Unable to get corresponding FHIR resource (Patient's data) in FHIR service


I've deployed DICOM Cast successfully and performed all the steps of Sync Medical Imaging Server for DICOM metadata into FHIR Server for Azure, but I'm unable to get the corresponding FHIR resources in the FHIR service.

I'm confused about some steps in this doc.

  1. While setting the authentication for your FHIR & DICOM App Services, I'm unable to set Audience, Authority, and Security: Enabled in the DICOM service, and unable to set Security: Enabled in the FHIR service.

  2. While updating the Key Vault for DICOM Cast, the document says "Search for your Service Principal". Under "Select principal", which principal should I select: the user principal or the Enterprise Application principal? If the Enterprise Application principal, then which application should I choose? Right now, I have not authenticated the DICOM service, and for the service principal I have selected the user principal.

Here is the detailed container log:

 info: Azure.Identity[1]
      DefaultAzureCredential.GetToken invoked. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId: 
info: Azure.Identity[1]
      EnvironmentCredential.GetToken invoked. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId: 
info: Azure.Identity[3]
      EnvironmentCredential.GetToken was unable to retrieve an access token. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
info: Azure.Identity[1]
      WorkloadIdentityCredential.GetToken invoked. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId: 
info: Azure.Identity[3]
      WorkloadIdentityCredential.GetToken was unable to retrieve an access token. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot
info: Azure.Identity[1]
      ManagedIdentityCredential.GetToken invoked. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId: 
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:31Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] MSAL MSAL.NetCore with assembly version '4.54.1.0'. CorrelationId(0c85f10d-5c3c-4f91-a149-c05e7048dae4)
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:31Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] === AcquireTokenForClientParameters ===
      SendX5C: False
      ForceRefresh: False
      
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:31Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] 
      === Request Data ===
      Authority Provided? - True
      Scopes - https://dicom.healthcareapis.azure.com
      Extra Query Params Keys (space separated) - 
      ApiId - AcquireTokenForClient
      IsConfidentialClient - True
      SendX5C - False
      LoginHint ? False
      IsBrokerConfigured - False
      HomeAccountId - False
      CorrelationId - 0c85f10d-5c3c-4f91-a149-c05e7048dae4
      UserAssertion set: False
      LongRunningOboCacheKey set: False
      Region configured: 
      
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:31Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] === Token Acquisition (ClientCredentialRequest) started:
         Scopes: https://dicom.healthcareapis.azure.com
        Authority Host: login.microsoftonline.com
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:31Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] [Region discovery] Not using a regional authority. 
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:31Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] [Instance Discovery] Skipping Instance discovery because it is disabled. 
info: Azure.Core[1]
      Request [467f2d30-036f-41e2-ab12-9619b63ec6c7] GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=REDACTED
      Metadata:REDACTED
      x-ms-client-request-id:467f2d30-036f-41e2-ab12-9619b63ec6c7
      x-ms-return-client-request-id:true
      User-Agent:azsdk-net-Identity/1.10.0 (.NET 7.0.10; Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022)
      client assembly: Azure.Identity
info: Azure.Core[5]
      Response [467f2d30-036f-41e2-ab12-9619b63ec6c7] 200 OK (00.0s)
      Date:Thu, 14 Sep 2023 13:58:32 GMT
      Content-Type:application/json
      Content-Length:1438
      
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] Checking client info returned from the server..
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] Saving token response to cache..
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] [SaveTokenResponseAsync] ID Token not present in response. 
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] Cannot determine home account id - or id token or no client info and no subject 
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] [SaveTokenResponseAsync] Saving AT in cache and removing overlapping ATs...
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] Looking for scopes for the authority in the cache which intersect with https://dicom.healthcareapis.azure.com
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] Intersecting scope entries count - 0
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] 
        === Token Acquisition finished successfully:
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4]  AT expiration time: 09/15/2023 12:56:16 +00:00, scopes: https://dicom.healthcareapis.azure.com. source: IdentityProvider
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] Fetched access token from host login.microsoftonline.com. 
info: Azure.Identity[2]
      ManagedIdentityCredential.GetToken succeeded. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId:  ExpiresOn: 2023-09-15T12:56:16.0260624+00:00
info: Azure.Identity[13]
      DefaultAzureCredential credential selected: Azure.Identity.ManagedIdentityCredential
info: Azure.Identity[2]
      DefaultAzureCredential.GetToken succeeded. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId:  ExpiresOn: 2023-09-15T12:56:16.0260624+00:00
crit: Microsoft.Health.DicomCast.Core.Features.Worker.DicomCastWorker[0]
      Unhandled exception.
      Microsoft.Health.Dicom.Client.DicomWebException: Forbidden: Authorization failed.
         at Microsoft.Health.Dicom.Client.DicomWebClient.EnsureSuccessStatusCodeAsync(HttpResponseMessage response, Func`5 additionalFailureInspector) in /_/src/Microsoft.Health.Dicom.Client/DicomWebClient.cs:line 219
         at Microsoft.Health.Dicom.Client.DicomWebClient.GetChangeFeedLatest(String queryString, CancellationToken cancellationToken) in /_/src/Microsoft.Health.Dicom.Client/DicomWebClient.ChangeFeed.cs:line 41
         at Microsoft.Health.DicomCast.Core.Features.DicomWeb.Service.ChangeFeedRetrieveService.RetrieveLatestSequenceAsync(CancellationToken cancellationToken) in /_/converter/dicom-cast/src/Microsoft.Health.DicomCast.Core/Features/DicomWeb/Service/ChangeFeedRetrieveService.cs:line 41
         at Microsoft.Health.DicomCast.Core.Features.Worker.ChangeFeedProcessor.ProcessAsync(TimeSpan pollIntervalDuringCatchup, CancellationToken cancellationToken) in /_/converter/dicom-cast/src/Microsoft.Health.DicomCast.Core/Features/Worker/ChangeFeedProcessor.cs:line 70
         at Microsoft.Health.DicomCast.Core.Features.Worker.DicomCastWorker.ExecuteAsync(CancellationToken cancellationToken) in /_/converter/dicom-cast/src/Microsoft.Health.DicomCast.Core/Features/Worker/DicomCastWorker.cs:line 95
info: Microsoft.Hosting.Lifetime[0]
      Application is shutting down...


Here is the Postman screenshot: (image not available)

2

There are 2 best solutions below

11
Sridevi On

The 403 Forbidden error usually occurs if you missed adding the required roles, like FHIR Data Contributor, to the ACI managed identity.

When I tried to get Patient data via Postman without adding the roles, I too got the same 403 Forbidden error, as below:

GET https://demofhir20.azurehealthcareapis.com/Patient

Response: (screenshot not available)

In your case, make sure to add the FHIR Data Contributor and DICOM Data Owner roles to the ACI managed identity, as you are generating the access token using Managed Identity authentication.

After assigning the roles, generate the access token again and call the /Patient API, where you will get a successful response like this:

GET https://demofhir20.azurehealthcareapis.com/Patient

Response: (screenshot not available)

Reference: dicom-server/docs/quickstarts/deploy-dicom-cast.md at main · microsoft/dicom-server (github.com)
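The log above shows why the role assignment is the thing to check: ManagedIdentityCredential gets a token from IMDS for https://dicom.healthcareapis.azure.com without trouble, and the request then fails with 403, which is the service saying "I know who you are, but you hold no data-plane role here" (a 401 would instead mean the token itself was rejected, e.g. wrong audience or authority). The script below redoes that flow by hand from inside the container, prints the object id of the identity the token belongs to (the principal that must get the roles), and classifies the response. It is an added example written for this answer, not DICOM Cast's or Microsoft's code; the DICOM service URL is a placeholder, the `/v1/changefeed/latest` path is assumed to be the DicomWeb change-feed route the worker calls, and IMDS is assumed reachable because the code runs in the ACI container group.

```python
"""
Redo DICOM Cast's token flow by hand and tell a 401 from a 403.

Added example for this answer; not DICOM Cast's or Microsoft's code.
Assumptions: runs inside the ACI container group (IMDS reachable, as in
the log), DICOM_SERVICE_URL is a placeholder you replace, and the
change-feed route is the v1 DicomWeb path. Standard library only.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
DICOM_SCOPE = "https://dicom.healthcareapis.azure.com"  # resource seen in the log
# Placeholder, not a real deployment: replace with your DICOM service URL.
DICOM_SERVICE_URL = "https://myworkspace-mydicom.dicom.azurehealthcareapis.com"
CHANGEFEED_LATEST = "/v1/changefeed/latest"  # assumed DicomWeb change-feed route


def get_imds_token(resource: str, timeout: float = 5.0) -> str:
    """Fetch an access token for `resource` from IMDS, as ManagedIdentityCredential does."""
    query = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": resource})
    req = urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it.

    Inspection only: the resource server validates the signature. Never use
    claims read this way for an authorization decision of your own.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def identity_summary(claims: dict) -> dict:
    """Pull out the claims that matter for RBAC: who the caller is and for which audience."""
    return {
        "aud": claims.get("aud"),      # must be the resource the DICOM service expects
        "oid": claims.get("oid"),      # object id of the managed identity: the principal to assign roles to
        "appid": claims.get("appid"),  # client id of that same identity
        "tid": claims.get("tid"),      # tenant the token was issued in
    }


def probe(url: str, token: str, timeout: float = 10.0) -> int:
    """GET `url` with a bearer token and return the HTTP status, 4xx/5xx included."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def diagnose(status: int) -> str:
    """Map the change-feed probe's status to the layer that failed."""
    if status == 200:
        return "200: token accepted and authorized; DICOM Cast can read the change feed"
    if status == 401:
        return "401: token rejected (audience/authority mismatch, or Security:Enabled does not match the token)"
    if status == 403:
        return "403: token accepted but the identity holds no data-plane role (e.g. DICOM Data Owner) on this service"
    return f"{status}: unexpected response; check the service URL and path"


def make_unsigned_test_token(claims: dict) -> str:
    """Build an alg=none JWT so decode_jwt_claims can be exercised offline. Constructed sample only."""
    def b64url(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")

    header = b64url({"alg": "none", "typ": "JWT"})
    return f"{header}.{b64url(claims)}."  # empty signature segment


if __name__ == "__main__":
    token = get_imds_token(DICOM_SCOPE)
    print("caller:", identity_summary(decode_jwt_claims(token)))
    print(diagnose(probe(DICOM_SERVICE_URL + CHANGEFEED_LATEST, token)))
```

Run it inside the container (for example via `az container exec`). The printed `oid` is the object id of the ACI managed identity, which is the principal to pick when assigning the roles named in this answer, e.g. `az role assignment create --assignee-object-id <oid> --assignee-principal-type ServicePrincipal --role "DICOM Data Owner" --scope <DICOM service resource id>`, and likewise FHIR Data Contributor on the FHIR service. Treat the token itself as a credential: inspect the claims, but do not paste the raw token into a question or ticket.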

1
Hitakshi Dobariya On

There's no need to follow the steps under "Authentication for your FHIR & DICOM App Services".

Then you will be able to get the corresponding FHIR resource (Patient's data) in the FHIR service. (screenshot not available)