Access Denied creating Child App

Question

We are trying to provision a new child app for our master applcation however we receive an AccessDenied exception when the provisioning code is run.

 

Our application id should have been granted Master Application permissions, but perhaps the AccessDenied exception indicates it has not.

 

Partial Exception Trace is:

{{{

   at CreateChildApplication.CreateApplication() in c:\cygwin\home\rseward\spinn\spinn-net\hv-utils\CreateChildApplication.cs:line 74

   at Spinn.Program.Main(String[] args) in c:\cygwin\home\rseward\spinn\spinn-net\spinn-add-child-app\Program.cs:line 41 Microsoft.Health.HealthServiceAccessDeniedException :StatusCode = AccessDenied :StatusCodeId = 11    

}}}

 

The provisioning code is as follows:

public class CreateChildApplication

{

    public CreateChildApplication()

    {


    }


    public static void CreateApplication()

    {

        String myAppId = "our-master-guid";

        

        // Create an offline connection, we use an empty Guid as personId

        // There is a bug to create a constructor without requiring a guid

        OfflineWebApplicationConnection offlineConnection =

            new OfflineWebApplicationConnection(

                new Guid(myAppId),

                " https://platform.healthvault-ppe.com/platform/wildcat.ashx ",

                Guid.Empty);

        //offlineConnection.Authenticate();

        

        // Setting up the application we want to create

        ApplicationInfo appInfo = new ApplicationInfo();

        appInfo.Name = "myechart";

        appInfo.AuthorizationReason = "Myechart needs authorization to allow you to share information and communicate online with your attending physician.";

        appInfo.Description = "Personal Health Information and Emergency Notification for an Active Lifestyle.";

        appInfo.ConfigurationOptions = ApplicationOptions.None;

        

        // get a base64 encoded logo

        appInfo.LargeLogo = new ApplicationBinaryConfiguration("my_e-chart-1.jpg","content-type\\image");

        // base64 encoded public key for this application

        appInfo.PublicKeys.Add(

            GetPublicKeyFromPfxOrP12("myechart.cer"));

        appInfo.PrivacyStatement = new ApplicationBinaryConfiguration(

            "myechart-privacy.txt", "content-type\\text");

        appInfo.TermsOfUse = new ApplicationBinaryConfiguration

            ("myechart-terms-of-use.txt", "content-type\\text");

        appInfo.ActionUrl = new Uri(" https://www.myechart.com/auth/ ");

        

        // Create the rules individually

        List<AuthorizationSetDefinition> rules = new List<AuthorizationSetDefinition>(); 

        

        rules.Add(new TypeIdSetDefinition(Microsoft.Health.ItemTypes.Basic.TypeId));

        rules.Add(new TypeIdSetDefinition(Microsoft.Health.ItemTypes.Personal.TypeId));

        rules.Add(new TypeIdSetDefinition(Microsoft.Health.ItemTypes.Allergy.TypeId));

        

        AuthorizationRule rule1 = new AuthorizationRule(

            HealthRecordItemPermissions.All,

            rules /*(AuthorizationSetDefinition)(new TypeIdSetDefinition(Basic.TypeId))*/,

            new List<AuthorizationSetDefinition>());

        appInfo.OfflineBaseAuthorizations.Add(rule1);

        // Add more rules

        Guid childAppId = Provisioner.AddApplication(offlineConnection, appInfo);

        Console.WriteLine("Provisioned child app id: "+ childAppId);

    }


    private static byte[] GetPublicKeyFromPfxOrP12(string fullPathToCerFile)

    {

        X509Certificate cert = new X509Certificate(fullPathToCerFile);

        return cert.GetRawCertData();

    }

}

 

 

The full exception trace is as follows:

{{{

Unhandled Exception: Microsoft.Health.HealthServiceAccessDeniedException: Access is denied.

   at Microsoft.Health.EasyWebRequest.WaitForCompletion() in c:\src\hsmain\private\prod\src\sdk\core\EasyWebRequest.cs:line 754

   at Microsoft.Health.EasyWebRequest.Fetch(Uri url) in c:\src\hsmain\private\prod\src\sdk\core\EasyWebRequest.cs:line 208

   at Microsoft.Health.EasyWebRequest.Fetch(Uri url, IEasyWebResponseHandler customHandler) in c:\src\hsmain\private\prod\src\sdk\core\EasyWebRequest.cs:line 249

   at Microsoft.Health.HealthServiceRequest.ExecuteInternal() in c:\src\hsmain\private\prod\src\sdk\core\HealthServiceRequest.cs:line 140

   at Microsoft.Health.HealthServiceRequest.Execute() in c:\src\hsmain\private\prod\src\sdk\core\HealthServiceRequest.cs:line 129

   at Microsoft.Health.Authentication.Credential.MakeCreateTokenCall(String methodName, Int32 version, HealthServiceConnection connection, Collection`1 appTokenCreationInfo) in c:\src\hsmain\private\prod\src\sdk\core\Authentication\Credential.cs:line 520

   at Microsoft.Health.Authentication.Credential.MakeCreateTokenCall(String methodName, Int32 version, HealthServiceConnection connection, Guid appId, Boolean isMra) in c:\src\hsmain\private\prod\src\sdk\core\Authentication\Credential.cs:line 436

   at Microsoft.Health.Authentication.Credential.CreateAuthenticatedSessionToken(HealthServiceConnection connection, Guid appId) in c:\src\hsmain\private\prod\src\sdk\core\Authentication\Credential.cs:line 381

   at Microsoft.Health.Web.Authentication.WebApplicationCredential.AuthenticateKeySetPair(AuthSessionKeySetPairs keySetPairs, HealthServiceConnection connection, Guid applicationId) in c:\src\hsmain\private\prod\src\sdk\core\Authentication\WebApplicationCredential.cs:line 1019

   at Microsoft.Health.Web.Authentication.WebApplicationCredential.AuthenticateKeySetPair(HealthServiceConnection connection, Guid applicationId) in c:\src\hsmain\private\prod\src\sdk\core\Authentication\WebApplicationCredential.cs:line 954

   at Microsoft.Health.Web.Authentication.WebApplicationCredential.Authenticate(HealthServiceConnection connection, Guid applicationId) in c:\src\hsmain\private\prod\src\sdk\core\Authentication\WebApplicationCredential.cs:line 378

   at Microsoft.Health.Web.Authentication.WebApplicationCredential.AuthenticateIfRequired(HealthServiceConnection connection, Guid applicationId) in c:\src\hsmain\private\prod\src\sdk\core\Authentication\WebApplicationCredential.cs:line 345

   at Microsoft.Health.Web.OfflineWebApplicationConnection.Authenticate() in c:\src\hsmain\private\prod\src\sdk\core\OfflineWebApplicationConnection.cs:line 311

   at Microsoft.Health.Web.OfflineWebApplicationConnection.CreateRequest(String

methodName, Int32 methodVersion, Boolean forAuthentication) in c:\src\hsmain\private\prod\src\sdk\core\OfflineWebApplicationConnection.cs:line 336

   at Microsoft.Health.HealthServiceConnection.CreateRequest(String methodName,

Int32 methodVersion) in c:\src\hsmain\private\prod\src\sdk\core\HealthServiceConnection.cs:line 162

   at Microsoft.Health.ApplicationProvisioning.Provisioner.AddApplication(OfflineWebApplicationConnection connection, ApplicationInfo applicationConfigurationInformation) in c:\src\hsmain\private\prod\src\sdk\core\ApplicationProvisioning\Provisioner.cs:line 131

   at CreateChildApplication.CreateApplication() in c:\cygwin\home\rseward\spinn\spinn-net\hv-utils\CreateChildApplication.cs:line 74

   at Spinn.Program.Main(String[] args) in c:\cygwin\home\rseward\spinn\spinn-net\spinn-add-child-app\Program.cs:line 41 Microsoft.Health.HealthServiceAccessDeniedException :StatusCode = AccessDenied :StatusCodeId = 11    

}}}

 

Answer 1

What's your app ID?

Answer 2

It looks like you are trying to create a Child AppId with these three data types, with Permissions.All:

        rules.Add(new TypeIdSetDefinition(Microsoft.Health.ItemTypes.Basic.TypeId));

        rules.Add(new TypeIdSetDefinition(Microsoft.Health.ItemTypes.Personal.TypeId));

        rules.Add(new TypeIdSetDefinition(Microsoft.Health.ItemTypes.Allergy.TypeId));

Assuming that you are using the 813c11ea... AppId, I can see in the config tool that you have configured these types:

Basic Demographic Information
Personal Demographic Information
Allergy

Within the raw XML of your config I see each action/permission spelled out (Read, Create, Update, Delete) but in the UI I see Permissions.All, so I don't think that a permission mismatch is the issue.

Looking in detail at the types ... I looked up the GUIDs for each of your types in our HealthRecordItemType Schema Browser at http://developer.healthvault.com/types/types.aspx and I see that each of the types that is named in my second list above has a type GUID that shows up in your configuration. 

At times I have seen confusion about which types are associated with the classes "Basic" and "Personal" but I believe that you have that mapping correct.

Your methodmask also looks correct in the config tool.

At this point, I suppose I should wait for confirmation about which AppId you are using.

---

Chris Tremonte, PM - HealthVault

Answer 3

I believe this was cleared up over email-- there was confusion over the app ID and associated configuration.