-
Notifications
You must be signed in to change notification settings - Fork 516
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Configure Custom Identity provider #3921
Comments
@LodewijkSioen - Have you assigned the SMART user role ? |
As you can see in my JWT, I've put Mind that I'm using my own Identity Provider and EntraID as specified in the documentation. That documentation does not talk about any roles. |
You are correct that the token is valid, and that is why you see a 403 instead of a 401. Perhaps you have App Insights configured for your app service? It should have more details about why the 403 was returned. |
The 403 comes from the fhir service on Azure. I don't seem to be able to configure App Insights for that.
I tried to configure it locally, but there is no appsetting for the additional Identity Provides.
EDIT: what's more, there is no code in here that handles this use case...
(I need both Entra and another provider)
|
So I've dug deeper and I'm pretty sure it's the |
I made a minimal demo project to show you what I've done: https://github.com/LodewijkSioen/fhir-samples/tree/main/identity-provider |
@feordin - can you please review the demo project and help ? |
I will take a look at the sample and see if I can repro the issue. |
I downloaded the sample (thank you for that!) and I was able to get tokens that were validated and functioning. I did make one update to the Identity Provider to include the "roles" claim:
With that change I get a token like this for system scope:
or for user scope I get this token:
either of those tokens succeed with a 200. To match the tokens my appsettings.json for the FHIR service has the following security configuration:
You can see that the Audience matches the "aud" claim in the token, and the Authority matches the "iss" claim in the token. The role matches "smartUser" which is defined in roles.jon in the FHIR service code. That will result in the proper data actions being returned by the CheckAccess method that you already mentioned. I hope this helps! |
Thank you for looking into this. I already had it working against the OSS version of the Fhir Server, but it's against the Azure PaaS version that I cannot get it working. |
@feordin I dug deeper and I suspect that the Azure FHIR Service is configured to either:
But there is no way for me to know of investigate this. Also the fact that a specific role is needed is missing from the documentation. |
@LodewijkSioen is the issue resolved or are you looking for any further inputs? |
The issue is not resolved. If you us the instructions in my repo, then you'll see that it does not work.
Groeten,
Lodewijk Sioen
…________________________________
From: ketki ***@***.***>
Sent: Monday, July 8, 2024 1:59:23 PM
To: microsoft/fhir-server ***@***.***>
Cc: Lodewijk Sioen ***@***.***>; Mention ***@***.***>
Subject: Re: [microsoft/fhir-server] Configure Custom Identity provider (Issue #3921)
@LodewijkSioen<https://github.com/LodewijkSioen> is the issue resolved or are you looking for any further inputs?
—
Reply to this email directly, view it on GitHub<#3921 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAA56XTDZUDIOUWLSF4BRUTZLLHPXAVCNFSM6AAAAABJKLPP2OVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEMJUHAZTSMJTHA>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
@LodewijkSioen I have tried the scenario again for the Azure PaaS version. the configuration is a bit different, and it does not use the roles.json file. When using Azure Entra ID as the identity propvider we would read role infomration via Azure RBAC. For 3rd party IDPs we limit the user to only the "smart" role, and role membership is assumed. We validate the token using the appId and issuer to ensure those values match the entries in the portal. Then we check the fhirUserClaim to ensure it matches a resource in the FHIR server and determine the compartment of resources that should be made available to be read. I published the sample identity provider code in fhir-samples repo you mentioned to an app service. Then I configured my PaaS instance with the following values: I made a change to the identity provider so that it would populate the fhirUserClaim token with a valid url of a practitioner in the FHIR server:
It then generated a token like this: With that token I was able to successfully read resources within the practitioner compartment. |
Ah yes, so for the user scope, you need the full url including the domain in the A more pressing issue is that I cannot get the system scopes to work (eg |
@LodewijkSioen system scopes are not supported on external ID providers. |
That's too bad because the system scopes are what we wanted to use in our system :( |
I'm pretty sure I had this working at one time, but now I cannot get the custom Identity Provider to work. I have IdentityServer running in an app service. This is the token it generates:
I checked the fields a hundred times:
appid
claim)aud
claim)And I get the following answer from the FHIR service:
Which means that my settings are correct, otherwise I would have gotten a
401
.Why am I getting
Forbidden
? How can I troubleshoot this?The text was updated successfully, but these errors were encountered: