As the internet suggests “While often used interchangeably, authentication and authorization represent fundamentally different functions. Authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to.”
Suppose you already have an app with an authentication mechanism deployed, and for some reason you want to offload a task to a Logic App, say sending emails, with configuration that you want to keep away from the rest of the app. BUT! you want your Logic App to enforce the same authorization (explicitly) as the rest of the APIs in your app, probably consuming the same JWT token for the Logic App as well.
So what exactly will you need?
1. Logic App
2. Token from a valid Issuer
Setting up the Logic App.
Go to portal.azure.com -> Create a Resource -> Search for “Logic App” -> Create.
Fill up the Subscriptions and Instance Details -> review & create.
The logic of the Logic App could be anything, but let’s say you use it as a web-hook and start with the trigger “When a HTTP request is received”.
Click Save, and that will generate an HTTP trigger endpoint for you.
Considering we’re good here, let’s move to the Authorization part.
Setting Up Authorization.
We will be setting up Authorization using the Azure Active Directory Authorization Policies (Ref)
Take your JWT token, decode it and note the Issuer, Audience and any other claims that you wish to check against.
In the Logic App, under Settings, click Authorization and then Add Policy.
You can configure multiple policies here, but note that when your Logic App receives an incoming request that includes an authentication token, Azure Logic Apps compares the token’s claims against the claims in each authorization policy. If the token’s claims include at least all the claims of at least one policy, authorization succeeds.
At a minimum, the Claims list must include the Issuer claim, with a value that starts with https://sts.windows.net/ or https://login.microsoftonline.com/ as the Azure AD issuer ID. For this to work, make sure you remove the SAS part from the HTTP trigger URI; otherwise the policy is overridden and the Logic App authorizes the request using the SAS key and signature.
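To make the decode step and the policy-matching rule above concrete, here is an added Python example (not code from the post or from Azure Logic Apps) that reads the Issuer and Audience out of a JWT payload and then applies the same rule the service uses: authorization succeeds when the token’s claims cover every claim of at least one policy, and every policy must pin the Issuer to an Azure AD issuer ID. The tenant ID, audience and the token itself are constructed placeholders, and the token is not cryptographically signed; the example only reads claims, it does not verify signatures (the Logic Apps service does that).

```python
import base64
import json
import time

# Azure AD issuer prefixes the text names as the minimum required Issuer claim.
AZURE_AD_ISSUER_PREFIXES = ("https://sts.windows.net/", "https://login.microsoftonline.com/")


def b64url_decode(segment: str) -> str:
    """Decode one base64url JWT segment, restoring the '=' padding JWTs omit."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment).decode("utf-8")


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the alphabet JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    This only READS the token to find iss/aud/etc.; it does not verify the
    signature. Signature verification is the Logic Apps service's job."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def policy_matches(claims: dict, policy: dict) -> bool:
    """A policy matches when every claim it lists is present in the token with the same value."""
    return all(claims.get(c["name"]) == c["value"] for c in policy["claims"])


def validate_policies(policies: list) -> None:
    """Each policy must pin the Issuer ('iss') to an Azure AD issuer, as the text requires."""
    for policy in policies:
        issuers = [c["value"] for c in policy["claims"] if c["name"] == "iss"]
        if not issuers or not issuers[0].startswith(AZURE_AD_ISSUER_PREFIXES):
            raise ValueError(f"policy {policy['name']!r} needs an Issuer claim with an Azure AD issuer ID")


def authorize(token: str, policies: list, now=None) -> bool:
    """Authorization succeeds when the token's claims cover at least every claim
    of at least one policy. An expired token never succeeds."""
    validate_policies(policies)
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return False
    return any(policy_matches(claims, p) for p in policies)


def make_sample_token(claims: dict) -> str:
    """Build a constructed, NOT cryptographically signed token in JWT shape, for demo only."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{b64url_encode(b'constructed-signature')}"


# Constructed sample values: the tenant ID and audience are placeholders.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
AUDIENCE = "api://placeholder-app-id"

# One policy in the shape the Authorization blade asks for: a list of claim name/value pairs.
POLICIES = [
    {"name": "same-as-api", "claims": [{"name": "iss", "value": ISSUER}, {"name": "aud", "value": AUDIENCE}]},
]

VALID_TOKEN = make_sample_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-1", "exp": 4102444800})
WRONG_AUDIENCE_TOKEN = make_sample_token({"iss": ISSUER, "aud": "api://other-app", "exp": 4102444800})
EXPIRED_TOKEN = make_sample_token({"iss": ISSUER, "aud": AUDIENCE, "exp": 1_600_000_000})

if __name__ == "__main__":
    print("claims:", decode_jwt_claims(VALID_TOKEN))
    print("valid token authorized:", authorize(VALID_TOKEN, POLICIES))
    print("wrong audience authorized:", authorize(WRONG_AUDIENCE_TOKEN, POLICIES))
    print("expired token authorized:", authorize(EXPIRED_TOKEN, POLICIES))
```

Run it against your real token by replacing `VALID_TOKEN` with the decoded JWT you copied; the `iss` and `aud` values it prints are exactly the Issuer and Audience you enter in the policy.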
The HTTP Trigger
Remember the URL we set aside? Now is the time to pick it up.
IMPORTANT: DO NOT USE THIS RIGHT AWAY; REMOVE THE SAS PART FROM THE ENDPOINT.
Strip the sp=<permissions>&sv=<SAS-version>&sig=<signature> query parameters from the copied URI.
Not removing the shared access signature will override any authorization policy set under the Logic App’s Authorization settings.
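An added Python helper (not from the post or from Azure) that does the stripping described above reliably, rather than by hand: it removes the sp, sv and sig query parameters while keeping everything else on the trigger URL (such as api-version), and refuses to build a Bearer-authenticated request for a URL that still carries a SAS, since the SAS would win over the policy. The trigger URL, workflow ID and signature below are constructed placeholders in the shape Logic Apps generates.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

# Query parameters that make up the shared access signature on a trigger URL.
SAS_PARAMS = {"sp", "sv", "sig"}


def has_sas(url: str) -> bool:
    """True when the URL still carries any SAS parameter."""
    return any(k in SAS_PARAMS for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True))


def strip_sas(trigger_url: str) -> str:
    """Remove sp/sv/sig from the trigger URL, keeping other parameters (e.g. api-version)
    so that the request is authorized by the AAD policy, not by the SAS."""
    parts = urlsplit(trigger_url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k not in SAS_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


def build_bearer_request(trigger_url: str, access_token: str, body: bytes) -> Request:
    """Build (but do not send) the POST a caller makes with the Azure AD access token.
    Refuses a URL that still has a SAS, because the SAS would override the policy."""
    if has_sas(trigger_url):
        raise ValueError("trigger URL still carries SAS parameters; strip sp/sv/sig first")
    return Request(
        trigger_url,
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )


# Constructed sample trigger URL; workflow ID and signature are placeholders.
SAMPLE_TRIGGER_URL = (
    "https://prod-00.westus.logic.azure.com:443/workflows/PLACEHOLDER-WORKFLOW-ID"
    "/triggers/manual/paths/invoke?api-version=2016-10-01"
    "&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=PLACEHOLDER-SIGNATURE"
)
CLEAN_URL = (
    "https://prod-00.westus.logic.azure.com:443/workflows/PLACEHOLDER-WORKFLOW-ID"
    "/triggers/manual/paths/invoke?api-version=2016-10-01"
)

if __name__ == "__main__":
    url = strip_sas(SAMPLE_TRIGGER_URL)
    print("stripped URL:", url)
    req = build_bearer_request(url, "PLACEHOLDER-ACCESS-TOKEN", b'{"to": "someone@example.com"}')
    print(req.get_method(), req.full_url, req.get_header("Authorization"))
```

`urllib.request.urlopen(req)` would send it; it is left out so the script runs offline. The point of the `has_sas` guard is that a caller who keeps the full copied URL "just in case" silently bypasses the policy you configured.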
If you send both the SAS and a Bearer token, you will bump into this:
With the SAS removed and an invalid (expired) Bearer token provided:
After providing a legitimate access token:
That’s it. Your Logic App is now set up to use Azure AD OAuth for authorizing inbound requests.
By all means you can also opt for any other method mentioned here.
Ping back for assistance; your feedback is always welcome… 🙂