
Unable to use openAuthenticationPolicies in accessControl for Logic Apps ARM template #61656

Closed
akdracarys opened this issue Aug 27, 2020 · 3 comments

Comments

akdracarys commented Aug 27, 2020

Using an ARM template, I am unable to use openAuthenticationPolicies for a Logic App deployment:

```json
"accessControl": {
  "triggers": {
    "allowedCallerIpAddresses": [
      { "addressRange": "10.0.24.36/32" },
      { "addressRange": "10.0.104.44/32" }
    ],
    "openAuthenticationPolicies": {
      "policies": {
        "adfpolicy": {
          "type": "AAD",
          "claims": [
            { "name": "Audience", "values": "https://management.core.windows.net/" }
          ]
        }
      }
    }
  },
  "contents": {
    "allowedCallerIpAddresses": [
      { "addressRange": "10.0.24.36/32" },
      { "addressRange": "10.0.104.44/32" }
    ]
  }
}
```

I get this error whenever the ARM template is executed. If I remove the openAuthenticationPolicies block, the template works fine.

I am also confused about whether `values` or `value` should be used in the claims block.

If `"claims": [{ "name": "Audience", "values": "https://management.core.windows.net/"}]`:

```text
Error waiting for deployment: Code="DeploymentFailed" Message="At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details." Details=[{"code":"BadRequest","message":"{\r\n \"error\" : {\r\n \"code\": \"InvalidRequestContent\",\r\n \"message\": \"The request content is not valid and could not be deserialized: 'Could not find member 'values' on object of type 'OpenAuthenticationPolicyClaim'. Path 'properties.accessControl.triggers.openAuthenticationPolicies.policies.adfpolicy.claims[0].values', line 1, position 434.'.\"\r\n }\r\n}"}]]
```

If `"claims": [{ "name": "Audience", "value": "https://management.core.windows.net/"}]`:

```text
Error waiting for deployment: Code="DeploymentFailed" Message="At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details." Details=[{"code":"BadRequest","message":"{\r\n \"error\" : {\r\n \"code\": \"OAuthIssuerClaimValue\",\r\n \"message\": \"OAuth authentication policy 'adfpolicy' in access control configuration of workflow is not valid. The required claim 'iss' is missing.\"\r\n }\r\n}"}]
```

Reference:


@HarithaMaddi-MSFT (Contributor)

@akdracarys - Thanks for posting the question. We are currently investigating into the issue and will update you shortly.

@PramodValavala-MSFT (Member)

@akdracarys Thanks for catching that! Based on the REST API Spec, it is indeed value and not values. I have corrected my comment in the issue that you've linked and I've also raised a PR for the doc, which once merged should reflect in a couple of hours.

As for the error that you see even when using value, it is stating that iss (Issuer in the portal) is a required claim. This is mentioned in the table above the ARM Template snippet. I've also added a note specific to the ARM Template section.

akdracarys (Author) commented Sep 2, 2020

@PramodValavala-MSFT Thank you for clarifying. The issue has been resolved now.

```json
"accessControl": {
  "triggers": {
    "allowedCallerIpAddresses": [
      { "addressRange": "10.0.24.36/32" },
      { "addressRange": "10.0.104.44/32" }
    ],
    "openAuthenticationPolicies": {
      "policies": {
        "adfpolicy": {
          "type": "AAD",
          "claims": [
            { "name": "iss", "value": "https://sts.windows.net/" },
            { "name": "aud", "value": "https://management.core.windows.net/" }
          ]
        }
      }
    }
  },
  "contents": {
    "allowedCallerIpAddresses": [
      { "addressRange": "10.0.24.36/32" },
      { "addressRange": "10.0.104.44/32" }
    ]
  }
}
```
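Both failures in this thread only surface after the deployment has already been submitted. The following is an added example, not code from the thread, the Logic Apps docs or Microsoft: a small pre-deployment lint that encodes the two rules the deployment errors above enforce (claim objects use `name`/`value`, never `values`; every AAD policy must carry an `iss` claim), so a template can be rejected locally before `az deployment` is run. The `lint_template` walk over `resources[].properties.accessControl` and the `addressRange` presence check are the example's own assumptions about template shape; the sample blocks are constructed from the snippets in this issue.

```python
import json

# Added example (not from the thread or the docs). Lints the accessControl block
# of a Microsoft.Logic/workflows resource against the two constraints that the
# deployment errors in this issue reveal:
#   1. a claim object has exactly the members "name" and "value"
#      ("values" is rejected with InvalidRequestContent);
#   2. every openAuthenticationPolicies policy must include an "iss" claim
#      (otherwise OAuthIssuerClaimValue).
# Requiring "addressRange" on each allowedCallerIpAddresses entry is an extra
# sanity check assumed here, not a failure the thread reports.

CLAIM_MEMBERS = {"name", "value"}


def lint_access_control(access_control: dict) -> list[str]:
    """Return human-readable problems for one accessControl block; [] means clean."""
    problems: list[str] = []
    for scope, settings in access_control.items():  # e.g. "triggers", "contents"
        for i, entry in enumerate(settings.get("allowedCallerIpAddresses", [])):
            if "addressRange" not in entry:
                problems.append(f"{scope}.allowedCallerIpAddresses[{i}]: missing 'addressRange'")
        policies = settings.get("openAuthenticationPolicies", {}).get("policies", {})
        for policy_name, policy in policies.items():
            where = f"{scope}.openAuthenticationPolicies.policies.{policy_name}"
            claims = policy.get("claims", [])
            for i, claim in enumerate(claims):
                unknown = sorted(set(claim) - CLAIM_MEMBERS)
                if unknown:
                    problems.append(f"{where}.claims[{i}]: unsupported member(s) {unknown}; "
                                    "a claim object takes 'name' and 'value'")
                missing = sorted(CLAIM_MEMBERS - set(claim))
                if missing:
                    problems.append(f"{where}.claims[{i}]: missing member(s) {missing}")
            if not any(c.get("name") == "iss" for c in claims):
                problems.append(f"{where}: required claim 'iss' is missing")
    return problems


def lint_template(template: dict) -> list[str]:
    """Lint every Logic App workflow resource in a parsed ARM template (assumed layout)."""
    problems: list[str] = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Logic/workflows":
            continue
        access_control = res.get("properties", {}).get("accessControl")
        if access_control:
            name = res.get("name", "?")
            problems.extend(f"{name}: {p}" for p in lint_access_control(access_control))
    return problems


# Constructed samples: the failing block from the opening post and the corrected one.
BROKEN = {
    "triggers": {
        "allowedCallerIpAddresses": [{"addressRange": "10.0.24.36/32"}],
        "openAuthenticationPolicies": {"policies": {"adfpolicy": {
            "type": "AAD",
            "claims": [{"name": "Audience", "values": "https://management.core.windows.net/"}],
        }}},
    },
    "contents": {"allowedCallerIpAddresses": [{"addressRange": "10.0.24.36/32"}]},
}

FIXED = json.loads(json.dumps(BROKEN))  # deep copy, then apply the thread's fix
FIXED["triggers"]["openAuthenticationPolicies"]["policies"]["adfpolicy"]["claims"] = [
    {"name": "iss", "value": "https://sts.windows.net/"},
    {"name": "aud", "value": "https://management.core.windows.net/"},
]

if __name__ == "__main__":
    for label, block in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_access_control(block) or "OK")
```

Run it against a template with `lint_template(json.load(open("template.json")))` in a pre-deploy step and fail the pipeline on a non-empty list; the broken block yields three findings (the `values` member, the missing `value` member, and the missing `iss` claim), the corrected block yields none.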
