How to get access token for DICOM Service with OAuth2 grant_type=client_credentials
I am trying to get a working access token with OAuth2 grant_type=client_credentials to get access to the DICOM Service. I performed all the steps:
https://learn.microsoft.com/en-us/azure/healthcare-apis/dicom/dicom-register-application
And now I am trying to use the access token produced by an OAuth2 grant_type=client_credentials request to the registered app to access DICOM data. But I get an HTTP 403 error when I use the access token to load or update the data.
When I use grant_type=password, the access token works as expected: I can read and write my DICOM data.
Below are my scripts.
Script to get token via client_credentials request:
#!/usr/bin/bash
TENANT="1fa9468c-81e2-46be-8fb6-57d421e024ba"
CLIENT_ID="55fe42ed-27e9-45ea-9c98-3401075e54cf" # application id
CLIENT_SECRET="app secret here" # application secret
# send POST request to the v2.0 token endpoint
URL="https://login.microsoftonline.com/${TENANT}/oauth2/v2.0/token"
curl -sS "$URL" \
--header "Content-Type: application/x-www-form-urlencoded" \
--header "Connection: close" \
-d "client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}&grant_type=client_credentials&\
scope=https%3A%2F%2Fdicom.healthcareapis.azure.com%2F.default" \
> json_token.json
# extract the bearer token for the second script
jq -r '.access_token' json_token.json > /tmp/token
echo "TOKEN"
echo "===================="
cat json_token.json
Script to get DICOM data:
#!/usr/bin/bash
# WADO-RS retrieve of a single instance (study/series/instance UIDs)
URL="https://healthdatasvcwspc-dicomwebsvc.dicom.azurehealthcareapis.com/v2/studies/1.2.246.352.71.1.164087780.146880.20130213140047\
/series/1.2.246.352.71.2.164087780.1144908.20130213140458/instances/1.2.246.352.71.3.164087780.2233470.20130213140517"
TOKEN=$(cat /tmp/token)
curl -sS "$URL" \
--http1.1 \
--header "Accept: multipart/related; type=\"application/dicom\"; transfer-syntax=*" \
--header "Authorization: Bearer $TOKEN" \
--output "output1.txt"
Decoded access token (doesn't allow access to DICOM):
{
"typ": "JWT",
"alg": "RS256",
"x5t": "JDNa_4i4r7FgigL3sHIlI3xV-IU",
"kid": "JDNa_4i4r7FgigL3sHIlI3xV-IU"
}.{
"aud": "https://dicom.healthcareapis.azure.com",
"iss": "https://sts.windows.net/1fa9468c-81e2-46be-8fb6-57d421e024ba/",
"iat": 1741784077,
"nbf": 1741784077,
"exp": 1741787977,
"aio": "k2RgYGCaERT/xezErfbw8Cd/vXVPAQA=",
"appid": "55fe42ed-27e9-45ea-9c98-3401075e54cf",
"appidacr": "2",
"idp": "https://sts.windows.net/1fa9468c-81e2-46be-8fb6-57d421e024ba/",
"idtyp": "app",
"oid": "39e2584e-962e-4f91-b6e1-538c04960f50",
"rh": "1.AV8AjEapH-KBvkaPtlfUIeAkur8l53XOZupMm5pcTKrlfzMPAQBfAA.",
"sub": "39e2584e-962e-4f91-b6e1-538c04960f50",
"tid": "1fa9468c-81e2-46be-8fb6-57d421e024ba",
"uti": "fo9VR_HHOkOVT84srAsgAA",
"ver": "1.0",
"xms_idrel": "22 7"
}.[Signature]
When I use a different OAuth2 request with grant_type=password and provide my username and password as request parameters, the returned token is different (see below) and it allows me to get/update my DICOM data. Is there any way to use grant_type=client_credentials for DICOM data upload/change/download?
{
"typ": "JWT",
"alg": "RS256",
"x5t": "JDNa_4i4r7FgigL3sHIlI3xV-IU",
"kid": "JDNa_4i4r7FgigL3sHIlI3xV-IU"
}.{
"aud": "https://dicom.healthcareapis.azure.com",
"iss": "https://sts.windows.net/1fa9468c-81e2-46be-8fb6-57d421e024ba/",
"iat": 1741772885,
"nbf": 1741772885,
"exp": 1741777921,
"acr": "1",
"aio": "AWQA........PMzsA",
"amr": [
"pwd"
],
"appid": "55fe42ed-27e9-45ea-9c98-3401075e54cf",
"appidacr": "1",
"family_name": "My family name",
"given_name": "My given name",
"idtyp": "user",
"ipaddr": "2a11:3805:0:22::1",
"name": "GivenName FamilyName",
"oid": "8076b46f-ffeb-4e37-9626-03421edc12bf",
"puid": "10032003D9591189",
"rh": "1.AV8AjEapH-KBvkaPtlfUIeAkur.......TKrlfzMPARFfAA.",
"scp": "Dicom.ReadWrite",
"sid": "002fa369-2531-192c-57c0-a90971314f4e",
"sub": "wjns8P2Zm5wNRcsQzQkXKflFtIVpIzQcv_yyoaDNcaY",
"tid": "1fa9468c-81e2-46be-8fb6-57d421e024ba",
"unique_name": "******@**.com",
"upn": "******@**.com",
"uti": "JgntCc9RNEaNrwHZ0H8RAA",
"ver": "1.0",
"xms_idrel": "1 22"
}.[Signature]
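As an added diagnostic, not part of the question above, the script below decodes a JWT payload locally (no signature check) and reports the claims that carry authorization in an Entra ID token: `scp` for delegated permissions on a user token and `roles` for application permissions on an app-only token (`idtyp: app`). Run against the two payloads shown in the question, it surfaces that the client_credentials token carries neither. The sample tokens are constructed from the claims in the question with a hypothetical unsigned-JWT helper; Azure RBAC assignments on the DICOM resource are not visible in the token, so this only diagnoses what the token itself carries.

```python
import base64
import json
import time
from typing import Optional

DICOM_AUD = "https://dicom.healthcareapis.azure.com"  # audience from the question


def decode_jwt_payload(token: str) -> dict:
    """Return the payload (second segment) of a compact JWT. No signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a 3-segment compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def inspect_token(token: str, expected_aud: str, now: Optional[int] = None) -> dict:
    """Summarise identity type, permission claims and any findings for a bearer token."""
    c = decode_jwt_payload(token)
    now = int(time.time()) if now is None else now
    findings = []
    if c.get("aud") != expected_aud:
        findings.append(f"aud is {c.get('aud')!r}, expected {expected_aud!r}")
    if c.get("exp", 0) <= now:
        findings.append("token is expired")
    if c.get("idtyp") == "app" and "roles" not in c:
        findings.append("app-only token without roles: no application permission in token")
    if c.get("idtyp") == "user" and "scp" not in c:
        findings.append("user token without scp: no delegated permission in token")
    return {
        "identity_type": c.get("idtyp"),
        "delegated_scopes": c["scp"].split() if c.get("scp") else [],
        "app_roles": c.get("roles", []),
        "findings": findings,
    }


def _make_unsigned_jwt(payload: dict) -> str:
    """Hypothetical helper: build an unsigned JWT purely for local testing."""
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'typ': 'JWT', 'alg': 'none'})}.{b64(payload)}."


# Constructed samples mirroring the two payloads in the question.
APP_TOKEN = _make_unsigned_jwt({"aud": DICOM_AUD, "idtyp": "app", "appidacr": "2",
                                "exp": 1741787977, "appid": "55fe42ed-27e9-45ea-9c98-3401075e54cf"})
USER_TOKEN = _make_unsigned_jwt({"aud": DICOM_AUD, "idtyp": "user", "appidacr": "1",
                                 "exp": 1741777921, "scp": "Dicom.ReadWrite"})

if __name__ == "__main__":
    for name, tok in (("client_credentials", APP_TOKEN), ("password", USER_TOKEN)):
        print(name, json.dumps(inspect_token(tok, DICOM_AUD, now=1741773000), indent=2))
```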