I have an API App I've deployed to Azure but want it secured so it's only available to Logic Apps and Web Apps in the same Resource Group.
The Swagger interface added via Swashbuckle has an api_key parameter I'm assuming I can perhaps leverage in some way.
Any suggestions on how I can achieve this security in a way compatible with Azure apps?
Azure AD
I suspect I should be able to achieve this using Azure AD?
I created an Azure AD Application then in the API App under Authentication / Authorization I enabled Azure Active Directory (Express) and selected the Azure AD Application I'd just created.
Now when I try to access the API App from the Logic App I get the following error:
Failed to fetch swagger. Ensure you have CORS enabled on the endpoint and are calling an HTTPS endpoint.
(Before enabling Azure Active Directory I wouldn't get this error, I'd see my list of endpoints instead.)
My next thought was to edit the manifest file for the Azure AD Application. I spotted this in the manifest:

```json
"knownClientApplications": []
```

so I tried adding my Logic App application name like so:

```json
"knownClientApplications": [ "my-logic-app-name" ]
```

but this was rejected as it expects a GUID instead of a string. Unfortunately I can't seem to locate a GUID id for my Logic App.
I found the Azure documentation on how to achieve this:
https://azure.microsoft.com/en-us/documentation/articles/app-service-logic-custom-hosted-api/
A little bit of a process is involved, which includes editing the Logic App JSON code directly to add in the authentication elements, e.g.:

```json
{
  ...
  "actions": {
    "SomeAction": {
      "conditions": [],
      "inputs": {
        "method": "post",
        "uri": "https://your-api.azurewebsites.net/api/YourMethod",
        "authentication": {
          "tenant": "the-guid-for-your-tenant",
          "audience": "the-guid-for-apiapp-azure-ad-application",
          "clientId": "the-guid-for-logicapp-azure-ad-application",
          "secret": "the-secret-for-logicapp-azure-ad-application",
          "type": "ActiveDirectoryOAuth"
        }
      },
      ...
    }
  }
}
```
The next issue I hit was with long running API calls causing the Logic App to fail. Luckily I found this informative blog post by Jeff Hollan which explained how to get around the issue:
https://blogs.msdn.microsoft.com/logicapps/2016/02/15/long-running-tasks-in-logic-apps/
with a supporting code example which I adapted to my requirements:
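As an added check (this is not the poster's code, nor the code adapted from Jeff Hollan's post, which is not reproduced here): a small Python audit that walks a Logic App definition and flags HTTP actions aimed at the API App's host that have no ActiveDirectoryOAuth block, or that store the client secret as a literal instead of a workflow expression. The sample definition is constructed, and the convention that secrets are referenced via @parameters(...) expressions starting with "@" is an assumption of mine.

```python
import json
from urllib.parse import urlsplit
# Constructed sample Logic App definition (not taken from the post). The first
# action mirrors the authenticated HTTP action above; the other two are
# deliberately weak so the audit has something to report.
SAMPLE_DEFINITION = json.loads('''
{
  "actions": {
    "CallApi": {
      "type": "Http",
      "inputs": {
        "method": "post",
        "uri": "https://your-api.azurewebsites.net/api/YourMethod",
        "authentication": {"type": "ActiveDirectoryOAuth",
          "tenant": "@parameters('tenantId')", "audience": "@parameters('apiAppAudience')",
          "clientId": "@parameters('logicAppClientId')", "secret": "@parameters('logicAppClientSecret')"}
      }
    },
    "CallApiNoAuth": {
      "type": "Http",
      "inputs": {"method": "get", "uri": "https://your-api.azurewebsites.net/api/Other"}
    },
    "CallApiLiteralSecret": {
      "type": "Http",
      "inputs": {"method": "get", "uri": "https://your-api.azurewebsites.net/api/Other",
        "authentication": {"type": "ActiveDirectoryOAuth", "secret": "hunter2"}}
    }
  }
}
''')

def audit_http_actions(definition, api_host):
    """Map action name -> findings for HTTP actions calling api_host without an
    ActiveDirectoryOAuth block, or with a literal secret. Assumption: secrets are
    workflow expressions such as @parameters('name'), i.e. they start with '@'."""
    findings = {}
    for name, action in definition.get("actions", {}).items():
        inputs = action.get("inputs", {})
        if action.get("type") != "Http" or urlsplit(inputs.get("uri", "")).hostname != api_host:
            continue  # only HTTP actions that target the protected API App matter here
        problems = []
        auth = inputs.get("authentication") or {}
        if auth.get("type") != "ActiveDirectoryOAuth":
            problems.append("no ActiveDirectoryOAuth authentication block")
        elif not str(auth.get("secret", "")).startswith("@"):
            problems.append("client secret is a literal, not an @parameters() reference")
        if problems:
            findings[name] = problems
    return findings
```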