When working with Azure Logic Apps and needing to call an API secured with Azure AD, you can use a service principal (SPN) with certificate-based authentication to obtain a JSON Web Token (JWT). This is a brief guide to setting that up and using it in an HTTP action within a Logic App (Standard):
Step 1:
As per the Logic Apps documentation, add "WEBSITE_LOAD_USER_PROFILE = 1" to the Logic App's app settings.
Reason:
The app setting WEBSITE_LOAD_USER_PROFILE = 1 makes the runtime load the user profile, which is where the certificates are stored; without it, the runtime cannot load the certificate.
Reference:
https://learn.microsoft.com/en-us/azure/connectors/connectors-native-http?tabs=standard#client-certificate-or-microsoft-entra-id-oauth-with-certificate-credential-type-authentication
Step 2:
Run the following commands in sequence (you need OpenSSL installed; on Windows, run them from the "Win64 OpenSSL Command Prompt"):
- openssl genrsa -out private-key.pem 3072
  Generates a 3072-bit RSA private key and saves it to a file named "private-key.pem".
- openssl rsa -in private-key.pem -pubout -out public-key.pem
  Reads the RSA private key from "private-key.pem", extracts the corresponding public key, and saves it to a file named "public-key.pem".
- openssl req -new -x509 -key private-key.pem -out cert.pem -days 360
  Generates a self-signed X.509 certificate from the private key in "private-key.pem". The certificate is valid for 360 days and is saved to a file named "cert.pem"; this is the file that needs to be uploaded to the SPN.
- openssl pkcs12 -export -inkey private-key.pem -in cert.pem -out key.pfx
  Creates a PKCS#12 file named "key.pfx" containing both the private key from "private-key.pem" and the certificate from "cert.pem".
Why is a password needed?
- openssl pkcs12 -export -inkey private-key.pem -in cert.pem -out key.pfx
During this step you are prompted to set an export password that protects the PKCS#12 file. The same password is required whenever the file is imported into another system or piece of software, including the Logic App HTTP action.
Without a password, you may experience a "cannot load private certificate" exception.
Demo:
Step 3:
Open PowerShell and run the following commands:
$pfx_cert = [System.IO.File]::ReadAllBytes('key.pfx')
[System.Convert]::ToBase64String($pfx_cert) | Out-File 'pfx-encoded-bytes.txt'
After they run, you should see a new file named "pfx-encoded-bytes.txt".
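The Step 2 and Step 3 procedure as one script, added here as an example (not code from the article or from Microsoft's documentation). It runs the same OpenSSL commands on Linux/macOS, uses openssl base64 in place of the PowerShell [Convert]::ToBase64String call, takes the export password non-interactively, and adds the checks worth running before uploading cert.pem: that the PFX opens only with the password (the "cannot load private certificate" caveat), that the private key matches the certificate, that the encoded text round-trips, and the SHA-1 thumbprint to compare against the one the app registration shows. The directory, subject name and password are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the article: Steps 2 and 3 as one script (Linux/macOS
# OpenSSL), plus the checks worth running before uploading cert.pem to the app
# registration. Directory, subject and password below are constructed values.
set -eu

# Step 2: key, public key, self-signed cert and password-protected PFX in $1.
# -passout replaces the interactive export-password prompt from the article.
make_spn_cert() {
  local dir="$1" pass="$2"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/private-key.pem" 3072 2>/dev/null
  openssl rsa -in "$dir/private-key.pem" -pubout -out "$dir/public-key.pem" 2>/dev/null
  openssl req -new -x509 -key "$dir/private-key.pem" -out "$dir/cert.pem" \
    -days 360 -subj "/CN=logicapp-spn-demo" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/private-key.pem" -in "$dir/cert.pem" \
    -out "$dir/key.pfx" -passout "pass:$pass"
  # Step 3: same result as [Convert]::ToBase64String, one line, no wrapping.
  openssl base64 -A -in "$dir/key.pfx" -out "$dir/pfx-encoded-bytes.txt"
}

# Check 1: the PFX opens with the password you will enter in the HTTP action,
# and only with it. An unprotected PFX is what produces the article's
# "cannot load private certificate" error at runtime.
pfx_opens_with() {
  openssl pkcs12 -in "$1/key.pfx" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Check 2: the certificate really carries the public half of private-key.pem.
key_matches_cert() {
  [ "$(openssl x509 -in "$1/cert.pem" -pubkey -noout)" = \
    "$(openssl pkey -in "$1/private-key.pem" -pubout)" ]
}

# Check 3: the encoded text decodes back to byte-identical PFX content.
encoded_roundtrip() {
  openssl base64 -d -A -in "$1/pfx-encoded-bytes.txt" -out "$1/decoded.pfx"
  cmp -s "$1/key.pfx" "$1/decoded.pfx"
}

# SHA-1 thumbprint as the app registration shows it (uppercase hex, no colons),
# to compare against the uploaded cert before trusting the setup.
cert_thumbprint() {
  openssl x509 -in "$1/cert.pem" -noout -fingerprint -sha1 | sed -e 's/^.*=//' -e 's/://g'
}

dir="$(mktemp -d)"
make_spn_cert "$dir" 'demo-export-password'
pfx_opens_with "$dir" 'demo-export-password' && key_matches_cert "$dir" \
  && encoded_roundtrip "$dir" && echo "thumbprint: $(cert_thumbprint "$dir")"
```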
Reference:
https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app?tabs=azure-portal
Demo:
Step 4:
Upload the certificate (cert.pem) to the Azure AD (AAD) app registration.
Step 5:
- Paste the content of the text file ("pfx-encoded-bytes.txt") into the HTTP action's certificate field.
- Fill in the password.
- You can test against any endpoint (e.g. RequestBin) and should see the request arrive with a bearer token.
Advantage:
The HTTP action combines getting the token and invoking the endpoint in a single step.
Demo:
Create an HTTP action.
Test.
Thank you.