postman azure-logic-apps sas-token

How to Pass SAS Token as Header in Azure Logic App HTTP Trigger?


I am working with an Azure Logic App that is triggered by an HTTP request. The current setup uses a Shared Access Signature (SAS) token in the query string to authenticate the requests. However, for security reasons, I want to pass the SAS token as a header instead of including it in the URL.

Here’s the current URL format that works when I include the sig parameter directly in the URL:

https://prod-24.southcentralus.logic.azure.com:443/workflows/15f36e380c354bd5bd9de2de40b19d54/triggers/When_a_HTTP_request_is_received/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2FWhen_a_HTTP_request_is_received%2Frun&sv=1.0&sig=ajC3bRqX8qYfFCEhjP5qT1fyMVlCBQHpreshrikual

I would like to modify this so that the SAS token (sig) is passed via a header instead of in the query string.

I tried adding the SAS token as a custom header in both Postman and curl, like this:

curl -X POST "https://prod-26.southcentralus.logic.azure.com:443/workflows/15f36e380c354bd5bd9ed834de40b19d54/triggers/When_a_HTTP_request_is_received/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2FWhen_a_HTTP_request_is_received%2Frun&sv=1.0" \
-H "x-sas-token: ajC3bRqX8qYfFCEhjP5qT1fyMVlCBQHpkMu1eelefqs" \
-H "Content-Type: application/json" \
-d '{}'

However, I receive the following error:

{
    "error": {
        "code": "DirectApiAuthorizationRequired",
        "message": "The request must be authenticated only by Shared Access scheme."
    }
}

My Questions:

Is it possible to pass the SAS token via the HTTP header for Logic Apps? If not, what alternative authorization methods can I use to secure my Logic App API without exposing the SAS token in the URL? Any help or guidance would be appreciated!


Solution

  • You can only pass the SAS token in the request URL while manually invoking the Logic App's HTTP trigger.

    Alternatively, you can add Azure AD authorization policies in the Logic App, in which case you don't need to pass the SAS token.

    I referred to this documentation to enable authorization in the Logic App. You need to pass the issuer https://sts.windows.net/{tenant_id}/ and the audience https://management.core.windows.net/.

    Once done, generate the bearer token using the registered app's credentials.

    You need to use the request URL https://prod-63.eastus2.logic.azure.com:443/workflows/fa****328d/triggers/When_a_HTTP_request_is_received/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2FWhen_a_HTTP_request_is_received%2Frun and then add the bearer token in the request header to get the expected response.
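
The flow described in the answer, as an added shell example that is not part of the original answer: it removes `sv` and `sig` from the callback URL, requests a token, checks its `iss` and `aud` against the policy values, and sends it as a bearer header. It assumes the registered app uses a client secret with the client-credentials flow on the Azure AD v1 token endpoint; the function names are hypothetical, and `TENANT_ID`, `CLIENT_ID`, `CLIENT_SECRET` and `LOGIC_APP_URL` are environment variables supplied by the caller.

```sh
#!/bin/sh
# Added example (not from the original answer). Assumes an app registration with a
# client secret; TENANT_ID, CLIENT_ID, CLIENT_SECRET, LOGIC_APP_URL are caller-supplied.
AUDIENCE="https://management.core.windows.net/"   # audience value from the answer

# Drop the SAS parameters (sv, sig) from the callback URL; keep api-version and sp.
strip_sas_params() (
  case "$1" in *\?*) ;; *) printf '%s\n' "$1"; exit 0 ;; esac
  base=${1%%\?*}; query=${1#*\?}; kept=
  IFS='&'; set -f
  for pair in $query; do
    case "$pair" in
      sv=*|sig=*) ;;
      *) kept="${kept:+$kept&}$pair" ;;
    esac
  done
  printf '%s?%s\n' "$base" "$kept"
)

# Print a string claim from the JWT payload. No signature check: a local sanity
# test only; Logic Apps does the real validation. Assumes unescaped JSON strings.
jwt_claim() (
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#p} % 4 )) in 2) p="$p==" ;; 3) p="$p=" ;; esac
  printf '%s' "$p" | base64 -d 2>/dev/null |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
)

# True when iss/aud equal the values the answer enters in the authorization policy.
token_matches_policy() {
  [ "$(jwt_claim "$1" iss)" = "https://sts.windows.net/$2/" ] &&
    [ "$(jwt_claim "$1" aud)" = "$AUDIENCE" ]
}

# Client-credentials request to the Azure AD v1 token endpoint (assumed flow).
get_token() {
  curl -sS "https://login.microsoftonline.com/$TENANT_ID/oauth2/token" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "client_id=$CLIENT_ID" \
    --data-urlencode "client_secret=$CLIENT_SECRET" \
    --data-urlencode "resource=$AUDIENCE" |
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

if [ -n "${TENANT_ID:-}" ] && [ -n "${CLIENT_SECRET:-}" ] && [ -n "${LOGIC_APP_URL:-}" ]; then
  token=$(get_token)
  token_matches_policy "$token" "$TENANT_ID" || { echo "iss/aud mismatch" >&2; exit 1; }
  curl -sS -X POST "$(strip_sas_params "$LOGIC_APP_URL")" \
    -H "Authorization: Bearer $token" -H "Content-Type: application/json" -d '{}'
fi
```

A token whose `iss` or `aud` differs from the policy values fails the local check before any request reaches the trigger.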