The request has both SAS authentication scheme and 'Bearer' authorization scheme. Only one scheme should be used



Issue



While testing after doing a POC on securing a Logic App with Azure Active Directory authentication, where I had put the Logic App behind APIM so that APIM validates the token before passing the request to the Logic App, I encountered an error:

"The request has both SAS authentication scheme and 'Bearer' authorization scheme. Only one scheme should be used."


Why it happened


After validating the token carried in the Authorization header, APIM forwards the request as is to the backend. Because the Logic App is configured as the backend, its URL already contains the SAS signature, and the forwarded request also carries the Authorization header. That combination is the problem.

By default every request endpoint on a logic app has a Shared Access Signature (SAS) in the endpoint's URL, which follows this format:

https://<request-endpoint-URI>sp=<permissions>sv=<SAS-version>sig=<signature>

As of now, Logic App understands only SAS authentication. No mechanism has been built yet for the Authorization header, so it does not support any Authorization scheme.




Although the error says "Only one scheme should be used", it will not work if I remove the SAS part and add only a Bearer token (or any other Authorization scheme).

What to do


As Logic App currently doesn't support the Authorization header, it needs to be removed before the request is submitted to the Logic App. In my case, as I was using APIM, I removed the Authorization header with the Set Header policy, and everything worked fine after that.


[Image: set header policy]



 


8 Comments


  1. Do you have any other fix for this? After doing this change it's not working.

  2. What did you actually try? You just need to remove Authorization from the header before hitting the Logic App.

    1. Hi Mahesh,

      I am trying to do the same with a POST request which is coming from ZOOM. I have created an APIM service in Azure using my Logic App. I have also removed the Authorization header from the request header with the APIM service as stated above. It still does not resolve the issue. So I am not sure what is wrong?

  3. How about operationOptions: IncludeAuthorizationHeadersInOutputs?

  4. Hi Divyesh,

    Did you add the Set Header policy in APIM?

    Check the following post in case you are missing some step: https://www.tech-findings.com/2020/02/securing-logic-app-with-azure-active-directory.html


  5. If someone knows the trigger endpoint of the Power Automate flow,
    isn't the APIM setting meaningless?
