Ponnapally

Reputation: 98

Authentication and authorization of FHIR server

I have spun up an Azure service for FHIR. I want to use it with a .NET Core API, and I want to control the authentication and authorization inside the API. I haven't found an example where I can authenticate the web API in Azure without prompting for a username and password, using a client ID, client secret and tenant ID. Also, regarding authorization, is there a way to restrict a tenant to only access a certain group of patients with FHIR?

Upvotes: 2

Views: 1672

Answers (1)

MichaelHansen

Reputation: 666

You can use Azure Active Directory client credentials flow to obtain a token to access the Azure API for FHIR. In order to do this, you will need to register a service client in Azure AD. Once you have a service client application (and a secret), you can obtain a token from Azure AD with something like:

POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token

with the following fields in the payload:

client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
&scope=https://<myfhirservice>.azurehealthcareapis.com/.default
&client_secret=abcdef1234
&grant_type=client_credentials

You can then present that token to the FHIR API with the Authorization: Bearer xwy... header field.

The service principal associated with the service client application has to be granted access to the FHIR API. It is recommended that you set that up using Azure RBAC configuration, but if you are using a different tenant from the one associated with your Azure Subscription, you will need to do local RBAC configuration.

At the moment there is no way to do "granular" access control (e.g. only certain patients). It is recommended that you implement such logic using an API management service such as Azure API Management or similar.

Upvotes: 1
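The client credentials exchange described in the answer, as an added example that is not part of the original post or of the Azure API for FHIR itself. It is written in Python so it can be run as-is; the same two requests translate directly to any .NET HTTP client. It assumes the v2.0 token endpoint and the `https://<fhir-host>/.default` scope shown above, takes tenant ID, client ID, secret and FHIR host from the caller, and adds the one thing a production API should do that the answer only implies: cache the token and renew it before `expires_in` runs out instead of hitting Azure AD on every FHIR call.

```python
# Added example (not from the original answer): client credentials token
# acquisition for the Azure API for FHIR. All identifiers are caller-supplied.
import json
import time
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def build_token_request(tenant_id, client_id, client_secret, fhir_host):
    """Return (url, form-encoded body) for the client_credentials grant.
    The scope is the FHIR service URL plus "/.default", which asks Azure AD for
    the application permissions granted to the service principal."""
    form = {
        "client_id": client_id,
        "scope": f"https://{fhir_host}/.default",
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }
    return TOKEN_ENDPOINT.format(tenant=tenant_id), urllib.parse.urlencode(form).encode()

def _post_form(url, body):
    """Real transport: POST the form to Azure AD and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

class TokenCache:
    """Holds the access token and renews it shortly before expiry, so the API
    does not round-trip to Azure AD on every FHIR call."""
    def __init__(self, tenant_id, client_id, client_secret, fhir_host,
                 transport=_post_form, clock=time.time):
        self._url, self._body = build_token_request(tenant_id, client_id, client_secret, fhir_host)
        self._transport, self._clock = transport, clock
        self._token, self._expires_at = None, 0.0

    def access_token(self, skew=60):
        """Cached token; a new one is fetched within `skew` seconds of expiry."""
        if self._token is None or self._clock() >= self._expires_at - skew:
            reply = self._transport(self._url, self._body)
            if reply.get("token_type", "Bearer").lower() != "bearer":
                raise ValueError(f"unexpected token_type: {reply.get('token_type')!r}")
            self._token = reply["access_token"]
            self._expires_at = self._clock() + int(reply["expires_in"])
        return self._token

    def auth_header(self):
        """Header to send with every FHIR request, e.g. GET https://<fhir_host>/Patient."""
        return {"Authorization": "Bearer " + self.access_token()}
```

The `transport` and `clock` parameters exist so the exchange can be exercised offline with a fake Azure AD reply; in the API itself the defaults do the real POST.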
