Azure-docs: Getting 403 even after adding a Service Principal in FHIR API Allowed Object ID

Created on 16 Jun 2020 · 9 comments · Source: MicrosoftDocs/azure-docs


Pri3 assigned-to-author fhisubsvc healthcare-apisvc product-question triaged

All 9 comments

It is hard to determine from this what the issue actually is. If you are getting a 403, it generally means that the token is valid (had the right authority and audience), but the user or service principal that the token is issued for is not allowed access. We support two different RBAC schemes:

  1. Azure RBAC: https://docs.microsoft.com/en-us/azure/healthcare-apis/configure-azure-rbac
  2. Local RBAC: https://docs.microsoft.com/en-us/azure/healthcare-apis/configure-local-rbac

If you are using Azure RBAC, you have to add the user or service principal in the access control panel; if you are using Local RBAC, you need to add the object id in the box for object ids. Note that the object ID is not the same as the application id; please see these details on finding identity object ids: https://docs.microsoft.com/en-us/azure/healthcare-apis/find-identity-object-ids

@hansenms I have tried both of the approaches mentioned above:

  1. Azure RBAC: https://docs.microsoft.com/en-us/azure/healthcare-apis/configure-azure-rbac - Works fine for me, no issues here
  2. Local RBAC: https://docs.microsoft.com/en-us/azure/healthcare-apis/configure-local-rbac - With this approach, if I try to fetch the object id of my service principal using the command below:

az ad sp show --id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX | jq -r .objectId

it returns the object id of the service principal, and if I then add this object id under the authentication section as specified in the link, it returns a valid token through Postman, but if I try to fetch the Patient resource it results in a 403 error.

Another thing is that if I check the token using https://jwt.ms/ it shows me the object id of the user, not the service principal, and I want it to work with the service principal object id.

You need to obtain a token for the service principal. If your object id in the token is not in the list of allowed object ids, you will get a 403.

Obtain a token for the service principal using "client credentials" flow (https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow)

Sounds like you have added the service principal to the list but you are not actually getting a token for the service principal.

Also, we strongly recommend using Azure RBAC. The only valid use case for local RBAC is if you are using a different tenant from the one associated with your subscription.

@hansenms Yes, I have added the Object ID of the Service Principal to the Allowed Object IDs list. But the token that I receive contains the object id of the user, and hence the 403 error comes up.

But I am passing the correct parameters using Postman and still I am not able to fetch the service principal object id:
Grant Type: Authorization Code
Callback URL: https://www.getpostman.com/oauth2/callback
Auth URL: https://login.microsoftonline.com/{tenantid}/oauth2/authorize?resource={fhir-api-url}
Access Token URL: https://login.microsoftonline.com/{tenantid}/oauth2/token
Client ID: Client ID from the App from App Registration
State: 1234
Client Authentication: Send Client Credentials in body

I am not getting what I am missing here to fetch the service principal object id in the token.

That flow you are using is for getting a token for a user. You are using "authorization code flow". To get a token for a service principal you must use "client credentials flow" per the link above. So you would do something like:

POST /{tenant}/oauth2/v2.0/token HTTP/1.1 
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=https%3A%2F%2F{fhirservicename}.azurehealthcareapis.com%2F.default
&client_secret=XYZ
&grant_type=client_credentials

You can also do that in Postman.

@hansenms Followed the above steps as mentioned. Now I am getting the error message below.
status: 401 Unauthorized
{
"resourceType": "OperationOutcome",
"id": "9f9f38a3a004174ca35de837df58129e",
"issue": [
{
"severity": "error",
"code": "login",
"diagnostics": "Authentication failed."
}
]
}

Now I am able to retrieve the correct object id of the service principal from the token but unable to fetch the /Patient resource.

So a 401 would indicate that the token is not valid in terms of authority (iss claim) and/or audience (aud claim). Please verify that the aud claim matches the "audience" you have configured for the FHIR service. Say your configured audience is https://myfhirservice.azurehealthcareapis.com then you should use scope=https://myfhirservice.azurehealthcareapis.com/.default when you request the token. If your audience is set for https://azurehealthcareapis.com, you should use scope=https://azurehealthcareapis.com/.default. The iss claim should have the correct tenant id.

A good trick is also to check the return headers when you get the 401; they should give you some information in the WWW-Authenticate challenge header.
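A small diagnostic that follows the two answers above (an added example, not code from this thread or from the FHIR service): it builds the client-credentials form body with the audience plus /.default as the scope, decodes the token claims the way jwt.ms would, and maps a mismatch to the 401 (aud/iss) or 403 (oid not allowed) outcome described. The audience, tenant id, object ids and tokens are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

FHIR_AUDIENCE = "https://myfhirservice.azurehealthcareapis.com"  # assumed configured audience
TENANT_ID = "aaaaaaaa-0000-0000-0000-000000000000"                 # constructed tenant id
ALLOWED_OBJECT_IDS = {"11111111-1111-1111-1111-111111111111"}      # constructed SP object id


def client_credentials_body(client_id, client_secret, audience=FHIR_AUDIENCE):
    """Form body for the v2.0 client-credentials grant; scope is the audience plus /.default."""
    return urlencode({"client_id": client_id,
                      "scope": audience.rstrip("/") + "/.default",
                      "client_secret": client_secret,
                      "grant_type": "client_credentials"})


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token):
    """Read the JWT payload only; the signature is NOT verified here (inspection, like jwt.ms)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, audience=FHIR_AUDIENCE, tenant_id=TENANT_ID, allowed=ALLOWED_OBJECT_IDS):
    """Predict the FHIR response for a token: 401 = wrong aud/iss, 403 = oid not allowed."""
    c = decode_claims(token)
    if c.get("aud", "").rstrip("/") != audience.rstrip("/"):
        return "401", "aud %r does not match the configured audience" % c.get("aud")
    if tenant_id not in c.get("iss", ""):
        return "401", "iss %r is not the expected tenant" % c.get("iss")
    if c.get("oid") not in allowed:
        # a delegated (user) token carries scp/upn; a client-credentials token does not
        kind = "user (delegated)" if "scp" in c or "upn" in c else "service principal"
        return "403", "oid %r (%s token) is not in the allowed object IDs" % (c.get("oid"), kind)
    return "200", "token should be accepted"


def constructed_token(claims):
    """Unsigned sample token for local testing only; Azure would never accept it."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return header + "." + _b64url(json.dumps(claims).encode()) + ".constructed-signature"


def run_samples():
    """Three constructed tokens reproducing the thread: user token, wrong scope, correct one."""
    iss = "https://login.microsoftonline.com/%s/v2.0" % TENANT_ID
    sp = "11111111-1111-1111-1111-111111111111"
    user = constructed_token({"aud": FHIR_AUDIENCE, "iss": iss, "oid": "2222-user", "upn": "me@example.com"})
    wrong = constructed_token({"aud": "https://azurehealthcareapis.com", "iss": iss, "oid": sp})
    good = constructed_token({"aud": FHIR_AUDIENCE, "iss": iss, "oid": sp})
    return [diagnose(t)[0] for t in (user, wrong, good)]  # returns ['403', '401', '200']
```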

Thanks, @hansenms my issue is resolved

Sure thing. #please-close
