Secure Logic App with API Management using OAuth 2.0

Mohit Gupta, published in AzureDiary
3 min read, Nov 4, 2019

Overview:

This article gives an overview of how to secure an HTTP-triggered Logic App behind Azure API Management using OAuth 2.0.

Requirements:

1. Azure subscription

2. Postman

Create an HTTP trigger based Logic App

Create an API Management instance

Add a new API in APIM

Add an operation to the API

Set the backend of the API operation to an Azure resource (the Logic App)

At this point you can verify that the API is working without any security.

Create a new API for login

Add an operation to get a token

Now secure the Logic App API using OAuth 2.0 with Azure Active Directory.

Create two applications in Azure Active Directory: one for the API client and one for the API

Create an application for the Logic App API client

Create an application for the Logic App API

Expose a scope from the Logic App API

This scope needs to be created manually by editing the application's manifest file (the appRoles entry shown here):

"appRoles": [
  {
    "allowedMemberTypes": ["Application"],
    "description": "Apps that have this role have the ability to invoke my API",
    "displayName": "Can invoke my API",
    "id": "9575c6e3-7339-4ad6-ad0e-01e5b89326a9",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "myTestRole"
  }
],

Grant permission for this scope to the Logic App API client application

Add a client secret to the Logic App API client application

Add a policy to the API operation to validate the JWT token:

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
  <openid-config url="https://login.microsoftonline.com/{Tenant ID}/.well-known/openid-configuration" />
  <required-claims>
    <claim name="aud" match="any">
      <value>api://{Application Id of Logic App API}</value>
      <value>{Application Id of Logic App API}</value>
    </claim>
  </required-claims>
</validate-jwt>

Make sure to remove the Authorization header before the request is forwarded to the Azure Logic App:

<set-header id="apim-generated-policy" name="Authorization" exists-action="delete" />
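The following Python script is an added, offline model of what the two inbound policies above enforce; it is not APIM code and not part of the original article. It mints a constructed JWT, validates it the way validate-jwt does (signature, expiry, and an "any of" audience match against both the api://{Application Id} and bare {Application Id} forms), then strips the Authorization header before the request is handed to the Logic App backend. Assumptions: API_APP_ID is a placeholder application ID, tokens are HS256-signed with a demo secret so the script runs without Azure AD (the real policy fetches RSA signing keys from the openid-configuration URL), and the roles check is an addition the article's policy does not make. That extra check matters because the article's policy only pins the audience; requiring the myTestRole value from the manifest in the roles claim also ties the caller to the app role that was granted.

```python
"""Offline model of the article's inbound APIM pipeline: validate-jwt followed by
deleting the Authorization header before forwarding to the Logic App backend.
Constructed example: HS256 with a shared secret stands in for Azure AD's RSA keys."""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical placeholders; a real deployment uses the Application (client) ID of
# the "Logic App API" app registration and a real tenant issuer.
API_APP_ID = "00000000-0000-0000-0000-000000000abc"
ACCEPTED_AUDIENCES = {f"api://{API_APP_ID}", API_APP_ID}  # <claim name="aud" match="any">
REQUIRED_ROLE = "myTestRole"                              # appRoles[].value from the manifest
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(aud: str, roles, ttl: int = 300, secret: bytes = DEMO_SECRET) -> str:
    """Build a constructed HS256 JWT shaped like an Azure AD client-credentials token."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"aud": aud, "iss": "https://sts.windows.net/{tenant-placeholder}/",
               "iat": now, "exp": now + ttl, "roles": list(roles)}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_jwt(token: str, secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Mirror of <validate-jwt>: raise ValueError on any failure, else return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")          # reject before trusting any claim
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud")
    aud_values = set(aud) if isinstance(aud, list) else {aud}
    if not aud_values & ACCEPTED_AUDIENCES:         # match="any" over the two values
        raise ValueError("audience mismatch")
    if REQUIRED_ROLE not in claims.get("roles", []):  # added check, not in the article
        raise ValueError("required app role missing")
    return claims


def inbound(headers: dict) -> tuple:
    """Model of the inbound section: returns (status, headers forwarded to the Logic App)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {}
    try:
        validate_jwt(auth[len("Bearer "):])
    except ValueError:
        return 401, {}  # "Unauthorized. Access token is missing or invalid."
    # <set-header name="Authorization" exists-action="delete" />: the caller's bearer
    # token is never forwarded; the Logic App's SAS URL is the backend credential.
    forwarded = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    return 200, forwarded


if __name__ == "__main__":
    token = mint_token(f"api://{API_APP_ID}", [REQUIRED_ROLE])
    print(inbound({"Authorization": "Bearer " + token, "Content-Type": "application/json"}))
    print(inbound({"Authorization": "Bearer " + mint_token("api://someone-else", [REQUIRED_ROLE])}))
```

Run it directly to see a valid token forwarded without its Authorization header and a wrong-audience token rejected with 401; the same function accepts the bare application ID form, which Azure AD issues for v2 tokens.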

Verify the API from a browser

Test using Postman


Mohit Gupta is an Integration Developer who works on Azure, DevOps and BizTalk. Contact: mohit.e.gupta@gmail.com