microsoft / dicom-server

OSS Implementation of DICOMweb standard
MIT License

Unable to get corresponding FHIR resource(Patient's data) in FHIR service. #3045

Closed HitakshiDobariya99 closed 1 year ago

HitakshiDobariya99 commented 1 year ago

I've deployed DICOM Cast successfully and performed all the steps of "Sync Medical Imaging Server for DICOM metadata into FHIR Server for Azure", but I am unable to get the corresponding FHIR resources in the FHIR service.

I have confusion about some steps of this doc.

1. While setting the authentication for your FHIR & DICOM App Services, I'm unable to set Audience, Authority, and Security: Enabled in the DICOM service, and unable to set Security: Enabled in the FHIR service.

2. While updating Key Vault for DICOM Cast, in the document you've mentioned "Search for your Service Principal". Under "Select principal", which principal should I select? User principal or Enterprise Application principal? If Enterprise Application principal, then which application should I select?

Right now, I have not authenticated the DICOM service, and for the service principal I have selected the user principal.

Here is the detailed container log:

info: Azure.Identity[1]
      DefaultAzureCredential.GetToken invoked. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId: 
info: Azure.Identity[1]
      EnvironmentCredential.GetToken invoked. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId: 
info: Azure.Identity[3]
      EnvironmentCredential.GetToken was unable to retrieve an access token. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
info: Azure.Identity[1]
      WorkloadIdentityCredential.GetToken invoked. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId: 
info: Azure.Identity[3]
      WorkloadIdentityCredential.GetToken was unable to retrieve an access token. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot
info: Azure.Identity[1]
      ManagedIdentityCredential.GetToken invoked. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId: 
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:31Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] MSAL MSAL.NetCore with assembly version '4.54.1.0'. CorrelationId(0c85f10d-5c3c-4f91-a149-c05e7048dae4)
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:31Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] === AcquireTokenForClientParameters ===
      SendX5C: False
      ForceRefresh: False

info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:31Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] 
      === Request Data ===
      Authority Provided? - True
      Scopes - https://dicom.healthcareapis.azure.com
      Extra Query Params Keys (space separated) - 
      ApiId - AcquireTokenForClient
      IsConfidentialClient - True
      SendX5C - False
      LoginHint ? False
      IsBrokerConfigured - False
      HomeAccountId - False
      CorrelationId - 0c85f10d-5c3c-4f91-a149-c05e7048dae4
      UserAssertion set: False
      LongRunningOboCacheKey set: False
      Region configured: 

info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:31Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] === Token Acquisition (ClientCredentialRequest) started:
         Scopes: https://dicom.healthcareapis.azure.com
        Authority Host: login.microsoftonline.com
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:31Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] [Region discovery] Not using a regional authority. 
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:31Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] [Instance Discovery] Skipping Instance discovery because it is disabled. 
info: Azure.Core[1]
      Request [467f2d30-036f-41e2-ab12-9619b63ec6c7] GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=REDACTED
      Metadata:REDACTED
      x-ms-client-request-id:467f2d30-036f-41e2-ab12-9619b63ec6c7
      x-ms-return-client-request-id:true
      User-Agent:azsdk-net-Identity/1.10.0 (.NET 7.0.10; Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022)
      client assembly: Azure.Identity
info: Azure.Core[5]
      Response [467f2d30-036f-41e2-ab12-9619b63ec6c7] 200 OK (00.0s)
      Date:Thu, 14 Sep 2023 13:58:32 GMT
      Content-Type:application/json
      Content-Length:1438

info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] Checking client info returned from the server..
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] Saving token response to cache..
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] [SaveTokenResponseAsync] ID Token not present in response. 
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] Cannot determine home account id - or id token or no client info and no subject 
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] [SaveTokenResponseAsync] Saving AT in cache and removing overlapping ATs...
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] Looking for scopes for the authority in the cache which intersect with https://dicom.healthcareapis.azure.com
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] Intersecting scope entries count - 0
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] 
        === Token Acquisition finished successfully:
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4]  AT expiration time: 09/15/2023 12:56:16 +00:00, scopes: https://dicom.healthcareapis.azure.com. source: IdentityProvider
info: Azure.Identity[8]
      False MSAL 4.54.1.0 MSAL.NetCore .NET 7.0.10 Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022 [2023-09-14 13:58:32Z - 0c85f10d-5c3c-4f91-a149-c05e7048dae4] Fetched access token from host login.microsoftonline.com. 
info: Azure.Identity[2]
      ManagedIdentityCredential.GetToken succeeded. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId:  ExpiresOn: 2023-09-15T12:56:16.0260624+00:00
info: Azure.Identity[13]
      DefaultAzureCredential credential selected: Azure.Identity.ManagedIdentityCredential
info: Azure.Identity[2]
      DefaultAzureCredential.GetToken succeeded. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId:  ExpiresOn: 2023-09-15T12:56:16.0260624+00:00
crit: Microsoft.Health.DicomCast.Core.Features.Worker.DicomCastWorker[0]
      Unhandled exception.
      Microsoft.Health.Dicom.Client.DicomWebException: Forbidden: Authorization failed.
         at Microsoft.Health.Dicom.Client.DicomWebClient.EnsureSuccessStatusCodeAsync(HttpResponseMessage response, Func`5 additionalFailureInspector) in /_/src/Microsoft.Health.Dicom.Client/DicomWebClient.cs:line 219
         at Microsoft.Health.Dicom.Client.DicomWebClient.GetChangeFeedLatest(String queryString, CancellationToken cancellationToken) in /_/src/Microsoft.Health.Dicom.Client/DicomWebClient.ChangeFeed.cs:line 41
         at Microsoft.Health.DicomCast.Core.Features.DicomWeb.Service.ChangeFeedRetrieveService.RetrieveLatestSequenceAsync(CancellationToken cancellationToken) in /_/converter/dicom-cast/src/Microsoft.Health.DicomCast.Core/Features/DicomWeb/Service/ChangeFeedRetrieveService.cs:line 41
         at Microsoft.Health.DicomCast.Core.Features.Worker.ChangeFeedProcessor.ProcessAsync(TimeSpan pollIntervalDuringCatchup, CancellationToken cancellationToken) in /_/converter/dicom-cast/src/Microsoft.Health.DicomCast.Core/Features/Worker/ChangeFeedProcessor.cs:line 70
         at Microsoft.Health.DicomCast.Core.Features.Worker.DicomCastWorker.ExecuteAsync(CancellationToken cancellationToken) in /_/converter/dicom-cast/src/Microsoft.Health.DicomCast.Core/Features/Worker/DicomCastWorker.cs:line 95
info: Microsoft.Hosting.Lifetime[0]
      Application is shutting down...
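The log above has a shape worth separating from its noise: EnvironmentCredential and WorkloadIdentityCredential are skipped (expected inside a container with neither configured), ManagedIdentityCredential obtains a token, DefaultAzureCredential selects it, and only then does the DICOM service answer "Forbidden: Authorization failed." The helper below is an added example, not code from the dicom-server project; it reads an Azure.Identity/DICOM Cast container log and reports whether the failure is in acquiring a token or in what the target service allows the authenticated identity to do. The sample log is a constructed excerpt of the lines posted above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed excerpt of the DICOM Cast container log quoted in this issue.
SAMPLE_LOG = """\
info: Azure.Identity[1]
      DefaultAzureCredential.GetToken invoked. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId: 
info: Azure.Identity[3]
      EnvironmentCredential.GetToken was unable to retrieve an access token. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): EnvironmentCredential authentication unavailable.
info: Azure.Identity[3]
      WorkloadIdentityCredential.GetToken was unable to retrieve an access token. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): WorkloadIdentityCredential authentication unavailable.
info: Azure.Identity[2]
      ManagedIdentityCredential.GetToken succeeded. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId:  ExpiresOn: 2023-09-15T12:56:16.0260624+00:00
info: Azure.Identity[13]
      DefaultAzureCredential credential selected: Azure.Identity.ManagedIdentityCredential
info: Azure.Identity[2]
      DefaultAzureCredential.GetToken succeeded. Scopes: [ https://dicom.healthcareapis.azure.com ] ParentRequestId:  ExpiresOn: 2023-09-15T12:56:16.0260624+00:00
crit: Microsoft.Health.DicomCast.Core.Features.Worker.DicomCastWorker[0]
      Unhandled exception.
      Microsoft.Health.Dicom.Client.DicomWebException: Forbidden: Authorization failed.
"""


@dataclass
class CredentialTriage:
    scopes: Set[str] = field(default_factory=set)      # resources a token was requested for
    skipped: List[str] = field(default_factory=list)   # chain members that could not authenticate
    succeeded: List[str] = field(default_factory=list) # chain members that returned a token
    selected: Optional[str] = None                     # credential DefaultAzureCredential settled on
    http_failure: Optional[str] = None                 # status text from the DICOMweb client, if any


# Patterns match the Azure.Identity log event texts shown in the issue.
SKIPPED_RE = re.compile(r"(\w+Credential)\.GetToken was unable to retrieve an access token")
SUCCEEDED_RE = re.compile(r"(\w+Credential)\.GetToken succeeded")
SELECTED_RE = re.compile(r"DefaultAzureCredential credential selected: ([\w.]+)")
SCOPES_RE = re.compile(r"Scopes: \[ (\S+) \]")
FAILURE_RE = re.compile(r"DicomWebException: ((?:Forbidden|Unauthorized)[^\n]*)")


def parse_log(text: str) -> CredentialTriage:
    """Walk the log line by line and collect the credential-chain outcome."""
    triage = CredentialTriage()
    for line in text.splitlines():
        if m := SCOPES_RE.search(line):
            triage.scopes.add(m.group(1))
        if m := SKIPPED_RE.search(line):
            triage.skipped.append(m.group(1))
        if m := SUCCEEDED_RE.search(line):
            # DefaultAzureCredential only reports the chain result; record the member that did the work.
            if m.group(1) != "DefaultAzureCredential":
                triage.succeeded.append(m.group(1))
        if m := SELECTED_RE.search(line):
            triage.selected = m.group(1)
        if m := FAILURE_RE.search(line):
            triage.http_failure = m.group(1).strip()
    return triage


def diagnose(triage: CredentialTriage) -> str:
    """Classify the failure: no token at all, token rejected, or token accepted but action denied."""
    if not triage.succeeded:
        return "authentication"          # no chain member produced a token
    if triage.http_failure is None:
        return "ok"                      # token obtained and no DICOMweb error seen
    if triage.http_failure.startswith("Forbidden"):
        return "authorization"           # 403: identity is known but lacks a data-plane role
    return "token-rejected"              # 401: token issued but not accepted (audience/authority)


def explain(triage: CredentialTriage) -> str:
    """One-line, defender-oriented summary of where to look next."""
    kind = diagnose(triage)
    who = triage.selected or (triage.succeeded[-1] if triage.succeeded else "no credential")
    scopes = ", ".join(sorted(triage.scopes)) or "unknown scope"
    if kind == "authorization":
        return (f"{who} obtained a token for {scopes} but the service replied "
                f"'{triage.http_failure}'. The skipped credentials ({', '.join(triage.skipped)}) "
                "are not the cause; the identity that actually authenticated needs the data-plane "
                "role on the target service.")
    if kind == "authentication":
        return f"No credential in the chain produced a token for {scopes}; skipped: {', '.join(triage.skipped)}."
    if kind == "token-rejected":
        return f"{who} obtained a token for {scopes} but it was rejected: '{triage.http_failure}'."
    return f"{who} obtained a token for {scopes} and no DICOMweb error was logged."


if __name__ == "__main__":
    print(explain(parse_log(SAMPLE_LOG)))
```

Run against the log in this issue, the summary points at the managed identity of the App Service rather than at the user principal that was granted the roles, which is the distinction the rest of the thread turns on.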
poadhika commented 1 year ago

It looks like you are trying to add the secrets to the Key Vault but are having trouble assigning the proper role that would allow you to add secrets to the Key Vault.

The above instruction is simply suggesting to add the service principal that will be used to access that Key Vault. If you are doing it manually and are logged in as yourself, then you should add your service principal. But if this is an automated process and you have created an app via app registration in AAS which should be accessing the Key Vault, then add the appid of this app. Regardless of whatever service principal you are using, that service principal should have Key Vault Contributor access.

Overall, the goal is to allow adding all these properties to the Key Vault.

HitakshiDobariya99 commented 1 year ago

Thank you for your reply. I've selected the user principal and am able to add the DICOM & FHIR server secrets, but I am still unable to get the corresponding FHIR resources (Patient's data) in the FHIR service.

Right now, I have not authenticated the DICOM service. You can see the logs for more details.

poadhika commented 1 year ago

Did you add the DICOM Data Owner and FHIR Data Contributor roles to that user principal on the corresponding DICOM and FHIR server? Also, what is the dicom-audience value you added?

HitakshiDobariya99 commented 1 year ago

Yes, I've added the DICOM Data Owner and FHIR Data Contributor roles to the user principal. I'm unable to edit the authority and audience values of the DICOM server, so I'm providing the default dicom-audience value which is provided by Azure.


HitakshiDobariya99 commented 1 year ago

Environment credential and workload identity credential are not fully configured. Here is the detailed container log:

info: Microsoft.Health.DicomCast.TableStorage.Features.Storage.TableServiceClientInitializer[0]
      Created Table named 'TransientRetryExceptionTable'
info: Microsoft.Health.DicomCast.TableStorage.Features.Storage.TableServiceClientInitializer[0]
      Table Storage and tables successfully initialized
info: Azure.Identity[1]
      DefaultAzureCredential.GetToken invoked. Scopes: [ https://dc2healthdataservice-dc2fhirservice.fhir.azurehealthcareapis.com ] ParentRequestId: 
info: Azure.Identity[1]
      EnvironmentCredential.GetToken invoked. Scopes: [ https://dc2healthdataservice-dc2fhirservice.fhir.azurehealthcareapis.com ] ParentRequestId: 
info: Azure.Identity[3]
      EnvironmentCredential.GetToken was unable to retrieve an access token. Scopes: [ https://dc2healthdataservice-dc2fhirservice.fhir.azurehealthcareapis.com ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
info: Azure.Identity[1]
      WorkloadIdentityCredential.GetToken invoked. Scopes: [ https://dc2healthdataservice-dc2fhirservice.fhir.azurehealthcareapis.com ] ParentRequestId: 
info: Azure.Identity[3]
      WorkloadIdentityCredential.GetToken was unable to retrieve an access token. Scopes: [ https://dc2healthdataservice-dc2fhirservice.fhir.azurehealthcareapis.com ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot
info: Azure.Identity[1]
      ManagedIdentityCredential.GetToken invoked. Scopes: [ https://dc2healthdataservice-dc2fhirservice.fhir.azurehealthcareapis.com ] ParentRequestId: 
poadhika commented 1 year ago

Let me start from the beginning. How are you deploying DICOM and FHIR? Are you deploying DICOM OSS via App Service, or do you have a managed DICOM and FHIR service?

Setting up authority and audience is needed only if you are deploying OSS using App Service. You do not need to set up anything if you are using the managed DICOM service. The only setup you would need is this: https://github.com/microsoft/dicom-server/blob/main/docs/how-to-guides/sync-dicom-metadata-to-fhir.md#update-key-vault-for-dicom-cast.

You can use this document as a reference as well. This document is focused on provisioning DICOM Cast under Private Link, but it also talks about the regular setup needed. https://github.com/microsoft/dicom-server/blob/main/converter/dicom-cast/docs/workingWithPrivateLink.md

HitakshiDobariya99 commented 1 year ago

Hello @poadhika

I'm deploying DICOM Cast with the OSS approach. I've already deployed the DICOM service and FHIR service. While deploying DICOM Cast with OSS, I'm adding the DICOM and FHIR service endpoints.

I've followed this documentation: https://github.com/microsoft/dicom-server/blob/main/docs/how-to-guides/sync-dicom-metadata-to-fhir.md#update-key-vault-for-dicom-cast

I did not get the option in Azure DICOM services for setting up authority and audience; it is available in Azure FHIR service, and we could set these two parameters there.

There is no documentation defined for setting these two parameters (authority and audience) for Azure DICOM services. If you have any other way defined, then please suggest it.