I couldn’t get to doing this day-before when I first posted on authenticating to Logic Apps via Azure AD. So this post is a continuation of that.
Today I setup the Logic App to use an App Registration. This is very straighforward, and while not required I wanted a way to limit the Logic App to a group of users.
I created a new App Registration with the following settings:
- Authentication > Allow Public Flows
- API permissions > Delegated permissions for Graph
User.Readandprofile
This is based on the App Registration that got created when I did the same for Azure Functions, the difference being this one is manually created. I went with the profile scope so I get additional details in the ID Token like Object ID, Username (UPN), and Name but this is not needed if you don’t care for those.
Next I enabled Azure AD policies on the Logic App. I went with requiring the Issuer (this is mandatory) being https://login.microsoftonline.com/<tenantId>/v2.0 and Audience value being the app Id of the App Registration. This way only tokens intended for the App Registration will be accepted by the Logic App. In my previous post I mentioned https://sts.windows.net too but I decided to skip that the way I was going to get tokens now would be the v2 ones from login.microsoftonline.com.
After that it’s straight forward to invoke the Logic App via it’s web Uri. All I have to do is get a token and then pass it to the Url while calling it. I am using the Get-MSDeviceToken function I mentioned in the previous post so I invoke it thusly:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
$tenantId = "===changeme===" $appId = "===changeme===" # I need 'profile' scope for oid # I need 'openid' scope to get the id_token else that is not returned $scope = "User.Read openid profile" $apiUrl = "https://===changeme===/triggers/manual/paths/invoke?api-version=2016-10-01" Write-Output "Authenticating with Azure AD to access $apiUrl." $aadtoken = Get-MSDeviceToken -TenantId $tenantId -AppId $appId -Scope $scope $header = @{ "Authorization" = "Bearer " + $aadtoken.id_token } Invoke-RestMethod -Method POST -Uri $apiUrl -Headers $header -ContentType 'application/json' |
Next up I wanted to get the user details. For that I resorted to getting the token from the headers:
Here’s the underlying code view. I had to switch to that to add an extra bit ?['Authorization'] so I extract that from the headers.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
"Initialize_variable_(Token)": { "inputs": { "variables": [ { "name": "Token", "type": "string", "value": "@{triggerOutputs()['headers']?['Authorization']}" } ] }, "runAfter": {}, "type": "InitializeVariable" } |
Next I split that along the dot – which gives an array of objects – and I extract the second item in the array (which is the body; first part is header, last part is signature). Here’s the code view for that:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
"Initialize_variable_(TokenBody)": { "inputs": { "variables": [ { "name": "TokenBody", "type": "string", "value": "@{split(variables('Token'),'.')[1]}" } ] }, "runAfter": { "Initialize_variable_(Token)": [ "Succeeded" ] }, "type": "InitializeVariable" } |
What we get here is a base64 string and the next step would be to decode it to a string. When I tried that, however, the Logic App would fail and I saw that it was failing at this decode stage. I had experienced something similar with PowerShell and base64 decoding earlier so I knew just the fix for that. If were PowerShell I’d have done something like this:
|
1 2 3 4 5 6 7 8 |
switch ($base64String.Length % 4) { 0 { break } 1 { $base64String += '===' } 2 { $base64String += '==' } 3 { $base64String += '=' } } [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($base64String)) |
The problem is that in base64 every 4 characters are typically converted to 3 bytes. So an entire base64 string must have a length that is a multiple of 4 (though there are some bugs due to which this may not always be the case). What the snippet above thus does is divide the length by 4 to get the remainder. If the remainder is 1 (e.g. the length is 29) that means we need to add 3 characters to get the length divisible by 4 (i.e. make it 32 in this example). And so on for remainders of 2 and 3.
I have to thus do the same in the Logic App to correctly decode the header token. I put the whole thing in a Scope control to keep it neat and tidy:
The orange bit above is the Scope control. Here is its code:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 |
"Decode_Token_Info_just_in_case": { "actions": { "Add_padding_to_TokenBody_if_needed": { "cases": { "Case_1": { "actions": { "Set_variable_(FixedTokenBody)_add_3": { "inputs": { "name": "FixedTokenBody", "value": "@{variables('TokenBody')}===" }, "runAfter": {}, "type": "SetVariable" } }, "case": 1 }, "Case_2": { "actions": { "Set_variable_(FixedTokenBody)_add_2": { "inputs": { "name": "FixedTokenBody", "value": "@{variables('TokenBody')}==" }, "runAfter": {}, "type": "SetVariable" } }, "case": 2 }, "Case_3": { "actions": { "Set_variable_(FixedTokenBody)_add_1": { "inputs": { "name": "FixedTokenBody", "value": "@{variables('TokenBody')}=" }, "runAfter": {}, "type": "SetVariable" } }, "case": 3 } }, "default": { "actions": { "Set_variable_(FixedTokenBody)_add_nothing": { "inputs": { "name": "FixedTokenBody", "value": "@variables('TokenBody')" }, "runAfter": {}, "type": "SetVariable" } } }, "expression": "@mod(length(variables('TokenBody')),4)", "runAfter": {}, "type": "Switch" }, "Parse_JSON": { "inputs": { "content": "@decodeBase64(variables('FixedTokenBody'))", "schema": { "properties": { "aio": { "type": "string" }, "aud": { "type": "string" }, "exp": { "type": "integer" }, "iat": { "type": "integer" }, "iss": { "type": "string" }, "name": { "type": "string" }, "nbf": { "type": "integer" }, "oid": { "type": "string" }, "preferred_username": { "type": "string" }, "rh": { "type": "string" }, "sub": { "type": "string" }, "tid": { "type": "string" }, "uti": { "type": "string" }, "ver": { "type": "string" } }, "type": "object" } }, "runAfter": { "Add_padding_to_TokenBody_if_needed": [ "Succeeded" ] }, "type": "ParseJson" }, "Set_variable_(RequestorEmail)": { "inputs": { "name": "RequestorEmail", "value": "@body('Parse_JSON')?['preferred_username']" }, "runAfter": { "Parse_JSON": [ "Succeeded" ] }, "type": "SetVariable" }, "Set_variable_(RequestorName)": { "inputs": { "name": "RequestorName", "value": "@body('Parse_JSON')?['name']" }, "runAfter": { "Parse_JSON": [ "Succeeded" ] }, "type": "SetVariable" }, "Set_variable_(RequestorOID)": { "inputs": { "name": "RequestorOID", "value": "@body('Parse_JSON')?['oid']" }, "runAfter": { "Parse_JSON": [ "Succeeded" ] }, "type": "SetVariable" } }, "runAfter": { "Initialize_variable_(RequestorEmail)": [ "Succeeded" ] }, "type": "Scope" }, |
This is probably of no use to anyone else but I spent some time creating this so I figure why not put it on the Interwebs. :) You can’t assign a variable to itself, that’s why I have two set of variables TokenBody and FixedTokenBody with the latter being the one I add padding to if needed. After fixing I decode the base64 and then parse the JSON. The Parse JSON action has this as the input: @decodeBase64(variables('FixedTokenBody')).