Authenticate to FHIR API without manually requesting an access token

Domien Van Steendam 45

My app is hosted on Azure and has a corresponding service principal enabled. Currently my app gets 401 whenever it sends requests to FHIR API, simply because I didn't add any authentication in my app.

How can I easily integrate Azure AD with my app so that it can make succesfull requests to FHIR API?

I do not want to deal with client secret properties in my app. I simply want to identify my app with new DefaultAzureCredential() and request tokens from there.

For example, I wish to simply use DefaultAzureCredential.GetToken(), this would not require any code changes despite the app running locally or in production environment.

Another example which would be ideal (for storage instead of FHIR)

new BlobServiceClient(
        new Uri($"https://{accountName}.blob.core.windows.net"),
        new DefaultAzureCredential());

MuthuKumaranMurugaachari-MSFT 22,151 Reputation points

2023-06-29T14:07:59.56+00:00

Domien Van Steendam Can you share more info about the app that is hosted in Azure (Azure App Service, Azure Functions or other) and how do you call FHIR service (code snippet, config etc.)?

Based on your description, the app supports managed identities (Services supporting managed identities) and make sure to assign RBAC roles such as FHIR Data Reader, FHIR Data Writer, FHIR Data Contributor for the identity when calling FHIR. Using Azure.Identity, you can connect to FHIR service endpoint as described in Managed identity support.

For example, in case of App Services/Functions, follow https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal#net-example. If you still face the issue, share the full error message, request ID/timestamp if possible.
Domien Van Steendam 45 Reputation points

2023-06-29T14:40:45.5933333+00:00
Hi Mr Muthu

Thank you for your response. Our back-end is indeed an Azure App Service. I can also succesfully create a Credential object using DefaultAzureCredential & managed identities.

Now, having this credential class, I wish to send requests to the FHIR API.

Currently I am using the FhirClient class from the Firely SDK , but I do not immediately see a way how and where I can use my previously created credential class to this FhirClient. I can send requests like this but of course I get a 401 Unauthenticated as a response

using Hl7.Fhir.Model; using Hl7.Fhir.Rest; FhirClient client = new FhirClient("https://televitastest2.azurehealthcareapis.com"); var resourceUrl = $"Patient/5c0e1382-d234-4841-afab-b16c07926a22"; var patient = client.Read<Patient>(resourceUrl); // Response: 401 Unauthenticated

Domien Van Steendam 45

I finally got it working like this. This code should work for both local and the (Azure-hosted) dev & prod environments using managed identities.

AccessToken x = await new DefaultAzureCredential().GetTokenAsync(new TokenRequestContext(
                    scopes: new[] { "https://myFhirApi.azurehealthcareapis.com/.default" }
                    ));
FhirClient client = new FhirClient("https://myFhirApi.azurehealthcareapis.com");
client.OnBeforeRequest += (object sender, BeforeRequestEventArgs e) =>
 {
  // Replace with a valid bearer token for the server
  e.RawRequest.Headers.Add("Authorization", "Bearer " + x.Token);
 };

It would be great, though, if Firely and Azure Identity SDK would integrate such that code would simply look like new FhirClient(myFhirApi, new AzureDefaultCredential())

Accepted answer

MuthuKumaranMurugaachari-MSFT 22,151 Reputation points

2023-06-29T15:33:02.3166667+00:00

Domien Van Steendam Thanks for sharing the additional details. Since you already know how to use DefaultAzureCredential in Azure App Service (DefaultAzureCredential.GetToken() to retrieve the access token), I will focus on Firely SDK part of the question.

Looking at the code snippet, it appears Authorization header was not added to FhirClient class and hence error 401 Unauthenticated was thrown. Check out Message Handlers doc and you would need to add a custom handler to FhirClient which should add Authorization before making the request. The doc has a code snippet to specifically add Authorization header and you can also add additional headers if needed.

If you have any more questions about the usage of firely-net-sdk, I suggest you posting it in repo: Issues and for Discussions. I hope this helps and let me know if you have any questions.

If you found the answer to your question helpful, please take a moment to mark it as "Yes" for others to benefit from your experience. Or simply add a comment tagging me and would be happy to answer your questions.
Please sign in to rate this answer.

1 person found this answer helpful.
Domien Van Steendam 45 Reputation points

2023-06-29T17:42:41.13+00:00

I finally got it working like this. This code should work for both local and the (Azure-hosted) dev & prod environments using managed identities.

AccessToken x = await new DefaultAzureCredential().GetTokenAsync(new TokenRequestContext( scopes: new[] { "https://myFhirApi.azurehealthcareapis.com/.default" } )); FhirClient client = new FhirClient("https://myFhirApi.azurehealthcareapis.com"); client.OnBeforeRequest += (object sender, BeforeRequestEventArgs e) => { // Replace with a valid bearer token for the server e.RawRequest.Headers.Add("Authorization", "Bearer " + x.Token); };

It would be great, though, if Firely and Azure Identity SDK would integrate such that code would simply look like new FhirClient(myFhirApi, new AzureDefaultCredential())

MuthuKumaranMurugaachari-MSFT 22,151 Reputation points

2023-06-29T17:47:11.8666667+00:00

Domien Van Steendam Glad that you got it working. Thanks for sharing the code snippet :)
Sign in to comment

Authenticate to FHIR API without manually requesting an access token

0 additional answers