Azure-docs: how to use bearer token

Created on 8 Dec 2019 · 16 comments · Source: MicrosoftDocs/azure-docs

I copied the bearer token provided from the instructions in this page, then went to Postman. Confirmed I could get a GET response from /metadata - all good.
Then tried /Patient while using bearer token authentication and copying this bearer token received from this page into Postman. Still got:

    "issue": [
      {
        "severity": "error",
        "code": "login",
        "diagnostics": "Authentication failed."
      }
    ]

Do you have instructions on using this bearer token with Postman? The instructions in the next tutorial "Access FHIR API using Postman" do not cover using a bearer token.


Labels: Pri2 cxp fhisubsvc healthcare-apisvc product-question triaged

All 16 comments

Please check the response headers. You likely have one of two problems:

  1. You are getting return code 401 and a header of invalid audience. In that case, you need to ask for a token for the "audience" that your FHIR server has been configured with.
  2. You are getting a return 403, which means that the object id of your user (the oid claim in your token, which you can inspect with something like https://jwt.ms) is not in your list of allowed object ids (https://docs.microsoft.com/en-us/azure/healthcare-apis/find-identity-object-ids).

It is a 401 return code - I can see the audience in the FHIR API in the Azure portal. Would I add a --audience parameter to the command above?

It is the resource parameter in:

az account get-access-token --resource=https://azurehealthcareapis.com

resource and audience (claim aud) are equivalent. Whatever resource you ask for a token for has to be the same as the audience you have configured in the portal.

Also, check the response headers in Postman, they will tell you if the audience is invalid. And make sure there is not a trailing slash at the end of one and not the other.

www-authenticate = Bearer error="invalid_token"

Nothing about audience in the response headers

Can you paste the token into something like https://jwt.ms and just make sure that you didn't miss any characters or anything like that when you copied it?

Also, did you configure the FHIR service with the AAD tenant of your subscription as the "Authority"? That is the default, but in case you changed it, that could be something else to check.

Most likely you copied the token incorrectly.

It cannot decode the token.
It starts with

    {"resourceType":"Bundle","id":"

and ends with

    azurehealthcareapis.com/Patient"}]}

Have I got the right token?

No, you do not have the right token. That looks like some FHIR JSON. The token is the access token (Bearer token) you get from the command:

az account get-access-token --resource=https://azurehealthcareapis.com

When running that command you get a "token response"; one of the fields in that token response is the access_token, which is what you need to paste into the Bearer token field in Postman.

It should look like a long string of characters starting with something like eyJ0eXAiO... (lots more characters). It is a JWT: 3 dot-separated Base64 encoded segments.
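An added illustration of the checks described in this thread (not code from the thread or from the Azure docs): it tells a pasted FHIR body apart from a JWT, splits the three dot-separated segments, decodes the payload without verifying the signature (inspection only, as jwt.ms does), and compares the aud claim with the configured audience while ignoring a trailing slash. The sample token, its oid and the alg "none" signing are constructed so the example runs offline; a real token comes from `az account get-access-token` and is signed by AAD.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_sample_jwt(payload: dict) -> str:
    # Constructed sample only (alg "none", empty signature) so the demo runs offline.
    return _b64url_encode({"typ": "JWT", "alg": "none"}) + "." + _b64url_encode(payload) + "."


def _norm(audience) -> str:
    # "https://host" and "https://host/" are the same audience for this comparison.
    return (audience or "").rstrip("/")


def audience_matches(payload: dict, configured_audience: str) -> bool:
    aud = payload.get("aud")  # may be a single string or a list of strings
    auds = aud if isinstance(aud, list) else [aud]
    return any(_norm(a) == _norm(configured_audience) for a in auds)


def check_bearer_token(token: str, configured_audience: str) -> str:
    """Classify what was pasted into Postman's Bearer field. The signature is NOT
    verified here; the FHIR server does the real validation."""
    token = token.strip()
    if token.startswith("{"):
        return "not-a-jwt: this is a JSON body (e.g. a FHIR Bundle), not an access token"
    parts = token.split(".")
    if len(parts) != 3:
        return f"malformed: expected 3 dot-separated segments, got {len(parts)}"
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return "malformed: payload segment is not base64url JSON (truncated when copied?)"
    if not audience_matches(payload, configured_audience):
        return f"audience-mismatch: aud={payload.get('aud')!r}, server expects {configured_audience!r}"
    return f"ok: aud matches; a 403 now means oid {payload.get('oid')} is not an allowed object id"


# Constructed inputs: a placeholder oid, and the FHIR response mistakenly pasted in the thread.
SAMPLE_TOKEN = make_unsigned_sample_jwt(
    {"aud": "https://azurehealthcareapis.com/", "oid": "00000000-0000-0000-0000-000000000000"})
FHIR_BODY = '{"resourceType":"Bundle","id":"example"}'
```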

Damn, I was using the FHIR response as the token, not the token.

Many thanks for your time, all sorted now.

close

Sure thing.

please-close

@hansenms Thanks for the super quick response. :+1:

Yes very quick and helpful thanks.

Hi hansenms,

Tokens created with Shell expire every 20 minutes.
Is it possible to have one which does not expire?

The lifetime of the token is something that is set in Azure Active Directory by the directory administrator; however, tokens with infinite lifetime or even long life should not be created. It would not be considered secure.

Thanks for your reply, but how do I set the token (1 year) in AD?

I don't think AAD will allow you to do that. For an access token, I think the max is 1 day, but I could be wrong. Look somewhere like here for details:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

Note that even if it were possible, it would not be considered best practice to issue an access token with a lifetime of one year.
