Re-authentication issue

  • Question

  • Hi, everyone especially the HV team,

    Recently we added more features in our HV application and also the request for extra data types has been approved and made by HV team, but somehow when the user comes to our application after we deployed this new release, some of them are asked to re-authenticate, but some are not.

    When I dug deeper, I found that, for some reason, HV only checks whether the self record under that account has re-authorized or not. That means, if a multi-record account is accessing our application and, for some reason, the self record has been granted the correct latest permission, other records will never have a chance to re-authorize, which causes our application to throw the error that access is denied.

    Could anybody advise what I could do? I am thinking some sort of way to force all records under the account to re-authorize the permission.

    Thanks,


    Kane Wang

    Senior Application Developer

    Guide Productions (www.guideproductions.com)

    Tuesday, April 7, 2009 6:46 PM

Answers

  • MRAs have a bit more work to do than SRAs.  You'll be seeing some changes coming up that will hopefully make things a bit easier but you'll always have a bit more to do.  Right now I recommend you use HealthRecordAccessor.QueryPermissions() to see if the AuthorizedRecord meets your app's minimum auth requirements.  If not, you can use one of the WebApplicationUtilities.RedirectToShellUrl() overloads to redirect the user to the "APPAUTH" target to authorize the record.  You can specify the record ID in the "extrecordid" query string parameter of the "targetQuery" parameter.

    As Rajesh pointed out, it would be really great to have the AuthorizedRecords that are returned have a flag that indicates the re-authorization is required. The good news is that this has been implemented and should be out soon.  Another improvement we are looking into is selecting all the records by default on the app-auth page the user sees the first time they try to logon to the app after an app-auth change has been made.

    Jeff Jones
    Technical Lead
    Microsoft HealthVault Platform
    Technical Lead, HealthVault, Health Solutions Group, Microsoft Corporation
    Wednesday, April 8, 2009 3:09 PM

All replies

  • Hi, everyone,

    I found out what happened here.

    It only applies to multi-record accounts. When the application needs re-authorization, the user will be presented with the authorization page in the HV shell, and on this page only the self record is pre-selected. If the user is careless and clicks "Continue", the scenario I described above will happen: other records in this account will never have a chance to re-authorize, but unfortunately these records were authorized before (of course not including the data types we added), therefore they appear in PersonInfo.AuthorizedRecords in our application, and of course we get an access denied exception when we try to load the new data types.

    So does anybody know how to tell whether the record has authorized the new data types? Or could the HV team make a change to the shell to pre-select all previously authorized records and remove the share with our application if the record is not selected, so it will not be included in the AuthorizedRecords collection?

    Thanks,

    Kane Wang

    Senior Application Developer

    Guide Productions (www.guideproductions.com)

    Tuesday, April 7, 2009 7:17 PM
  • One thing you could do is to trap the HealthServiceAccessDeniedException and redirect the user to the APPAUTH page after showing the user a page with enough instructions on what to do at shell....  You can probably set the ismra option which would allow the user to select multiple records in one go..

    Having said that, I still think the Authorized records collection SHOULD have the records which require reauthorization - but an additional flag exposed by the platform suggesting that these records may require reauth if data access is attempted would be helpful...

    HTH
    Raj HealthVault Developer Tool http://xray.getrealconsulting.com
    Wednesday, April 8, 2009 7:39 AM
  • Thanks for the reply.

    However, I have to point out that if the record has not re-authorized the permission, the QueryPermission method will throw the same "Access Deny" error as well if you are querying the new data types which the record has not re-authorized.

    Before the fix, which may come with the next release of HealthVault, what we will do is try to de-authorize the record for the application if we detect such an "Access Deny" error, so that the record will not be in the AuthorizedRecords collection any more. We will also present the user with a description of why the records are not visible in our application and provide a link to the HealthVault Shell to let the user re-authorize.

    Kane Wang

    Senior Application Developer

    Guide Productions (www.guideproductions.com)

    Thursday, April 9, 2009 12:09 AM
  • The only problem I see in deauthorizing and reauthorizing is that PersonId/RecordId will change when the record gets reauthorized.  Applications which store local context information based on the above GUIDs will run into issues.

    Raj
    Raj HealthVault Developer Tool http://xray.getrealconsulting.com
    Thursday, April 9, 2009 11:02 AM
  • Can you explain the scenario where QueryPermissions is throwing an AccessDenied error?  If the record is in the AuthorizedRecord list you are getting back from HealthVault, you should be able to call QueryPermissions on that record.  I want to make sure we don't have a bug here.

    Thanks
    Jeff Jones
    Technical Lead, HealthVault, Health Solutions Group, Microsoft Corporation
    Thursday, April 23, 2009 3:38 PM
  • Hi, Jeff,

    If it is the case, HealthVault does have a bug here. I will summarize the issue here for better understanding.

    The user has granted permissions for his records to our application before. Some time later, we request more data types in our application, and MS officially makes the data type change happen for our application. When the user comes to our application again, he will be prompted to grant permission again. Unfortunately, as the HV shell does not pre-select all records even when all of these records need to be re-authorized, the user may end up re-authorizing only one record if he is not that cautious. After all of this, here is what will happen in our application.

    The AuthorizedRecord list still contains all records even though some of them are not re-authorized; as long as the record has ever granted permission before, it will be in the list as well. When the application tries to use that record (which hasn't re-authorized), it will throw an "Access Deny" error; you will see the error even when you call QueryPermissions.

    Hopefully it makes sense.

    Kane Wang
    Senior Application Developer
    Guide Productions (www.guideproductions.com)
    Friday, April 24, 2009 5:40 PM
  • Thanks.  I'll use your description to get a repro here and file a bug.

    Jeff Jones
    Technical Lead, HealthVault, Health Solutions Group, Microsoft Corporation
    Friday, April 24, 2009 5:44 PM
  • Jeff,

    You quoted the following, which gives me inspiration with my latest issue:

    "As Rajesh pointed out, it would be really great to have the AuthorizedRecords that are returned have a flag that indicates the re-authorization is required. The good news is that this has been implemented and should be out soon.  Another improvement we are looking into is selecting all the records by default on the app-auth page the user sees the first time they try to logon to the app after an app-auth change has been made."

    Can you please tell me if this functionality has been implemented?  If so, where can I learn more about it?

    Thanks,
    Mike
    Monday, November 9, 2009 10:06 PM
  • Take a look at HealthRecordInfo.HealthRecordAuthorizationStatus (http://msdn.microsoft.com/en-us/library/microsoft.health.healthrecordinfo.healthrecordauthorizationstatus.aspx)

    Jeff Jones
    Technical Lead, HealthVault, Health Solutions Group, Microsoft Corporation
    Monday, November 9, 2009 10:19 PM
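
The check-then-redirect flow discussed in this thread, as an added example that is not part of any post above and is not HealthVault SDK code: it reads HealthRecordInfo.HealthRecordAuthorizationStatus for each entry in PersonInfo.AuthorizedRecords and sends the user to the "APPAUTH" target with "extrecordid" for a record that still needs authorization. The class and method names are hypothetical, and it assumes that "extrecordid" is the only query parameter the redirect needs; add whatever else the application's Shell redirects normally carry.

```csharp
using System.Collections.Generic;
using System.Web;
using Microsoft.Health;
using Microsoft.Health.Web;

// Added example: RecordAuthorizationGate and its members are hypothetical names.
public static class RecordAuthorizationGate
{
    // Splits PersonInfo.AuthorizedRecords into records that are usable now and
    // records the user must (re-)authorize in the Shell before any data call.
    public static List<HealthRecordInfo> RecordsNeedingAuthorization(
        PersonInfo person, List<HealthRecordInfo> usable)
    {
        var pending = new List<HealthRecordInfo>();
        foreach (HealthRecordInfo record in person.AuthorizedRecords.Values)
        {
            switch (record.HealthRecordAuthorizationStatus)
            {
                case HealthRecordAuthorizationStatus.NoActionRequired:
                    usable.Add(record);
                    break;
                case HealthRecordAuthorizationStatus.AuthorizationRequired:
                case HealthRecordAuthorizationStatus.ReauthorizationRequired:
                    pending.Add(record);
                    break;
                default:
                    // Unknown or ReauthorizationNotPossible: fail closed and keep
                    // the record out of the UI rather than redirecting.
                    break;
            }
        }
        return pending;
    }

    // Returns true when no record is waiting on the user; otherwise sends the
    // user to APPAUTH for the first pending record (one record per round trip).
    public static bool EnsureAuthorized(HttpContext context, PersonInfo person)
    {
        var usable = new List<HealthRecordInfo>();
        List<HealthRecordInfo> pending = RecordsNeedingAuthorization(person, usable);
        if (pending.Count == 0)
        {
            return true;
        }
        string targetQuery = "extrecordid=" + HttpUtility.UrlEncode(pending[0].Id.ToString());
        WebApplicationUtilities.RedirectToShellUrl(context, "APPAUTH", targetQuery);
        return false;
    }
}
```

Calling EnsureAuthorized before the first data request for a multi-record account keeps a stale record from reaching code that would otherwise hit the access-denied error described in the thread.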