Authentication: Azure AD B2C Integration

FHIR Resource Claim Mapping

Configure Azure AD B2C to establish granular relationships between directory users and FHIR resources through custom claims:

1. Directory Configuration

Required Custom Attributes:

extension_entity_type: FHIR resource category (Patient/Practitioner/RelatedPerson)
extension_entity_id: Unique identifier in FHIR resource system

Implementation Rationale:

This approach described here replaces Microsoft's fhirUser claim with discrete resource typing for:

Precise access control boundaries

Multi-resource user associations

Simplified audit trail generation

Application Registration Template

// Preserved original configuration  
{  
  "auth": {  
    "systems": [{  
      "type": "oauth",  
      "parameters": {  
        "jwks_uri": "https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=<policy>",  
        "issuer": "https://<tenant>.b2clogin.com/<tenant-id>/v2.0/",  
        "entity_type_claim": "extension_entity_type",  
        "entity_id_claim": "extension_entity_id"  
      }  
    }]  
  }  
}  

Key Parameters:

jwks_uri: Dynamic keyset endpoint for token validation
entity_type_claim: FHIR resource type assertion
entity_id_claim: Target resource identifier

Portal Configuration Workflow

Policy Configuration

Implementation Steps:

Create user flow with "Email" identity provider
Add both extension attributes as Application Claims
Configure token issuer to include claims in ID/access tokens

Token Validation Process

Expected Claims Structure

{  
  "aud": "api://medbackend",  
  "iss": "https://medb2c.b2clogin.com/tenant-id/v2.0/",  
  "extension_entity_type": "Patient",  
  "extension_entity_id": "c6a5ef32-72b7-45e1-8faa-9e89807b5192",  
  "scp": "patient.read practitioner.read"  
}  

Validation Checks:

JWT signature via JWKS endpoint
entity_type matches scoped resource types
entity_id exists in designated FHIR system

Operational Guidance

Troubleshooting Matrix

Symptom	Diagnostic Steps	Resolution
Invalid entity_type	Verify B2C user flow application claims	Reassign custom attributes
Token rejection	Validate `jwks_uri` connectivity	Update authority configuration
Scope mismatch	Audit token scopes vs FHIR policies	Regenerate app registration permissions

Security Best Practices

Configure claim validation in middleware:

# Pseudocode - Token validation  
validate_claims(required_claims={  
  "extension_entity_type": ["Patient", "Practitioner"],  
  "extension_entity_id": UUID_PATTERN  
})  

Rotate B2C policy keys quarterly
Enable token binding for sensitive operations

FHIR Resource Claim Mapping​

1. Directory Configuration​

Application Registration Template​

Portal Configuration Workflow​

Policy Configuration​

Token Validation Process​

Expected Claims Structure​

Operational Guidance​

Troubleshooting Matrix​

Security Best Practices​