In this article, you'll learn how to register a resource (or API) application in Azure Active Directory. A resource application is an Azure Active Directory representation of the FHIR server API itself and client applications can request access to the resource when authenticating. The resource application is also known as the audience in OAuth parlance.
If you are using the open source FHIR Server for Azure, follow the steps below to register a resource application. to learn more about application registration in general, review the Azure API for FHIR documentation on registering applications.
-
In the Azure portal, on the left navigation panel, click Azure Active Directory.
-
In the Azure Active Directory blade click App registrations:
-
Click the New registration.
Fill in the details for the new application. There are no specific requirements for the display name, but setting it to the URI of the FHIR server makes it easy to find:
A resource application has an identifier URI (Application ID URI), which clients can use when requesting access to the resource. This value will populate the aud claim of the access token. It is recommended that you set this URI to be the URI of your FHIR server. For SMART on FHIR apps, it is assumed that the audience is the URI of the FHIR server.
-
Click Expose an API
-
Click Set next to Application ID URI.
-
Enter the identifier URI and click Save. A good identifier URI would be the URI of your FHIR server.
-
Click Add a scope and add any scopes that you would like to define for your API. You are required to add at least one scope in order to grant permissions to your resource application in the future. If you don't have any specific scopes you want to add, you can add user_impersonation as a scope.
The Azure API for FHIR and the OSS FHIR Server for Azure use Azure Active Directory application roles for role-based access control. To define which roles should be available for your FHIR Server API, you can edit the resource application's manifest or add App roles from the portal. To add app roles from the portal
- Click App roles | Preview
- Select Create app role
- Add the details from the roles file. This includes globalAdmin, globalWriter, globalReader, and globalExporter. Select Both fo Allowed member types.
If you want to update the manifest, see the details below:
"appRoles": [
{
"allowedMemberTypes": [
"User",
"Application"
],
"description": "fhir oss admin",
"displayName": "globalAdmin",
"id": "ba852bf0-43e3-46f4-88ec-5ce70f5fb6dd",
"isEnabled": true,
"value": "globalAdmin"
},
{
"allowedMemberTypes": [
"User",
"Application"
],
"description": "fhir oss writer",
"displayName": "globalWriter",
"id": "07fed378-c437-418a-97ca-8a7962abd6d6",
"isEnabled": true,
"value": "globalWriter"
},
{
"allowedMemberTypes": [
"User",
"Application"
],
"description": "fhir oss reader",
"displayName": "globalReader",
"id": "ed289d3c-3588-4469-914e-79c6cdb0f6e2",
"isEnabled": true,
"value": "globalReader"
},
{
"allowedMemberTypes": [
"User",
"Application"
],
"description": "fhir oss exporter",
"displayName": "globalExporter",
"id": "fbf16161-ddf3-42a7-8607-758a3660afe1",
"isEnabled": true,
"value": "globalExporter"
}
],When "User" is specified for the allowedMemberTypes property, the defined roles are available to assign to users and groups. When "Application" is specified for the allowedMemberTypes property, the roles are available to assign to service principals.