BryceBy
BryceBy

Reputation: 319

Azure Logic App HTTP Request Authentication Scope

We have an API hosted in Azure as an Azure Web App that we need to trigger via http on a schedule.

Our API requires a valid Azure AD Access Token be sent with each request.

Azure Logic Apps gives us the option to authenticate our request with Azure AD. However, we do not see the option of including scope in the request. If we send a request without specified scope or role, we get the following error:

System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token.

enter image description here

How can we authenticate an http request from an Azure Logic App when scope/role is required in the access token by the API?

Upvotes: 1

Views: 7587

Answers (3)

Francesco
Francesco

Reputation: 5183

Azure Logic App (standard) http connectors do not support OAuth2 so the only way to get a token using the "scope" parameter would be firt to make an HTTP request to the /token endpoint and then use the obtained token to make the call to your protected API.

This is the overall flow:

example1

This is how I make the authenticated call using the token:

example2

You can read more here: https://learn.microsoft.com/en-us/answers/questions/1178938/how-to-use-oauth-2-0-authorization-in-logic-apps-h

Upvotes: 0

BryceBy
BryceBy

Reputation: 319

Thanks to @Skin for the suggestion!

Here is what worked for future visitors to this question:

Navigate to your Logic App in the Azure Portal > Select "Logic App Code View" > Add the following to "authentication":

enter image description here

  • audience: "api://<your api's clientId>"
  • clientId: "<your logic app's clientId>"
  • scope: "api://<your api's clientId>/.default" (this piece is not available in the interface)
  • secret: "the secret you generated for your logic app in your aad app registration"
  • tenant: "your tenant id"

Upvotes: 1

maras2002
maras2002

Reputation: 321

Parameter "Audience" is the scope. Depending on how you built your target api and what is expected there as audience in token you could probably have there somehting like: api://<yoru_app_id>/.default, but you should know it best. E.g. when you call Graph MS your scope/resource/audience here is: https://graph.microsoft.com/.default, but different APIs have different needs for scopes.

Upvotes: -1

Related Questions