "RS256",
  "kid": "717BA263BF10CE3AD327817F9E3C1E11",
  "typ": "at+jwt"
}.{
  "nbf": 1718878423,
  "exp": 1718882023,
  "iss": "https://[redacted].azurewebsites.net",
  "aud": "api-m2m",
  "client_id": "33c7aa88-e639-427a-86be-160f684aa8d7",
  "azp": "sandbox-ls",
  "roles": "smartUser",
  "tenant": "local",
  "scp": "system/*.read",
  "jti": "68B004F13DB528D57BAF1FA0ADB61B23",
  "iat": 1718878423
}.[Signature]

However, I keep getting the following response:

HTTP/1.1 403 Forbidden

{
  "resourceType": "OperationOutcome",
  "id": "edcd3518cdd00773b8d23ae8e0433ba6",
  "meta": {
    "lastUpdated": "2024-06-20T10:16:19.663928+00:00"
  },
  "issue": [
    {
      "severity": "error",
      "code": "forbidden",
      "diagnostics": "Authorization failed."
    }
  ]
}

What am I doing wrong in creating my token? Why is it not valid for the FHIR service? If run the open source version on my machine, the token is accepted and everything works.

Azure Health Data Services
Azure Health Data Services
An Azure offering that provides a suite of purpose-built technologies for protected health information in the cloud.
166 questions
0 comments No comments
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.