Thursday, February 13, 2020

The request has both SAS authentication scheme and 'Bearer' authorization scheme. Only one scheme should be used

While doing testing after doing a POC on Securing Logic App with Azure Active Directory authentication, where I have put logic app behind APIM and before passing the request to logic app, apim does validation of the token.

 I was encountered with an error

"The request has both SAS authentication scheme and 'Bearer' authorization
 scheme. Only one scheme should be used."

Why it happened

After validating the token which is part of the header i.e. Authorization, APIM forwards the request as it is to backend. As  Logic app is configured as back end, it's url already consist of SAS signature plus the request also has Authorization section and this is the problem.

By default every request endpoint on a logic app has a Shared Access Signature (SAS) in the endpoint's URL, which follows this format:


As of now logic App only understands SAS authentication only, and there is no mechanism built yet for Authorization, thus it does not support any Authorization scheme.

Although the error says
Only one scheme should be used -- It will not work if I remove SAS part and add
only Bearer token(Any Authorization scheme)

What to do

As Logic App currently doesn't support Authorization Header, it needs to be removed before submitting request to Logic App. In my case, as I was using APIM, by using Set Header policy - the Authorization header was removed and all work fine then after.

No comments:

Post a Comment

If you have any suggestions or questions or want to share something then please drop a comment