Secure Logic App HTTP endpoint with Azure AD integration

Published Jun 09 2020 08:32 AM 4,854 Views
Senior Member

Overview: 

We have several ways to secure the Logic App endpoints like restricting inbound IP addresses, using SAS keys and API management instance. API management allows us to secure endpoints with various authentication modes such as client certificates, Oauth and basic credentials authentication.

 

We can  also authorize Logic App HTTP endpoints using Oauth token with the new feature in Logic App "Authorization".You can follow the steps below for implementing this.

 

Implementation:

  • We have to create an App Registration (Service Principal) in Azure Active Directory . Go to Azure AD and Click on App registrations to add new registration.

0 (1).png

  • Open created App registration, Select certificates and secrets and add new secret. Copy the client secret value as it won't be visible later on.
  • Collect App registration details from overview page i.e. Client Id, Tenant Id. Which we will be using later to generate Oauth token to access Logic App endpoint.

0 (2).png

  • Now, we can configure any existing or new Logic App which has HTTP trigger endpoint to authenticate with OAuth tokens.
  • Go to Logic App --> Authorization and add new Policy and claims to authenticate with Oauth tokens as in screenshot below.

Issuer: https://sts.windows.net/{{TenantId}}/

Audience: https://management.azure.com

0.jfif

  • Now, Logic App endpoint supports with Oauth authentication. Now ,generate the Oauth token using App registration details and trigger Logic App with the Oauth token.

REST API to generate OAuth tokens:

URL: https://login.microsoftonline.com/{{tenantId}}/oauth2/token

Verb: POST

Parameters:

Client_Secret: client secret collected in App registration

grant_type: client_credentials

client_id : Application Id of App registration

resource: https://management.azure.com

0 (1).jfif

Trigger LogicApp HTTP endpoint with OAuth token:

  • Go to LogicApp and get the HTTP endpoint URL and remove SAS key from URL.

Example: https://prod-17.centralindia.logic.azure.com:443/workflows/d04bc34e3fdd403091de956ed28c48cd/triggers...&sig=Bq9fGp3wZ0Q7mDTdozBtvlljpXBIrGevi394_19RuHY

 

Modified : https://prod-17.centralindia.logic.azure.com:443/workflows/d04bc34e3fdd403091de956ed28c48cd/triggers...

  • Now we can call the endpoint above with OAuth token (Bearer key ) collected above as in screenshot below.

0 (3).png

References:

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app#secure-triggers

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app#enable-azure-activ...

 

5 Comments
Occasional Visitor

I already have a Logic App Dev integration App registered and I am using that to generate access token by passing the required details mentioned. But when I pass that token to trigger logic app It is throwing me error -

{
    "error": {
        "code""MisMatchingOAuthClaims",
        "message""One or more claims either missing or does not match with the open authentication access control policy."
    }
}
 
I am not sure what I am doing is wrong. I have added audience and issuer. 
 
There is a slight catch here - We created this APP for fetching the token only and the token is also used by some other custom API by passing different resource. I am not sure if this is the problem. Or should I have to create a new APP just for this. If yes, then why I can't use this by passing different resource as mentioned here. I am new to azure so probably lill aware of deep understanding that goes around here. 
Senior Member

Hi @spnelli ,

 

Could you check the generated OAuth token from SPN is matching with the Claims policies set on Logic App Authorization blade.

 

You can decode the bearer token fetched using JSON Web Tokens - jwt.io to verify the claims.

 

Most common mistake would be adding the / at the end of the issuer claim after tenant id as highlighted below. Could you check it as well please.

 

Issuer: https://sts.windows.net/{{TenantId}}/

Occasional Visitor

Hi @VeeraReddy 

 

Yes, your reply solved my query. That was the only problem. Thank you so much.

 

But I moved to MSI approach of authenticating. I imported the logic app as APIM and updated the policies. You can refer here  - 

https://securecloud.blog/2021/02/09/deep-diver-hardening-authentication-and-authorization-between-lo...

 

I have followed steps here. But the problem is I couldn't get the logic app run after adding 

"@startsWith(triggerOutputs()?['headers']?['Authorization'], 'Bearer' )" it is throwing below error.

 

{ "error":

{ "code": "InvalidTemplate",

"message": "The template language expression evaluation failed: 'The template language function 'startsWith' expects its first parameter to be of type string. The provided value is of type 'Null'. Please see https://aka.ms/logicexpressions#startswith for usage details.'." } }

 

Do you have any idea here  ? What can be the case ? What I am doing is wrong ?

There is so many ways I suppose to authenticate Logic app. 

 

Occasional Visitor

Hello VeeraReddy.

Thanks for the tutorial. 

I'm missing a step here. During the App Registration what do i have to insert in the Redirect URI field? Is it always mandatory to insert it?

 

Thanks

Gianni

Senior Member

Hi @GianniStillavato ,

 

you can leave it default while creating the app registration in AD.

%3CLINGO-SUB%20id%3D%22lingo-sub-1450690%22%20slang%3D%22en-US%22%3ESecure%20Logic%20App%20HTTP%20endpoint%20with%20Azure%20AD%20integration%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1450690%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EOverview%3A%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EWe%20have%20several%20ways%20to%20secure%20the%20Logic%20App%20endpoints%20like%20restricting%20inbound%20IP%20addresses%2C%20using%20SAS%20keys%20and%20API%20management%20instance.%20API%20management%20allows%20us%20to%20secure%20endpoints%20with%20various%20authentication%20modes%20such%20as%20client%20certificates%2C%20Oauth%20and%20basic%20credentials%20authentication.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20can%26nbsp%3B%20also%20authorize%20Logic%20App%20HTTP%20endpoints%20using%20Oauth%20token%20with%20the%20new%20feature%20in%20Logic%20App%20%22%3CSTRONG%3EAuthorization%22%3C%2FSTRONG%3E.You%20can%20follow%20the%20steps%20below%20for%20implementing%20this.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EImplementation%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EWe%20have%20to%20create%20an%20App%20Registration%3CSTRONG%3E%20(Service%20Principal)%3C%2FSTRONG%3E%20in%20Azure%20Active%20Directory%20.%20Go%20to%20Azure%20AD%20and%20Click%20on%20App%20registrations%20to%20add%20new%20registration.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CDIV%20class%3D%22slate-resizable-image-embed%20slate-image-embed__resize-full-width%22%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%220%20(1).png%22%20style%3D%22width%3A%20709px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F197518iA0D58CE6A98FE524%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%220%20(1).png%22%20alt%3D%220%20(1).png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FDIV%3E%0A%3CUL%3E%0A%3CLI%3EOpen%20created%20App%20registration%2C%20Select%20certificates%20and%20secrets%20and%20add%20new%20secret.%20Copy%20the%20client%20secret%20value%20as%20it%20won't%20be%20visible%20later%20on.%3C%2FLI%3E%0A%3CLI%3ECollect%20App%20registration%20details%20from%20overview%20page%20i.e.%20Client%20Id%2C%20Tenant%20Id.%20Which%20we%20will%20be%20using%20later%20to%20generate%20Oauth%20token%20to%20access%20Logic%20App%20endpoint.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CDIV%20class%3D%22slate-resizable-image-embed%20slate-image-embed__resize-full-width%22%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%220%20(2).png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F197519iC875ACF03D773CA2%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%220%20(2).png%22%20alt%3D%220%20(2).png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FDIV%3E%0A%3CUL%3E%0A%3CLI%3ENow%2C%20we%20can%20configure%20any%20existing%20or%20new%20Logic%20App%20which%20has%20HTTP%20trigger%20endpoint%20to%20authenticate%20with%20OAuth%20tokens.%3C%2FLI%3E%0A%3CLI%3EGo%20to%20Logic%20App%20--%26gt%3B%20Authorization%20and%20add%20new%20Policy%20and%20claims%20to%20authenticate%20with%20Oauth%20tokens%20as%20in%20screenshot%20below.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSTRONG%3EIssuer%3C%2FSTRONG%3E%3A%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Fsts.windows.net%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsts.windows.net%2F%3C%2FA%3E%3CSTRONG%3E%3CEM%3E%7B%7BTenantId%7D%7D%2F%3C%2FEM%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EAudience%3C%2FSTRONG%3E%3A%20-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Fmanagement.azure.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmanagement.azure.com%3C%2FA%3E%3C%2FP%3E%0A%3CDIV%20class%3D%22slate-resizable-image-embed%20slate-image-embed__resize-full-width%22%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%220.jfif%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F197520i92FE76FBA616B6DC%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%220.jfif%22%20alt%3D%220.jfif%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FDIV%3E%0A%3CUL%3E%0A%3CLI%3ENow%2C%20Logic%20App%20endpoint%20supports%20with%20Oauth%20authentication.%20Now%20%2Cgenerate%20the%20Oauth%20token%20using%20App%20registration%20details%20and%20trigger%20Logic%20App%20with%20the%20Oauth%20token.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH3%20id%3D%22toc-hId-1172060658%22%20id%3D%22toc-hId-1172060658%22%3EREST%20API%20to%20generate%20OAuth%20tokens%3A%3C%2FH3%3E%0A%3CP%3E%3CSTRONG%3EURL%3C%2FSTRONG%3E%3A%20-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%2F%7B%7BtenantId%7D%7D%2Foauth2%2Ftoken%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2F%7B%7BtenantId%7D%7D%2Foauth2%2Ftoken%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EVerb%3C%2FSTRONG%3E%3A%20POST%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EParameters%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EClient_Secret%3C%2FSTRONG%3E%3A%20client%20secret%20collected%20in%20App%20registration%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3Egrant_type%3C%2FSTRONG%3E%3A%20client_credentials%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3Eclient_id%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3A%20Application%20Id%20of%20App%20registration%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3Eresource%3C%2FSTRONG%3E%3A%20-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Fmanagement.azure.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmanagement.azure.com%3C%2FA%3E%3C%2FP%3E%0A%3CDIV%20class%3D%22slate-resizable-image-embed%20slate-image-embed__resize-full-width%22%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%220%20(1).jfif%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F197521i896B394CFEB6AF0A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%220%20(1).jfif%22%20alt%3D%220%20(1).jfif%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FDIV%3E%0A%3CH3%20id%3D%22toc-hId--635393805%22%20id%3D%22toc-hId--635393805%22%3ETrigger%20LogicApp%20HTTP%20endpoint%20with%20OAuth%20token%3A%3C%2FH3%3E%0A%3CUL%3E%0A%3CLI%3EGo%20to%20LogicApp%20and%20get%20the%20HTTP%20endpoint%20URL%20and%20remove%20SAS%20key%20from%20URL.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSTRONG%3EExample%3C%2FSTRONG%3E%3A%20-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Fprod-17.centralindia.logic.azure.com%3A443%2Fworkflows%2Fd04bc34e3fdd403091de956ed28c48cd%2Ftriggers%2Fmanual%2Fpaths%2Finvoke%3Fapi-version%3D2016-10-01%26amp%3Bsp%3D%252Ftriggers%252Fmanual%252Frun%26amp%3Bsv%3D1.0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fprod-17.centralindia.logic.azure.com%3A443%2Fworkflows%2Fd04bc34e3fdd403091de956ed28c48cd%2Ftriggers%2Fmanual%2Fpaths%2Finvoke%3Fapi-version%3D2016-10-01%26amp%3Bsp%3D%252Ftriggers%252Fmanual%252Frun%26amp%3Bsv%3D1.0%3C%2FA%3E%3CSTRONG%3E%3CEM%3E%26amp%3Bsig%3DBq9fGp3wZ0Q7mDTdozBtvlljpXBIrGevi394_19RuHY%3C%2FEM%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EModified%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3A%20-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Fprod-17.centralindia.logic.azure.com%3A443%2Fworkflows%2Fd04bc34e3fdd403091de956ed28c48cd%2Ftriggers%2Fmanual%2Fpaths%2Finvoke%3Fapi-version%3D2016-10-01%26amp%3Bsp%3D%252Ftriggers%252Fmanual%252Frun%26amp%3Bsv%3D1.0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fprod-17.centralindia.logic.azure.com%3A443%2Fworkflows%2Fd04bc34e3fdd403091de956ed28c48cd%2Ftriggers%2Fmanual%2Fpaths%2Finvoke%3Fapi-version%3D2016-10-01%26amp%3Bsp%3D%252Ftriggers%252Fmanual%252Frun%26amp%3Bsv%3D1.0%3C%2FA%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ENow%20we%20can%20call%20the%20endpoint%20above%20with%20OAuth%20token%20(Bearer%20key%20)%20collected%20above%20as%20in%20screenshot%20below.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CDIV%20class%3D%22slate-resizable-image-embed%20slate-image-embed__resize-full-width%22%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%220%20(3).png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F197523iE15EEFD780E5797A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%220%20(3).png%22%20alt%3D%220%20(3).png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FDIV%3E%0A%3CP%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3EReferences%3C%2FU%3E%3C%2FSTRONG%3E%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fmanagement.azure.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Flogic-apps%2Flogic-apps-securing-a-logic-app%23secure-triggers%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Flogic-apps%2Flogic-apps-securing-a-logic-app%23enable-azure-active-directory-oauth%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Flogic-apps%2Flogic-apps-securing-a-logic-app%23enable-azure-active-directory-oauth%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1450690%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22introducingazurelogicapps_960.jpg%22%20style%3D%22width%3A%20960px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F197532iA2826775D0BF7424%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22introducingazurelogicapps_960.jpg%22%20alt%3D%22introducingazurelogicapps_960.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ESecure%20HTTP%20endpoint%20with%20Oauth%20token%20using%20Azure%20AD%20service%20Principal.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1450690%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ELogic%20App%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ELogicApps%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOAuth%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESAS%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eservice%20principal%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Version history
Last update:
‎Jun 09 2020 08:32 AM
Updated by: