how to fix GET Patient from fhir.azurehealthcareapis.com when the access token request succeeds

ngsailor 0 Reputation points
2025-09-03T13:57:23.3133333+00:00

@fhirurl = https://FHIR-svcname.fhir.azurehealthcareapis.com
@clientid = xxxxxx-xxxx-xxxx-xxxx-xxxxxx
@clientsecret = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
@tenantid = xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx

### Get access token
# @name getAADToken
POST https://login.microsoftonline.com/{{tenantid}}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id={{clientid}}
&client_secret={{clientsecret}}
&scope={{fhirurl}}/.default

Response of the token request (succeeds):
{
  "token_type": "Bearer",
  "expires_in": 3599,
  "ext_expires_in": 3599,
  "access_token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1NiIsIng1dCI6IkpZaEFjVFBNWl9MWDZEQmxPV1E3SG4wTmVYRSIsImtpZCI6IkpZaEFjVFBNWl9MWDZEQmxPV1E3SG4wTmVYRSJ9.eyJhdWQiOiJodHRwczovL25nc2FpbG9yLXN2Yy5maGlyLmFxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}

### Extract access token from the getAADToken request
@token = {{getAADToken.response.body.access_token}}

### GET Patient
GET {{fhirurl}}/Patient/12345/$everything?start=2010&end=2030
Authorization: Bearer {{token}}

Response of the GET Patient request (fails):
{
  "resourceType": "OperationOutcome",
  "id": "bd7298b1-e411-422d-b43e-2741f4363f16",
  "issue": [
    {
      "severity": "error",
      "code": "login",
      "diagnostics": "Authentication failed."
    }
  ]
}
1 answer

  1. Alex Burlachenko 18,390 Reputation points Volunteer Moderator
    2025-09-11T07:19:14.57+00:00

    hi there!

    this is a classic puzzle, and it can drive u nuts when the token looks good but the api still says no ))

    the first thing to check is the scope in your token request. u are using {{fhirurl}}/.default which is correct, but sometimes the tiny details matter. make sure the fhir url in your scope matches exactly the url u are calling later. no trailing slashes, and it must be the exact same resource identifier.

    next, the big one... does your client app registration in azure ad have the right permissions? getting a token doesn't mean u have access. u need to make sure your app is granted the fhir data plane permission, like 'fhirdata.read', for the fhir service. and an admin must have given admin consent for that permission. this might help in other tools too, always double check those api permissions.

    also, check the audience claim in your token. it's the 'aud' field. if u decode that access token on a site like jwt.io, u should see the audience is your fhir server url. if it isn't, that's the problem right there.

    worth looking into the access policies on the fhir service itself. even with a valid token, if your client object isnt explicitly added to the allowed list, it will be rejected. https://free.blessedness.top/azure/healthcare-apis/azure-api-for-fhir/configure-local-rbac

    try a simpler test too. instead of the $everything operation, just do a plain GET {{fhirurl}}/Patient. sometimes complex operations have extra permission requirements.

    hope one of these tips gets u past that login error.

    Best regards,

    Alex

    and "yes" if you would follow me at Q&A - personally thx.
    P.S. If my answer helps you, please Accept my answer.
    

    https://ctrlaltdel.blog/

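The audience and scope checks from the answer above, as an added example (not code from the question or the answer): it reads the JWT payload without verifying the signature, purely to diagnose why the FHIR service might reject the token, and compares `aud` against the FHIR URL the way the scope `{{fhirurl}}/.default` implies. The sample token is constructed inline with an empty signature; a real Entra token is RS256-signed and must be validated by the resource server, not by this script.

```python
import base64
import json
import time
from typing import List, Optional


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    # Diagnostics only: reads the payload, does NOT verify the signature
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_token_for_fhir(token: str, fhir_url: str, now: Optional[int] = None) -> List[str]:
    """Return the problems found; an empty list means the token looks usable for fhir_url."""
    now = int(time.time()) if now is None else now
    claims = decode_jwt_claims(token)
    problems = []
    # The answer's point: aud must match the FHIR URL exactly, no trailing slash
    expected_aud = fhir_url.rstrip("/")
    aud = claims.get("aud")
    if aud != expected_aud:
        problems.append(f"aud is {aud!r}, expected {expected_aud!r}; request scope {expected_aud}/.default")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    # oid/appid identify the caller that must appear in the FHIR access policy or RBAC assignment
    if not (claims.get("oid") or claims.get("appid") or claims.get("azp")):
        problems.append("no oid/appid claim: caller cannot be matched against the FHIR access policy")
    return problems


def make_unsigned_sample(claims: dict) -> str:
    # Constructed sample token for testing; 'alg: none' with an empty signature, never accepted by a real service
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."
```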
