| title | description | services | ms.suite | ms.reviewer | ms.topic | ms.date |
|---|---|---|---|---|---|---|
Add authentication for securing calls to custom APIs |
How to set up authentication to improve security for calls to custom APIs from Azure Logic Apps |
logic-apps |
integration |
klam, logicappspm |
article |
09/22/2017 |
To improve security for calls to your APIs, you can set up Azure Active Directory (Azure AD) authentication through the Azure portal so you don't have to update your code. Or, you can require and enforce authentication through your API's code.
You can improve security for calls to your custom API in these ways:
-
No code changes: Protect your API with Azure Active Directory (Azure AD) through the Azure portal, so you don't have to update your code or redeploy your API.
[!NOTE] By default, the Azure AD authentication that you turn on in the Azure portal doesn't provide fine-grained authorization. For example, this authentication locks your API to just a specific tenant, not to a specific user or app.
-
Update your API's code: Protect your API by enforcing certificate authentication, basic authentication, or Azure AD authentication through code.
Here are the general steps for this method:
-
Create two Azure Active Directory (Azure AD) application identities: one for your logic app and one for your web app (or API app).
-
To authenticate calls to your API, use the credentials (client ID and secret) for the service principal that's associated with the Azure AD application identity for your logic app.
-
Include the application IDs in your logic app definition.
Your logic app uses this Azure AD application identity to authenticate against Azure AD. You only have to set up this identity one time for your directory. For example, you can choose to use the same identity for all your logic apps, even though you can create unique identities for each logic app. You can set up these identities in the Azure portal or use PowerShell.
Create the application identity for your logic app in the Azure portal
-
In the Azure portal, choose Azure Active Directory.
-
Confirm that you're in the same directory as your web app or API app.
[!TIP] To switch directories, choose your profile and select another directory. Or, choose Overview > Switch directory.
-
On the directory menu, under Manage, choose App registrations > New application registration.
[!TIP] By default, the app registrations list shows all app registrations in your directory. To view only your app registrations, next to the search box, select My apps.
-
Give your application identity a name, leave Application type set to Web app / API, provide a unique string formatted as a domain for Sign-on URL, and choose Create.
The application identity that you created for your logic app now appears in the app registrations list.
-
In the app registrations list, select your new application identity. Copy and save the Application ID to use as the "client ID" for your logic app in Part 3.
-
If your application identity settings aren't visible, choose Settings or All settings.
-
Under API Access, choose Keys. Under Description, provide a name for your key. Under Expires, select a duration for your key.
The key that you're creating acts as the application identity's "secret" or password for your logic app.
-
On the toolbar, choose Save. Under Value, your key now appears. Make sure to copy and save your key for later use because the key is hidden when you leave the Keys page.
When you configure your logic app in Part 3, you specify this key as the "secret" or password.
Create the application identity for your logic app in PowerShell
[!INCLUDE updated-for-az]
You can perform this task through Azure Resource Manager with PowerShell. In PowerShell, run these commands:
-
Add-AzAccount -
$SecurePassword = Read-Host -AsSecureString -
Enter a password and press Enter.
-
New-AzADApplication -DisplayName "MyLogicAppID" -HomePage "http://mydomain.tld" -IdentifierUris "http://mydomain.tld" -Password $SecurePassword -
Make sure to copy the Tenant ID (GUID for your Azure AD tenant), the Application ID, and the password that you used.
For more information, learn how to create a service principal with PowerShell to access resources.
If your web app or API app is already deployed, you can turn on authentication and create the application identity in the Azure portal. Otherwise, you can turn on authentication when you deploy with an Azure Resource Manager template.
Create the application identity and turn on authentication in the Azure portal for deployed apps
-
In the Azure portal, find and select your web app or API app.
-
Under Settings, choose Authentication/Authorization. Under App Service Authentication, turn authentication On. Under Authentication Providers, choose Azure Active Directory.
-
Now create an application identity for your web app or API app as shown here. On the Azure Active Directory Settings page, set Management mode to Express. Choose Create New AD App. Give your application identity a name, and choose OK.
-
On the Authentication / Authorization page, choose Save.
Now you must find the client ID and tenant ID for the application identity that's associated with your web app or API app. You use these IDs in Part 3. So continue with these steps for the Azure portal.
Find application identity's client ID and tenant ID for your web app or API app in the Azure portal
-
Under Authentication Providers, choose Azure Active Directory.
-
On the Azure Active Directory Settings page, set Management mode to Advanced.
-
Copy the Client ID, and save that GUID for use in Part 3.
[!TIP] If Client ID and Issuer Url don't appear, try refreshing the Azure portal, and repeat Step 1.
-
Under Issuer Url, copy and save just the GUID for Part 3. You can also use this GUID in your web app or API app's deployment template, if necessary.
This GUID is your specific tenant's GUID ("tenant ID") and should appear in this URL:
https://sts.windows.net/{GUID} -
Without saving your changes, close the Azure Active Directory Settings page.
Turn on authentication when you deploy with an Azure Resource Manager template
You still need to create an Azure AD application identity for your web app or API app that differs from the app identity for your logic app. To create the application identity, follow the previous steps in Part 2 for the Azure portal.
You can also follow the steps in Part 1, but make sure to use your web app
or API app's actual https://{URL} for Sign-on URL and App ID URI.
From these steps, you have to save both the client ID and tenant ID for use
in your app's deployment template and also for Part 3.
Note
When you create the Azure AD application identity for your web app or API app, you must use the Azure portal, not PowerShell. The PowerShell commandlet doesn't set up the required permissions to sign users into a website.
After you get the client ID and tenant ID, include these IDs as a subresource of your web app or API app in your deployment template:
"resources": [
{
"apiVersion": "2015-08-01",
"name": "web",
"type": "config",
"dependsOn": ["[concat('Microsoft.Web/sites/','parameters('webAppName'))]"],
"properties": {
"siteAuthEnabled": true,
"siteAuthSettings": {
"clientId": "<client-ID>",
"issuer": "https://sts.windows.net/<tenant-ID>/"
}
}
}
]To automatically deploy a blank web app and a logic app together with Azure Active Directory authentication, view the complete template here, or click Deploy to Azure here:
The previous template already has this authorization section set up, but if you are directly authoring the logic app, you must include the full authorization section.
Open your logic app definition in code view, go to the HTTP action definition, find the Authorization section, and include these properties:
{
"tenant": "<tenant-ID>",
"audience": "<client-ID-from-Part-2-web-app-or-API app>",
"clientId": "<client-ID-from-Part-1-logic-app>",
"secret": "<key-from-Part-1-logic-app>",
"type": "ActiveDirectoryOAuth"
}| Property | Required | Description |
|---|---|---|
| tenant | Yes | The GUID for the Azure AD tenant |
| audience | Yes | The GUID for the target resource that you want to access, which is the client ID from the application identity for your web app or API app |
| clientId | Yes | The GUID for the client requesting access, which is the client ID from the application identity for your logic app |
| secret | Yes | The key or password from the application identity for the client that's requesting the access token |
| type | Yes | The authentication type. For ActiveDirectoryOAuth authentication, the value is ActiveDirectoryOAuth. |
For example:
{
"actions": {
"HTTP": {
"inputs": {
"method": "POST",
"uri": "https://your-api-azurewebsites.net/api/your-method",
"authentication": {
"tenant": "tenant-ID",
"audience": "client-ID-from-azure-ad-app-for-web-app-or-api-app",
"clientId": "client-ID-from-azure-ad-app-for-logic-app",
"secret": "key-from-azure-ad-app-for-logic-app",
"type": "ActiveDirectoryOAuth"
}
}
}
}
}To validate the incoming requests from your logic app to your web app or API app, you can use client certificates. To set up your code, learn how to configure TLS mutual authentication.
In the Authorization section, include these properties:
{
"type": "ClientCertificate",
"password": "<password>",
"pfx": "<long-pfx-key>"
} | Property | Required | Description |
|---|---|---|
type |
Yes | The authentication type. For TLS/SSL client certificates, the value must be ClientCertificate. |
password |
No | The password for accessing the client certificate (PFX file) |
pfx |
Yes | The base64-encoded contents of the client certificate (PFX file) |
To validate incoming requests from your logic app to your web app or API app, you can use basic authentication, such as a username and password. Basic authentication is a common pattern, and you can use this authentication in any language used to build your web app or API app.
In the Authorization section, include these properties:
{
"type": "Basic",
"username": "<username>",
"password": "<password>"
}| Property | Required | Description |
|---|---|---|
| type | Yes | The authentication type that you want to use. For basic authentication, the value must be Basic. |
| username | Yes | The username that you want to use for authentication |
| password | Yes | The password that you want to use for authentication |
By default, the Azure AD authentication that you turn on in the Azure portal doesn't provide fine-grained authorization. For example, this authentication locks your API to just a specific tenant, not to a specific user or app.
To restrict API access to your logic app through code, extract the header that has the JSON web token (JWT). Check the caller's identity, and reject requests that don't match.