Microsoftarjunchiddarwar
I understand why it's necessary. My point is that I was under the assumption that we turn on utilizing something like Managed Identity, so that if the signature URL ever leaks, it doesn't allow unauthorized access. With how Microsoft have done EasyAuth for Logic Apps, it doesn't increase protection at all because if someone just simply doesn't use a bearer token (Or even has an invalid token), as long as they have the signature they can still call the app.
So, the real question is. Why use EasyAuth at all? What does it give you when an attacker can just bypass it completely using the signature? The only possible benefit is that requests across the wire don't need to carry the signature now. But I think the chance of intercepting a request like this between two applications is relatively slim.
