Hello,

Is there any guidance for setting up the FHIR proxy with custom domain name, such as https://emr.abc.com/fhir?

Thank you very much

Hi Team,

We followed your ONC documentation we were able to execute most of the test cases.

But when we were running Single Patient API test, we figured out that there is a slash missing at the end of the base URL.

Please find the details in the attached document.
Ticket_GitHub.docx

Kindly please help for further steps.

this line

stepresult=$(az ad app update --id $spappid --reply-urls $spreplyurls)

or this one in v2.0

stepresult=$(az ad app update --id $spappid --reply-urls $spreplyurls --identifier-uris "api://"$functionAppHost)

is not working with last version of Azure CLI due --reply-urls is no longer a valid parameter

Look into creating a notification using rest to flag pending Authorization grants.

I'm trying to follow this https://github.com/microsoft/fhir-proxy/blob/v2.0/docs/ConfigureProxyONCg10.md documentation for the Multi Patient API test for Inferno. I'm using the v2.0 branch, MSI, and AAD.

For step 7 Multi-Patient API Test in point 7, it is mentioned we need to add resource group id as a group id in the inferno.
I'm confused about which resource group id we need to use for this test.
I have two separate resources for fhir-proxy and the azure API for the FHIR server. I have tried using both resource IDs and executed the test for Multi Patient API. I'm getting the resource id by selecting the resource group ->properties->resource id.
I have 2 patients on the server. By doing this I'm receiving errors for points 7.2.05 and 7.2.06.
Can you please confirm where to get the group id for the Test 7?

For the request, https://sfp-proxy8959.azurewebsites.net/fhir/_operations/aggexport/15e7ae77-d02e-445a-89a3-8e7b6927f502 I'm getting the following error:-

I will really appreciate your help on this.

While testing with Inferno tool (g)(10) section "3 EHR Practitioner App" I'm getting this error

Steps from 3.3.01 to 3.3.04 are ok (3.3.06 also ok)

Steps from 3.3.08 to 3.6 failed because this one

3.3.07 OAuth token exchange request succeeds when supplied correct information
Error during authorization request

After obtaining an authorization code, the app trades the code for an access token via HTTP POST to the EHR authorization server's token endpoint URL, using content-type application/x-www-form-urlencoded, as described in section 4.1.3 of RFC6749.

https://inferno.healthit.gov/suites/custom/smart/redirect?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27fhirproxy-smart-client%27+asked+for+scope+%27launch%27+that+doesn%27t+exist+on+the+resource+%27740cac0e-fc65-450e-afb9-14ef9433c55e%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+632ae9f0-2173-44e8-8d97-7409c55b2d00%0d%0aCorrelation+ID%3a+acfdfb9b-1741-4134-b7ab-7f4ed42872f5%0d%0aTimestamp%3a+2022-11-16+14%3a29%3a59Z&state=0addbd03-5c46-46b0-91a7-e91096cffa50

To reproduce the error

Run test # 3 on https://inferno.healthit.gov/suites/test_sessions/3294991d-8299-4ea0-86ad-b8d5b1e87af6

Provide your Fhir Proxy Url, client and secret

Use this link to complete test https://inferno.healthit.gov/suites/custom/smart/launch?launch=123&iss=https://sfp-proxyxxx.azurewebsites.net/fhir

Hello team,

Currently I met this when running Inferno G10 test, Test case 7.2.04, follow this document
https://github.com/microsoft/fhir-proxy/blob/v2.0/docs/ConfigureProxyONCg10.md

I already turn on in the FHIR proxy
FHIRProxy.preprocessors.ONCExportPreProcess
FHIRProxy.postprocessors.ONCExportPostProcess

I go to the proxy function app and check log

Look like the export pre process and post process is already running

But it said ""The requested "export" operation is not enabled"

Not sure why

Do we need to enable the $export configuration in Azure API for FHIR itself
https://learn.microsoft.com/en-us/azure/healthcare-apis/fhir/configure-export-data

Thank you

**Describe the Issue **

When using FHIR Proxy and authentication with Azure AD,

Got this error in the SMARTProxyToken function

During OAuth 2.0 “authorization code with PKCE” grant, Azure AD requires Origin header to be present on the request to /token endpoint. If header is not present, authorization flow fails with the following error:

Error: AADSTS9002327: Tokens issued for the ‘Single-Page Application’
client-type may only be redeemed via cross-origin requests

Unfortunately, we cannot adding this header to the flow, hence the request for a token fails.

Is there a way to add a custom header into the requests that are executed behind ?

Thank you

"There was an error downloading the template from URI 'https://raw.githubusercontent.com/ToddM2/fhir-proxy-deploy/main/azuredeploy.json'. Ensure that the template is publicly accessible and that the publisher has enabled CORS policy on the endpoint. To deploy this template, download the template manually and paste the contents in the 'Build your own template in the editor' option below. "

receiving this
ERROR: argument --value: expected one argument happens during saving of client secret when the client secret starts with a "-"

Dear Microsoft FHIR-Proxy contributors
We're currently evaluating several FHIR products and by this ways I discovered Azure FHIR API and FHIR Proxy. Now, I followed the quickstart guides on how to setup Azure FHIR API. I seems to work okay with Postman. However, I can't get FHIR Proxy to work on top of Azure FHIR API. Whatever I do, I can get authorization tokens for users and call API methods like GET /patient and it seems like every authenticated user gets all patients (even those created by different users). It is pretty obvious that I'm doing something terribly wrong - or even worse, I didn't understand the concepts of FHIR and FHIR Proxy.

I'll re-setup everything tomorrow in the hope I will get it sorted out - However, if ANYONE who reads this feels empowered to support me in setting up my FHIR demo environment --> please contact me on linkedin: https://www.linkedin.com/in/thomasgalliker/ (Commercial support to be discussed, of course).

Hello

In my case, got 403 Forbidden Authorization failed
I use FHIR Proxy and Azure API for FHIR, I have added

Service principal has FHIR Data Contributor in Azure API for FHIR
My Azure AD account has FHIR Data Contributor in Azure API for FHIR
I use https://jwt.ms/ to get the oid, it is my Azure AD account, but the iss is strange

the iss https://fhir-proxy.azurehealthcareapis.com/ is not my Azure API for FHIR URL

In the OSS server, you need to make sure that you have the right app roles. You have to configure which roles have which privileges and then ensure that your user or service principal has those app roles

I also check the App Role, both the Service Principal and my Azure AD account has the role FHIR Proxy Writer/Reader, even Proxy Administrator

Could you recommend how to check or troubleshoot this?

Thank you very much

URL to file scripts/deployfhirproxy.bash

I have set up the FHIR Proxy according to the steps in this documentation: https://github.com/microsoft/fhir-proxy/tree/main/scripts#setup

I have added the Resource Reader and Writer permissions as well to the Service Principal and granted Admin Consent.

Used the Postman Environment that was generated and the Sample Postman Commands Collection to test the FHIR Proxy Endpoint.
I have retrieved access token with the following URL: https://login.microsoftonline.com/{{tenantId}}/oauth2/token
The GET Metadata request works, but unfortunately, when I try to GET patients, I am getting the following:

{
    "resourceType": "OperationOutcome",
    "id": "fb80820854f0254db3a4c725890b3ddd",
    "meta": {
        "lastUpdated": "2022-05-13T04:43:41.4825864+00:00"
    },
    "issue": [
        {
            "severity": "error",
            "code": "forbidden",
            "diagnostics": "Authorization failed."
        }
    ]
}

Is there a specific step that I am missing?

missing file postmantemplateauth.json for createpostmanproxyenv.bash

The deployment script referenced in Step 9

./createProxyServiceClient.bash

This results in an error,

bash: ./createProxyServiceClient.bash: No such file or directory

however using lowercase works fine as below

./createproxyserviceclient.bash

While testing with Inferno tool (g)(10) section "3 EHR Practitioner App" I'm getting this error

Steps from 3.3.01 to 3.3.04 are ok (3.3.06 also ok)

3.3.05 OAuth server sends code parameter
No code paramater received

• Code is a required querystring parameter on the redirect.

https://inferno.healthit.gov/suites/custom/smart/redirect?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27fhirproxy-smart-client%27+asked+for+scope+%27launch%27+that+doesn%27t+exist+on+the+resource+%27740cac0e-xxx-450e-afb9-14ef9433c55e%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+632ae9f0-xxx-44e8-8d97-7409c55b2d00%0d%0aCorrelation+ID%3a+acfdfb9b-1741-xxx-b7ab-7f4ed42872f5%0d%0aTimestamp%3a+2022-11-16+14%3a29%3a59Z&state=0addbd03-5c46-xxx-91a7-e91096cffa50

Input: ehr_client_secret taE8Q~xxxoFPTUwDltBpOVlhE3WoMsiq7VbbV
Output: ehr_code ???
To reproduce the error

To reproduce
Run test # 3 on https://inferno.healthit.gov/suites/test_sessions/3294991d-8299-4ea0-86ad-b8d5b1e87af6

Provide your Fhir Proxy Url, client and secret

Use this link to complete test https://inferno.healthit.gov/suites/custom/smart/launch?launch=123&iss=https://sfp-proxyxxx.azurewebsites.net/fhir

I have successfully completed the step 1 but I cannot see regiterproxy.bash file for step 2.
Anybody here has any idea about this?

On fhir-proxy/docs/QuickstartDeployARM-bicep.md

Prerequisites for Step 1 Deployment on bullet items under "access to the following fhir server parameters..." can you clarify or point to the specific fhir server client in reference for the server. It is assumed to be a confidential client app registration, but that is not clear.

Step 2 CLI: #12 Can you confirm the path. Found in the \scripts directory not the \templates

Step 3 Item #47. It would be helpful to have a bit more clarification. The screen shot shows "Allow unauthenticated access" as well as the CLI info. If someone elects to use require authentication can you point to additional guidance?

Step 3 Item #47. After clicking the permissions button, is this a possible output? "Permissions are only allowed to be selected on a newly created Azure Active Directory application."

This is a quickstart deployment doc, but it would be nice to have some additional guidance in "After the install" other can verification of Key vault values. Perhaps a suggestion of next step(s).

The work / functions are completed, but the proxy is passing back the incorrect error code.

Hello team,

I'm trying to retrieve the fhir procedure and Goal resources using postman.

I'm getting an error stating Could not find Patient Reference Patient/26b8f4f5-441f-481e-b50a-0cd265df4f08 in reference fields patient, performer of resource Procedure/16b495e0-c8d7-4ea4-8805-ac9a9498321c and Could not find Patient Reference Patient/26b8f4f5-441f-481e-b50a-0cd265df4f08 in reference fields patient of resource Goal/3cfadb39-d3b2-4efb-b9e7-504c6dd529d0.

If I use fhirserver Url without the proxy and make the same request, I get the correct result for both resources.

This proxy is trying to reference patient/26b8f4f5-441f-481e-b50a-0cd265df4f08 in Goal and Procedure resources. Goal and Procedure don't have a patient reference field in the FHIR R4 version.

Any idea how should I resolve this error?
Goal and Procedure Resource:-

{
"resourceType": "Bundle",
"id": "0c04e7af9f4e9e3f0d8e6e5c31e7053f",
"meta": {
"lastUpdated": "2022-11-29T02:13:52.4034336+00:00"
},
"type": "searchset",
"link": [
{
"relation": "self",
"url": "https://azure-fhir-modified.azurehealthcareapis.com/Goal"
}
],
"entry": [
{
"fullUrl": "https://azure-fhir-modified.azurehealthcareapis.com/Goal/3cfadb39-d3b2-4efb-b9e7-504c6dd529d0",
"resource": {
"resourceType": "Goal",
"id": "3cfadb39-d3b2-4efb-b9e7-504c6dd529d0",
"meta": {
"versionId": "1",
"lastUpdated": "2022-11-23T22:37:11.128+00:00",
"source": "#iLFSV7OLv0KF8dmQ",
"profile": [
"http://hl7.org/fhir/us/core/StructureDefinition/us-core-goal"
]
},
"lifecycleStatus": "active",
"description": {
"coding": [
{
"system": "http://snomed.info/sct",
"code": "281004",
"display": "Alcoholic dementia"
}
],
"text": "Alcoholic dementia"
},
"subject": {
"reference": "Patient/26b8f4f5-441f-481e-b50a-0cd265df4f08"
},
"target": [
{
"dueDate": "2020-12-07"
}
]
},
"search": {
"mode": "match"
}
}
]
}

{
"resourceType": "Bundle",
"id": "3f193d686ae0e5957b397523b42eb866",
"meta": {
"lastUpdated": "2022-11-29T01:05:57.4453493+00:00"
},
"type": "searchset",
"link": [
{
"relation": "self",
"url": "https://azure-fhir-modified.azurehealthcareapis.com/Procedure"
}
],
"entry": [
{
"fullUrl": "https://azure-fhir-modified.azurehealthcareapis.com/Procedure/16b495e0-c8d7-4ea4-8805-ac9a9498321c",
"resource": {
"resourceType": "Procedure",
"id": "16b495e0-c8d7-4ea4-8805-ac9a9498321c",
"meta": {
"versionId": "1",
"lastUpdated": "2022-11-23T22:48:56.424+00:00",
"source": "#E1VolYkq84D3M96u",
"profile": [
"http://hl7.org/fhir/us/core/StructureDefinition/us-core-procedure"
]
},
"status": "completed",
"code": {
"coding": [
{
"system": "http://snomed.info/sct",
"code": "430193006",
"display": "Medication Reconciliation (procedure)"
}
],
"text": "Medication Reconciliation (procedure)"
},
"subject": {
"reference": "Patient/26b8f4f5-441f-481e-b50a-0cd265df4f08"
},
"encounter": {
"reference": "Encounter/63b9a51e-8db9-4aaa-b477-aa0c50fdb28d"
},
"performedPeriod": {
"start": "1962-06-01T01:11:45-04:00",
"end": "1962-06-01T01:26:45-04:00"
},
"location": {
"reference": "Location/ca3ee226-241e-4c21-bafd-158cbe4a1c88",
"display": "PCP87052"
}
},
"search": {
"mode": "match"
}
}
]
}

When attempting to use the proxy using postman to get back a resource from FHiR, I am getting this error:

401

{
"severity": "error",
"code": "auth-access",
"diagnostics": "Principal is not in an authorized role"
}

What could be wrong with the service principal used to access the proxy?

Hey Microsoft and Contributors,

I am doing research on Microsoft FHIR Server and SMART.

Does your SMART Proxy support scopes at all? Like: patient/Patient.read patient/Observation.write.

Or is just basic support for the ability to authenticate via SMART? Essentially just passing the appropriate url / responses.

I don't think the SMART Proxy support scopes at this time. Just wanted to clarify.

However, it does seem that this FHIR Proxy is what was intended to do SMART scope filtering:
https://github.com/microsoft/fhir-proxy

Is that correct?

Thanks for the time.

-Blake

This issue is still present:

Generating Postman environment for proxy access...
createpostmanproxyenv.bash: line 111: postmantemplateauth.json: No such file or directory

Originally posted by @imrago-medxnote in #18 (comment)

I followed the https://github.com/microsoft/fhir-proxy/blob/v2.0/docs/ConfigureProxyONCg10.md doc using v2.0.

How do I introspect access and refresh tokens for the test 9.10.06?

Also, For test 9.3, the Proctor sheet mentioned that the proctor will introspect the access token and refresh token. I'm using AAD. Any idea how can I introspect my access token? Is AAD provide any token introspection endpoint?

For test 9.10.04, they asked the user should deny/accept offline_access scope at the time of authorization. Or the user should be notified about the offline_access scope at the time of the authorization. Any idea how should I achieve it?

In my case, I can't able to see the offline_access scope during the active directory consent screen. I'm using offline_access in inferno before test execution or while creating an app as mentioned in the documentation.

Please see below screenshot attached:-



Is anybody here, receiving the same thing for offline_access?

For test 2(Limited access), for the scope selection, UI's first scope is empty. The screen has no content for the first checkbox.

Anybody here received the same errors?
My certification is in next week. These things are very important for it. I will really appreciate your help on this.

Would like to have the Resource Group/Resources in Primary and FHIR Proxy App Reg in Secondary Tenant, because I don't have access in Primary. By default, it is getting created in Primary, and I can't add Application Service Principals to the FHIR Server Proxy in Secondary Tenant.

Re: http://hl7.org/fhir/smart-app-launch/conformance/index.html#core-capabilities

Because it's unclear from the README.md whether both EHR launch (launch-ehr) and stand-alone (launch-standalone) launch sequences are supported.

Specifically applications, such as the CMS Patient Accss API, will require the stand-alone launch sequence in combnation with other specific capabilities. Listing the SMART capabilities will help FHIR developers triage fhir-proxy for deeper evaluation.

I'm following the documentation https://github.com/microsoft/fhir-proxy/blob/v2.0/docs/ConfigureProxyONCg10.md
For step 9.3,

I need to rotate the FP-ACCESS-TOKEN-SECRET from the key-vault of the proxy.

I don't see the rotate option for FP-ACCESS-TOKEN-SECRET in my FHIR Proxy's key vault.

Here are some screenshots:-

Any idea how can I rotate this secret? Inferno is asking to do the revocation prior to the execution of the test.

Thanks in advance!

While testing with Inferno tool (g)(10) section "3 EHR Practitioner App" I'm getting an error

Steps from 3.1.01 to 3.1.04 are ok

Step 3.1.05 error

3.1.05 Well-known configuration declares support for required capabilities
The following capabilities required for this scenario are missing: launch-ehr, context-banner, context-style, context-ehr-patient, permission-user

A SMART on FHIR server SHALL convey its capabilities to app developers by listing the SMART core capabilities supported by their implementation within the Well-known configuration file. This test ensures that the capabilities required by this scenario are properly documented in the Well-known file.

well_known_configuration

{"token_endpoint":"https://sfp-xxx.azurewebsites.net/oauth2/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/c5a06aa4-xxx-4e46-86ac-b81d53d73ee6/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/c5a06aa4-xxx-4e46-86ac-b81d53d73ee6/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://sfp-xxx.azurewebsites.net/oauth2/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/c5a06aa4-xxx-4e46-86ac-b81d53d73ee6/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/c5a06aa4-xxx-4e46-86ac-b81d53d73ee6/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/c5a06aa4-xxx-4e46-86ac-b81d53d73ee6/kerberos","tenant_region_scope":"NA","cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net","capabilities":["launch-standalone","client-public","Patient Access for Standalone Apps","sso-openid-connect","context-standalone-patient","permission-offline","permission-patient","client-confidential-symmetric"]}

To reproduce the error

Run test # 3 on https://inferno.healthit.gov/suites/test_sessions/3294991d-8299-4ea0-86ad-b8d5b1e87af6

Provide your Fhir Proxy Url, client and secret

Use this link to complete test https://inferno.healthit.gov/suites/custom/smart/launch?launch=123&iss=https://sfp-proxyxxx.azurewebsites.net/fhir

Hello team,

I'm trying to retrieve the fhir provenance resource using postman.

I'm getting an error stating Could not find Patient Reference Patient/7f1afe3a-2ad0-48cd-bbe6-6d9edf8fb483 in reference fields patient of resource Provenance/d1567109-b1d6-4d68-bc50-20fd9655d48d.
If I use fhir server Url without the proxy and make the same request, I get the correct result for the provenance resource.

This proxy is trying to reference patient/7f1afe3a-2ad0-48cd-bbe6-6d9edf8fb483 in each and every resource. Provenance doesn't have a patient reference field in the FHIR R4 version.

I'm getting the same error for resources CarePlan, Encounter, and Procedure stating could not find a patient reference
patient/7f1afe3a-2ad0-48cd-bbe6-6d9edf8fb483 in the patient reference field of CarePlan, Encounter, and Procedure Resources.

I have added fhirUser Claim as per this documentation and used patient/7f1afe3a-2ad0-48cd-bbe6-6d9edf8fb483 in the extensionAttribute.

Anybody here has any idea about this? I have been stuck on this for a long time.

Hello team,

I have added fhir proxy using the v2 branch. I used AAD as an identity provider also MSI as an authentication method.
I followed this documentation to create a smart client. https://github.com/microsoft/fhir-proxy/tree/v2.0/scripts

After creating the smart client, I can get the access token using authorization code flow, and also I can get the patient resource. (Get request is working for patient resource).
When I make a post request I'm getting a 401 error stating that Must have to Create/Write Permissions on resource type Patient.

Anybody here has any idea what I'm doing wrong here?

smart client name:- proxy10391-smart-client-2
fhir proxy:- sfp-proxy10391.azurewebsites.net
fhir server:-fhirstandalonecli
I'm adding some screenshots.

IAM blade for my fhir server:-(ADDING FHIR CONTRIBUTOR ROLE FOR MY FHIR PROXY)

API Permissions for fhir proxy:-

App Roles for fhir proxy:-

Scopes for fhir proxy:-

API Permissions for smartclient:-

Scopes and App roles are empty for smartclient.

Postman Operations:-
Getting access token:-

Get Patient Resource using the access token above:-

Error for post request:-
Header:-

Body:-

Authorization:-

I will really appreciate your help. Thanks in advance!

Hi, I am currently working on a project where I am seriously considering the use of the Azure FHIR Service from the managed Health APIs but we need to support multi-tenancy and other auth scenarios and this project looks like it could be a good fit.

My question is really if this project is mature enough that Microsoft would recommend using it in production? Also if we were to deploy this to our production environment what options of support do we have if we run into issues? I understand that this is an open source project but given that this is centred around security and authentication which is a domain that is notoriously hard to get right and very easy to mess up I am wondering how realistic it would be to maintain this ourselves if we did run into some problems and if Microsoft can provide any guidance/guarantees around it?

Also is there any other managed (PaaS) offering in Azure at the moment which we could leverage to provide multi-tenancy around the Azure FHIR Server or is this proxy our best bet?

Many thanks!

Hello,

I run the Inferno test for Multi Patient.
The test 7.2.05 is failed

The last API call is get 500 error, more details

Check the log in FHIR proxy, function name "ProxyFunction"

This is unknown error

I check the export storage account and see there is ndjson file in blob container

If you guys has any guidance or troubleshoot direction, please let me know

Thank you

When running the createproxyserviceclient.bash I got this warning:

WARNING: Invoking "az ad app permission grant --id xxxxx --api yyyy" is needed to make the change effective

when I execute that, I am getting the following error:

"Insufficient privileges to complete the operation."

Running it as an admin. What needs to be changed?

I followed the v2.0 branch documentation for the g(10) certification. I'm using MSI and AAD.

I have received the proctor sheet from the Drummond group for the g(10) certification, in the proctor sheet they mentioned that for tests standalone patient API, limited access app, EHR APP, and single patient API after selection of the scopes user should enter user id and password.

If I use my Microsoft account userid/password for this then after the first test user gets cached in the browser and for the next tests it does not ask for userid/password. I'm not sure if we should Microsoft account userid and password for this or not
Here right now proxy only asks for userid. Please see the screenshot attached. Also, the first checkmark doesn't have any value. Why it is empty?

I also have questions about the visual inspection, they are expecting a demonstration about client registration for single and multiple patients. Any idea how can I create clients for single and multiple patients? Do I have to show them the client registration steps of standalone patient API and Multiple Patent API?

Also, the user should know about the offline_accesss scope. How can I achieve this?
I will really appreciate your help on this. My deadline is very near for the certification.

The script prompt indicates that MSI is the default however the script actually uses the #defAuthType variable to set the default... So the text in the prompt needs to be updated to remove the "default of MSI" text.

echo "Would you prefer an MSI Account or Service Principal for FHIR-Proxy to FHIR Service Authorization"
echo "Press Enter to accept default of MSI or type in SP then Enter ["$defAuthType"]:"

When running bash deployfhirproxy.bash -g $RGNAME -l $LOCATION -p $PREFIX, the value of prefix is not being honored by the script and the error deployfhirproxy.bash: line 85: OPTARG: unbound variable is outputted.

Hi Team,

When we run test case 7.2.05 Bulk Data Server returns "202 Accepted" or "200 OK" for status check

We are getting 404.

Request Details: https://sfp-onc-app.azurewebsites.net/fhir_operations/export/84f7b057-c141-4ca4-a4c5-c0cbd05e6291

Cross checked in storage account, we are able to see the container with 84f7b057-c141-4ca4-a4c5-c0cbd05e6291, and previous data are exported.

Kindly let us know if we are missed something

There are authorization errors when using SMART on FHIR proxy with the latest FHIR client library, namely:

• AAD Authentication seems to require client secret. Setting this up is either missing from the documentation, or is not clear enough.
• After adding AAD Secret to the request, it still fails. This is due to the changed API of the FHIR client library, which returns Promise<Client> on successful authentication sequence, instead of just accepting the callback.

Please note that I'm using the following set-up:

• Microsoft Health Data Services Azure template,
• FHIR server created from the "Add FHIR Server" functionality of the template,
• Azure AD Application set-up according to the official documentation.

I have also enabled the following functionalities in the Authentication Blade for the App which is allowed access to the FHIR server:

• Access Tokens,
• ID Tokens,
• Allow Public Client Flows.

Running script returns error - in following line 'resource-group' is misspelled.

echo "Creating Function App MSI for KeyVault Access..."
msi=$(az functionapp identity assign --subscription $subscriptionId **--resouce-group** $resourceGroupName --name $proxyAppName --query "principalId" --out tsv)

Hello,

When I run the Single Patient API test, I met this problem

Go to more details

"fullUrl": "https://sfp-proxy23604.azurewebsites.net/fhir/Provenance/85807868-f29c-1ca9-1d2a-91665d2c4f05", "resource": { "resourceType": "OperationOutcome", "id": "3072650f-7d47-4426-ae20-e7ff1264c31d", "issue": [ { "severity": "warning", "code": "forbidden", "diagnostics": "Could not find Patient Reference Patient/e91975f5-9445-c11f-cabf-c3c6dae161f2 in reference fields patient of resource Provenance/85807868-f29c-1ca9-1d2a-91665d2c4f05" } ] },

Then I search in FHIR data for Provenance ID and saw it also has reference to this Patient ID

I think all the correct data is there in FHIR, just don't know why Inferno throw error.

If you guys can suggest any hint, any keyword or any direction to troubleshoot, I am appreciate your help

Thank you

I have inserted the Patient resource that conforms to the US Core Patient Profile. I'm getting an error for inferno which is not very clear.
I'm getting an error for point 7.3.03.
I'm following this document for ONC g(10) certification https://github.com/microsoft/fhir-proxy/blob/v2.0/docs/ConfigureProxyONCg10.md.
I have followed every step for test 7 (Multi Patient API) from the above document.

For enabling export on the FHIRSERVER I have performed following steps:-

1. Enabled Managed Identity on Azure API for FHIR.
2. Created an Azure storage account in the same resource of FHIRSERVER and assigned permissions to Azure API for FHIR to the storage account.
3. Selected the storage account in Azure API for FHIR as export storage account.

I have followed it from this document:- https://learn.microsoft.com/en-us/azure/healthcare-apis/azure-api-for-fhir/configure-export-data

Do I have to perform any other operations on the FHIR Server? Like in the networking tab of my storage account I have selected Enable from all networks. Do I have to select Enabled from selected virtual networks and IP addresses?

When I try to access NDJSON file for FHIR resources I get the status 500.
Please guide me with this. I have spent a long time on it and my deadline for ONC certification is very near.

THIS IS THE INPUT AND VALUE FOR THE REQUEST:-

status_output:-

[{"type":"AllergyIntolerance","url":"https://sfp-proxy23209.azurewebsites.net/fhir/_exportFile/6046bf68-ddbb-47a4-b60c-9727e792879e/20221123T202715-a5aa47db-b2ae-4567-bedf-a2716d094573/AllergyIntolerance-1.ndjson","count":2},{"type":"Group","url":"https://sfp-proxy23209.azurewebsites.net/fhir/_exportFile/6046bf68-ddbb-47a4-b60c-9727e792879e/20221123T202715-a5aa47db-b2ae-4567-bedf-a2716d094573/Group-1.ndjson","count":2},{"type":"Patient","url":"https://sfp-proxy23209.azurewebsites.net/fhir/_exportFile/6046bf68-ddbb-47a4-b60c-9727e792879e/20221123T202715-a5aa47db-b2ae-4567-bedf-a2716d094573/Patient-1.ndjson","count":2},{"type":"Provenance","url":"https://sfp-proxy23209.azurewebsites.net/fhir/_exportFile/6046bf68-ddbb-47a4-b60c-9727e792879e/20221123T202715-a5aa47db-b2ae-4567-bedf-a2716d094573/Provenance-1.ndjson","count":1}]

requires_access_token

true

bearer_token

eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJvaWQiOiI2MDQ2YmY2OC1kZGJiLTQ3YTQtYjYwYy05NzI3ZTc5Mjg3OWUiLCJ0aWQiOiI2MDQ2YmY2OC1kZGJiLTQ3YTQtYjYwYy05NzI3ZTc5Mjg3OWUiLCJzZXJ2aWNlQ2xpZW50Ijoic3lzdGVtIiwic2NwIjoic3lzdGVtLioucmVhZCBzeXN0ZW0uX29wZXJhdGlvbnMuKiIsImlzcyI6Imh0dHBzOi8vZmhpci1wcm94eS5henVyZWhlYWx0aGNhcmVhcGlzLmNvbSIsImF1ZCI6Imh0dHBzOi8vc2ZwLXByb3h5MjMyMDkuYXp1cmV3ZWJzaXRlcy5uZXQvb2F1dGgyL3Rva2VuIiwic3ViIjoiNjA0NmJmNjgtZGRiYi00N2E0LWI2MGMtOTcyN2U3OTI4NzllIiwibmJmIjoxNjY5MjM1MjMzLCJleHAiOjE2NjkyMzg4MzIsImlhdCI6MTY2OTIzNTIzM30.b6hXwQVdonn5jgZuCgH7BCQScYzbyxoS4zaUnxR16OFStjb5vun2Qnr80sdzoCFb

bulk_download_url

https://sfp-proxy23209.azurewebsites.net/fhir/_exportFile/6046bf68-ddbb-47a4-b60c-9727e792879e/20221123T202715-a5aa47db-b2ae-4567-bedf-a2716d094573/AllergyIntolerance-1.ndjson

lines_to_validate

bulk_patient_ids_in_group

26b8f4f5-441f-481e-b50a-0cd265df4f08, 6b0ad32c-eb5d-4db1-81bc-000369b9a1f5

bulk_device_types_in_group

I have no idea how to debug this. Do you have any insights on this? I will really appreciate your help.

Hello team,

I basically got standalone launch working using this (https://github.com/microsoft/fhir-proxy/tree/v2.0/scripts).
I'm using AAD as an identity provider and MSI as the authentication method.
I want to pass the g(10) certification for ONC. I have given added permissions for every fhir resource.
For the limited access launch app, I need to give access to only some resources for the same client.
Any idea how can I achieve it? Seems like I can accept/deny all. I cannot select an individual.
I want to achieve something like this for my permissions for the smart client I have created.

I will really appreciate your help guys!

I'm using the v2.0 branch and following the ONC g(10) documentation.

For a Standalone patient App test, All selected scopes are not appearing on the scope selection screen.
I'm passing all the scopes mentioned in the documentation while registering the client.


In the above screenshot first scope is empty and we are not able to see the launch/patient, openid and fhirUser scopes.
If I use the reference server, I can see these scopes. Please see the below screenshot:-

Any idea how can I add the remaining scopes for the proxy?

My deadline for the certification is very near. I will really appreciate your help on this.

Are there dedicated Microsoft Microsoft Healthcare Team support pathways for assistance with FHIR Open Source project implementations? If so, can you define how those resources are accessed/procured?

Hello,

When I run the Inferno test, test 4.10.08, Single Patient.

I met this problem

This is the NDJSON DocumentReference.identifier we use

"identifier":[{"system":"urn:ietf:rfc:3986","value":"DiagnosticReport/957e9339-9750-cd16-4733-0fdd47295465"}],

If you guys has any guidance or troubleshoot direction, please let me know

Thank you

Can you elaborate on the difference the SMART on FHIR proxy (Azure API for FHIR option) and the open source project fhir-proxy (gateway). I assume they can co-exist.

How can I disable the 2FA so I don't have to enter the code after the password? This is for the g(10) certification. I'm using the v2 branch, AAD and MSI.

I followed these steps but it did not work.

Go to the Azure Portal https://portal.azure.com/#home and sign in with the admin account for your organisation. Click on the hamburger icon to expand the menu and select Azure Active Directory. Select Properties from the left navigation menu. Click Manage security defaults, and toggle NO for Enable security defaults.