Authorization for Azure Logic Apps (token based)


As the internet suggests “While often used interchangeably, authentication and authorization represent fundamentally different functions. Authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to.”

Suppose you already have an app with an authentication mechanism deployed, and for some reason you want to off-load a task to a Logic App. Let's say sending emails, with configuration that you wish to keep away from the rest of the app. BUT! You want your Logic App to have the same authorization (or an explicit one) as the rest of the APIs in your app, probably consuming the same JWT token for the Logic App as well.

So what exactly will you need?
1. Logic App
2. Token from a valid Issuer

Setting up the logic app.

Go to portal.azure.com -> Create a Resource -> Search for "Logic App" -> Create.
Fill in the Subscription and Instance Details -> Review & create.
Done.

The logic inside the Logic App could be anything, but let's say you use it as a web-hook and start with the "When an HTTP request is received" trigger.

That is for the sake of simplicity; of course you can be creative.

Click Save and that will generate an HTTP trigger endpoint URL.

(Take note of this URL; we will come back to it at a later point.)

Considering we're good here, let's move to the authorization part.

Setting Up Authorization.

We will be setting up authorization using Azure Active Directory authorization policies (Ref).

Take your existing JWT token, decode it, and extract the Issuer, Audience and any other claims that you wish to add a check against, in case you don't have these values already.

In the Logic App, under Settings click Authorization, then click Add Policy.

(Screenshot: red marks the standard claims, green the custom claims.)

You can have multiple policies configured here, but note how they are evaluated: when your Logic App receives an incoming request that includes an authentication token, Azure Logic Apps compares the token's claims against the claims in each authorization policy. If the token's claims include at least all the claims of at least one policy, authorization succeeds.

At a minimum, the claims list must include the Issuer claim, whose value starts with https://sts.windows.net/ or https://login.microsoftonline.com/ (the Azure AD issuer ID). For this to work, make sure you remove the SAS part from the HTTP trigger URI; otherwise the policy gets overridden and the Logic App is authorized using the SAS key and signature instead.

The HTTP Trigger

Remember the URL we kept aside? Now is the time to pick it up.

IMPORTANT: DO NOT USE THIS RIGHT AWAY; REMOVE THE SAS PART FROM THE ENDPOINT.

https://<request-endpoint-URI>sp=<permissions>sv=<SAS-version>sig=<signature>

Remove the sp=<permissions>, sv=<SAS-version> and sig=<signature> query parameters from the copied URI.

Not removing the shared access signature will override any authorization policy set under the Logic App's Authorization settings.
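As an added example (not code from the post), this Python script models the three steps above: reading the Issuer and Audience out of an existing token, stripping the sp/sv/sig SAS parameters from the trigger URL, and the policy matching rule (every claim of at least one policy must be present in the token, and the policy must carry an Azure AD issuer). The token, tenant id, app id and trigger URL are constructed placeholders, and the token is decoded without signature verification because only its claim values are needed to fill in the policy.

```python
import base64
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Azure AD issuer prefixes that a policy's Issuer claim must start with
AAD_ISSUER_PREFIXES = ("https://sts.windows.net/", "https://login.microsoftonline.com/")
SAS_PARAMS = ("sp", "sv", "sig")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token: str) -> dict:
    # Read the payload only; no signature check (the Logic Apps service validates the real token)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def strip_sas(trigger_url: str) -> str:
    # Drop sp/sv/sig so the SAS no longer overrides the AD policy; keep other parameters
    parts = urlsplit(trigger_url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in SAS_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))

def policy_is_valid(policy: dict) -> bool:
    # A policy must at least carry an Azure AD issuer claim
    return policy.get("iss", "").startswith(AAD_ISSUER_PREFIXES)

def policy_allows(claims: dict, policies: list) -> bool:
    # Authorized when every claim of at least one valid policy matches the token's claims
    return any(policy_is_valid(p) and all(claims.get(k) == v for k, v in p.items())
               for p in policies)

def make_sample_token(payload: dict) -> str:
    # Constructed, unsigned token for offline demonstration only
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.signature"

if __name__ == "__main__":
    # Constructed values: tenant id, app id, workflow id and signature are placeholders
    token = make_sample_token({"iss": "https://sts.windows.net/TENANT-ID/", "aud": "api://APP-ID"})
    policy = {"iss": "https://sts.windows.net/TENANT-ID/", "aud": "api://APP-ID"}
    print(policy_allows(decode_jwt_claims(token), [policy]))  # True
    url = ("https://prod-00.westeurope.logic.azure.com:443/workflows/WORKFLOW-ID/triggers/manual"
           "/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=SIGNATURE")
    print(strip_sas(url))  # the same URL with only api-version=2016-10-01 left in the query
```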

The three cases, as captured in the screenshots:
1. Both SAS and Bearer token supplied: you might bump into an error here.
2. SAS removed, but an invalid (expired) Bearer token supplied.
3. A legitimate access token supplied, and the mail is received.

That's it: your Logic App is now set up to use Azure AD OAuth for authorizing inbound requests.
By all means, you can also opt for any other method mentioned here.

Ping back for assistance; your feedback is always welcome 🙂

Regards,
Aditya Deshpande

4 thoughts on "Authorization for Azure Logic Apps (token based)"

  1. Hi Aditya – Thank you so much for writing this article! This is something I really need right now. I am just stuck on the last part :

    “Remove sp=sv=sig= from the copied uri.”

    The URL is greyed out – how do I remove this?

