Monday, January 13, 2020

Calling Active Directory Secured Function App from Logic Apps

Introduction

In the last post we saw how to secure a Function App with Active Directory and how to call it from another Function App.

To do that from a function we used the library provided by Microsoft, Microsoft.IdentityModel.Clients.ActiveDirectory.

So how do we do this in a Logic App? How do we add the above library to a Logic App, and where do we write code? No code is required, as Logic Apps already support Active Directory OAuth out of the box. We just need to provide the following info:

Tenant ID (Directory ID) - the authority which grants the token
Audience ID - for whom the token will be created, i.e. the target AD app's client ID
Client ID and Client Secret - the caller AD app's details; these prove the client's identity

The other steps remain the same: in order to call an AD-secured app, you (the client/calling app) need to get an access token from AD, and to do that you need to prove your identity to AD. To create an identity we need to register an app with AD, and then use this identity to request the access token.


How to do it


So first we need to get an access token, and to request a token we need to do the following.

1. Register an application with Active Directory (caller AD app)


[Screenshot: caller AD app]

As this app will be used to get the token, we need to make a note of the application (client) ID and also create a secret.
[Screenshot: create client secret]


Remember to copy and save the secret, as it won't be visible later.
[Screenshot: client secret]

2. Create Logic App

Create a simple HTTP-triggered Logic App which is triggered on receiving an HTTP request, calls the secured Function App and sends back a response. The response contains whatever was received from the secured Function App.

[Screenshot: logic app to call secured function app]

In the second step, note that we are using the HTTP action rather than the Azure Functions action. This is because the Azure Functions action does not support adding authentication details, whereas the HTTP action is flexible about it.
[Screenshot: select Active Directory OAuth]

After adding the HTTP action, select POST as the method and provide the URL of the secured Function App. In Authentication, select Active Directory OAuth and provide the other details as shown below.

Here I personally think having application settings for Logic Apps would be a good-to-have feature. However, we can use Key Vault here to store the info and fetch the values at runtime, but for the sake of this post I have done it here itself.
[Screenshot: oauth config]

Now add an HTTP Response action and, for the body, select the body returned from the step above.



That's it, the Logic App is ready to use.
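Since the secret in this walkthrough is typed straight into the action, a check like the following can be run over a workflow definition to flag Active Directory OAuth blocks that still carry a literal secret. It is an added example, not code from the original post; the action names, IDs, URL and the `callerClientSecret` parameter name are constructed placeholders, and it assumes the definition has the shape shown in the designer's code view.

```python
import re

REQUIRED = ("tenant", "audience", "clientId", "secret")
PARAM_REF = re.compile(r"@parameters\('([^']+)'\)")

def http_action(secret):
    """Constructed HTTP action shaped like the workflow definition (code view)."""
    return {"type": "Http", "inputs": {
        "method": "POST",
        "uri": "https://example-func.azurewebsites.net/api/target",  # placeholder
        "authentication": {
            "type": "ActiveDirectoryOAuth",
            "tenant": "00000000-0000-0000-0000-000000000000",   # placeholder IDs
            "audience": "11111111-1111-1111-1111-111111111111",
            "clientId": "22222222-2222-2222-2222-222222222222",
            "secret": secret}}}

# Constructed sample: one action with the secret inline, one reading it from a
# securestring workflow parameter (the parameter name is an assumption).
SAMPLE_DEFINITION = {
    "parameters": {"callerClientSecret": {"type": "securestring"}},
    "actions": {
        "HTTP_inline": http_action("constructed-inline-secret"),
        "HTTP_param": http_action("@parameters('callerClientSecret')")}}

def audit_oauth_actions(definition):
    """Return {action name: [findings]} for top-level ActiveDirectoryOAuth actions."""
    secure = {n for n, p in definition.get("parameters", {}).items()
              if str(p.get("type", "")).lower() in ("securestring", "secureobject")}
    report = {}
    for name, action in definition.get("actions", {}).items():
        auth = action.get("inputs", {}).get("authentication")
        if not isinstance(auth, dict) or auth.get("type") != "ActiveDirectoryOAuth":
            continue
        findings = [f"missing {k}" for k in REQUIRED if not auth.get(k)]
        secret = str(auth.get("secret") or "")
        ref = PARAM_REF.fullmatch(secret)
        if secret and not secret.startswith("@"):   # not an expression: plain text
            findings.append("secret is a literal in the definition")
        elif ref and ref.group(1) not in secure:
            findings.append("secret parameter is not securestring")
        report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_oauth_actions(SAMPLE_DEFINITION).items():
        print(name, findings or "ok")
```

Actions nested inside scopes or conditions are not walked; only the top-level `actions` map is checked.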


Testing


The target function expects input in the following form:

{"name":"Input"}

and it returns the result as "Reply from target app,+input it received"


[Screenshot: Testing request]
Use any REST client to call the Logic App, passing the input in the expected format shown above. Below is the result.
[Screenshot: Testing result]


How it works


When calling from a Function App we had to explicitly call the endpoint (https://login.microsoftonline.com/) along with details like the Tenant ID, Audience ID, Client ID and Secret using the provided library. In the case of a Logic App you just need to configure the details, and the rest is taken care of by the HTTP connector.



