Reputation: 319
Azure Logic App HTTP Request Authentication Scope
We have an API hosted in Azure as an Azure Web App that we need to trigger via http on a schedule.
Our API requires a valid Azure AD Access Token be sent with each request.
Azure Logic Apps gives us the option to authenticate our request with Azure AD. However, we do not see the option of including scope in the request. If we send a request without specified scope or role, we get the following error:
System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token.
How can we authenticate an http request from an Azure Logic App when scope/role is required in the access token by the API?
Upvotes: 1
Views: 7587
Answers (3)
Reputation: 5183
Azure Logic App (standard) http connectors do not support OAuth2 so the only way to get a token using the "scope" parameter would be firt to make an HTTP request to the /token endpoint and then use the obtained token to make the call to your protected API.
This is the overall flow:
This is how I make the authenticated call using the token:
You can read more here: https://learn.microsoft.com/en-us/answers/questions/1178938/how-to-use-oauth-2-0-authorization-in-logic-apps-h
Upvotes: 0
Reputation: 319
Thanks to @Skin for the suggestion!
Here is what worked for future visitors to this question:
Navigate to your Logic App in the Azure Portal > Select "Logic App Code View" > Add the following to "authentication":
- audience: "api://<your api's clientId>"
- clientId: "<your logic app's clientId>"
- scope: "api://<your api's clientId>/.default" (this piece is not available in the interface)
- secret: "the secret you generated for your logic app in your aad app registration"
- tenant: "your tenant id"
Upvotes: 1
Reputation: 321
Parameter "Audience" is the scope. Depending on how you built your target api and what is expected there as audience in token you could probably have there somehting like: api://<yoru_app_id>/.default, but you should know it best. E.g. when you call Graph MS your scope/resource/audience here is: https://graph.microsoft.com/.default, but different APIs have different needs for scopes.
Upvotes: -1
Related Questions
- How to add the basic authentication to the HTTP triggered Azure Logic App
- How to authenticate when calling Azure Logic App?
- Azure Logic App authenticate with WebApp using MSI
- Oauth Authentication in Logic Apps
- Logic App calling WebAPI with managed identity what kind of token is added to request
- Azure Logic Apps HTTP Unauthorized
- azure logic app & http step response
- How to secure Azure Logic App http request endpoint
- Azure Logic App Request Trigger authorization
- how to set headers or authentication in azure logic app http action