Azure Integration Services Blog
Azure AD OAuth Proof of Possession (PoP) for Azure Logic Apps

DivSwa
Dec 06, 2022

Logic Apps supports bearer-type authorization schemes for Azure AD OAuth access tokens, which means that the “Authorization” header for the access token must specify the “Bearer” type.

We have now added support for the PoP-type authorization scheme for Azure AD OAuth access tokens, which means that the “Authorization” header for the access token must specify the “PoP” type.

For now, PoP support is only available in consumption Logic Apps.

How do you get the PoP token

This sample uses a daemon app and shows how to use Proof of Possession (PoP) tokens, which are now available in the MSAL libraries. You can acquire PoP tokens using MSAL if the Logic App that you want to call requires them.

Follow these steps to leverage PoP tokens for authorization in Logic Apps.

  1. Create a new ‘consumption’ Logic App or open an existing one.
  2. From the Logic App menu, select Settings, then select Authorization. After the Authorization pane opens, select Add policy.
  3. Provide a Policy name, which can be any string, and select the Policy type “AADPOP”. Under Claims, provide the key-value pairs of the claim types and values that your logic app expects in the access token presented by each inbound call to the Request trigger. Using Add standard claim, you can add any standard claims that you want to use. To add claims specific to PoP, use the Add custom claim button.

For more information, review how to provide optional claims to your app. Your custom claim is stored as a part of your JWT ID; for example, "tid": "72f988bf-86f1-41af-91ab-2d7cd011db47". 
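To make the policy's behaviour concrete, here is an added example (not code from the original post or from Logic Apps) that applies the same checks the authorization policy above describes to an inbound request: the “Authorization” header must use the expected scheme (“PoP” rather than “Bearer”), the token must carry a valid signature, and every configured claim key-value pair must be present with the configured value. The page's own "tid" claim is used as the expected claim. To keep the example self-contained, the constructed demo token is signed with HS256 and a constructed shared key; real Azure AD tokens are RS256-signed with published keys, and the helper `make_demo_token` exists only to produce test input.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. Azure AD tokens are RS256-signed with published keys;
# HS256 with a shared secret is used here only so the example runs offline.
DEMO_KEY = b"constructed-demo-signing-key"

# Expected claim key-value pairs, as configured under "Claims" in the policy.
# The tid value is the example given in the post.
EXPECTED_CLAIMS = {"tid": "72f988bf-86f1-41af-91ab-2d7cd011db47"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that compact JWS encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 JWT so the checks below have input to run on."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def check_authorization(header_value, expected_claims, expected_scheme="PoP",
                        key=DEMO_KEY, now=None):
    """Return (allowed, reason) for an inbound request's Authorization header.

    Mirrors the policy: scheme must match, signature must verify, the token
    must not be expired, and every expected claim must match exactly.
    """
    if header_value is None:
        return False, "missing Authorization header"
    parts = header_value.split(None, 1)
    if len(parts) != 2:
        return False, "malformed Authorization header"
    scheme, token = parts
    # HTTP auth scheme names are case-insensitive (RFC 7235).
    if scheme.lower() != expected_scheme.lower():
        return False, f"scheme {scheme!r} is not {expected_scheme!r}"
    segments = token.split(".")
    if len(segments) != 3:
        return False, "token is not a compact JWS"
    header_b64, payload_b64, sig_b64 = segments
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return False, "token segments are not valid base64url JSON"
    # Pin the algorithm before verifying; never trust "alg" to pick the check.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return False, "signature mismatch"
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] < now:
        return False, "token expired"
    for name, value in expected_claims.items():
        if claims.get(name) != value:
            return False, f"claim {name!r} missing or mismatched"
    return True, "ok"


if __name__ == "__main__":
    good = make_demo_token({"tid": EXPECTED_CLAIMS["tid"], "exp": 2_000_000_000})
    print(check_authorization("PoP " + good, EXPECTED_CLAIMS))      # (True, 'ok')
    print(check_authorization("Bearer " + good, EXPECTED_CLAIMS))   # wrong scheme
    print(check_authorization(None, EXPECTED_CLAIMS))               # missing header
```

When testing a newly configured policy, the cases worth sending are the same ones the check enumerates: no header at all, the right token under the wrong scheme, a token signed with a different key, and a token whose configured claim carries a different value. Each should be rejected before the trigger runs, and a missing header is the first case to confirm.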

Updated Dec 06, 2022
Version 1.0
    brlgen
    Brass Contributor

    Despite having set the authorization settings on the Logic App to do AAD PoP, the logic can still be triggered using the HTTP trigger URL without any authorization header at all. What am I doing wrong? Why is it allowing requests without the specified authorization?