I'm trying to create an event grid subscription that will call a logic app every time a blob is created.
To protect the logic app http endpoint, I've enabled AAD Auth following this documentation:
Enable Azure AD OAuth for your logic app
I then configured eventgrid to attach an oauth token while calling the logic following this documentation:
Publish events to Azure Active Directory protected endpoints
While creating the subscription, I received this error:
Deployment has failed with the following error:
{
"code": "Url validation",
"message": "Webhook validation handshake failed for https://prod-07.australiaeast.logic.azure.com/workflows/5aade5e78ff84281baf17c0ab70a35d8/triggers/manual/paths/invoke. Http POST request failed with response code Unknown. For troublehooting, visit https://aka.ms/esvalidation. Activity id:4d430ada-82ee-43a6-8ad4-467f6de611d8, timestamp: 7/17/2021 12:44:13 AM (UTC)."
}
Using requestbin, I checked that the oauth token was attached (see associated requestbin)
I've also validate that the token was valid by calling the logic (from postman) using the token from requestbin.
I tired the same using a function app and it worked.
So I decided to try exposing the logic app behind API management service and it worked...
So I'm guessing Azure is doing something special with the internal logic app url: https://prod-07.australiaeast.logic.azure.com/workflows/5aade5e78ff84281baf17c0ab70a35d8/triggers/manual/paths/
Does anyone encounter the same issue and was able to work around that in a better way?
Related
we have a problem and i dont see anything which i can do for now. I've already followed for example this article but i does not work for now: Azure Function App as Backend
Azure AD Authentication is configured in our Azure Function App and with postman i can connect with a bearer token to the function app.
Function App Authentication is configured with error 401 for apis
I can see in the browser that there is always this error when we open the frontend app. There is no access to the Azure AD secured backend function app from the frontend: Failed to load resource: the server responded with a status of 401 (Unauthorized)
i exposed the api from the app registration of the backend function app and gave them invoke delegated rights to the frontend app registration like in the blog article. CORS is configured too.
App Reg Invoke Config
is there anything i can do? We login to our Frontend App Service with Azure AD credentials and this token should give access to the backend service function app too so there is nothing unprotected in the public internet. But frontend get always this 401 error.
I tried to reproduce the scenario from my end :
When you decode the bearer token ,
Check issuer url and audience received
Also if issuer url has v2 endpoint ,Make sure the accessTokenAcceptedVersion is set to 2 other wise null or 1
Manifest:
{
"id": "4axxxxxxx039",
"acceptMappedClaims": null,
"accessTokenAcceptedVersion": 2,
...
}
Try including function app url https://kafnapprepo.azurewebsites.net
in allowed audiences. Along with the clientId of the app and AppId uri
and make sure the permissions are granted admin consent.
In basic terms, I am trying to get an access token to get Azure Cost Centre Data through the Usage Details API. The problem is that I can't seem to configure my service principal with azure properly. I have:
Created the registered app in Azure Active Directory
added https://www.thunderclient.io/oauth/callback in the redirect URL
generated a client secret
Included the following information in my Generate New Token in Thunder Client:
Request URL:
GET: https://management.azure.com/subscriptions/{subscription-id}/resourceGroupName/{resourceGroupName}/providers/Microsoft.CostManagement/dimensions?api-version=2019-11-01
Grant Type: Authorization Code
Auth Url: https://login.mmicrosoftonline.com/common/oauthorize
Token Url: https://login.microsoft.com/{tenant-id}/oauth2/v2.0/authorize from app registration
callback Url: https://thunderclient.io/oauth/callback
client ID: {{client_id}} from app registration
client secret: {{client_secret}} from app registration
scope: user_impersonation
{
Status 401 Unauthorized
"error": {
"code": "AuthenticationFailed",
"message": Authentication failed."
}
}
Header:
Bearer authorization_uri "https://login.windows.net/{tenant_id}, error= "invalid_token", error description="Could not find identity for access token"
Answering my own question. And big thanks to Guarav Mantri in the comments below.
The Scope should be set to https://management.azure.com/.default
The Grant Type is client credentials and not authorization code
The service principal needs to be added to the resource in azure that is part of the request (i.e. if looking for subscription data, then add the service principal as a reader role to the subscription).
I would need to start an Azure Data Factory pipeline from REST API as per https://learn.microsoft.com/en-us/rest/api/datafactory/pipelines/createrun#code-try-0
I have created an AAD app, and given it the Azure Service Management API Permission. However when the client through the OAuth2 Implicit flow receives an id_token and invokes that API to start a pipeline I get
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "The access token is invalid."
}
}
Am i using proper API pemrission? thanks.
If you just want to use OAuth2 flow to get the token to call the REST API, the client credentials flow is more suitable than the Implicit flow in this case.
Please follow the steps below.
1.Get values for signing in and create a new application secret.
2.Navigate to the data factory -> Access control (IAM) -> Add -> add your AD App as an RBAC role e.g. Contributor, Owner, Data Factory Contributor, details follow this.
3.In the postman, follow the screenshot below, fix the request body got from step 1, then use the token to call REST API, it will work fine.
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
client_id=<client_id>
&scope=https://management.azure.com/.default
&client_secret=<client_secret>
&grant_type=client_credentials
I cant test it right now but I would assume that having Data Factory Contributor should be enough for this.
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#data-factory-contributor
I'm trying to access metrics data in my localhost (http://localhost:8100) Ionic webapp of my resources using the Active Directory App Registration.
My administrator created a new app registration for my localhost app make it possible to request a new Bearer accesstoken.
After receiving the accesstoken I would like to let the application use this accesstoken to request metrics data.
One of the urls my webapp uses to call metrics (http GET request) is:
"https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/{resourcegroup_name}/providers/Microsoft.Compute/virtualMachines/{VirtualMachine_name}/providers/microsoft.insights/metrics?api-version=2018-01-01&metricnames=Percentage%20CPU×pan=2018-10-16T03:00:00Z/2018-10-17T03:00:00Z" with headers:
Authorization: {Bearer access_token},
Content-Type: 'application/json'
Unfortunately, after sending this get request it returns the error "AuthorizationFailed" (http error code 403) with message: "The client '{client id}' with object id '{same as client id}' does not have authorization to perform action 'microsoft.Insights/metrics/read' over scope '/subscriptions/{subscription_id}/resourceGroups/{resourcegroup_name}/providers/Microsoft.Compute/virtualMachines/{VirtualMachine_name}/providers/microsoft.Insights'."
What is going wrong here?
I solved the issue since I noticed that the registered app in Active Directory has no granted roles. I granted a role to this application by navigating to the subscription window and then to the Access control (IAM) tab. In this tab, I added the application which was declared in Active Directory Application Registrations and granted the role reader.
Since I saved the settings, the AuthorizationFailed error hasn't occured anymore.
I am trying to setup Authentication with a Javascript backed Azure Mobile Service. When I call my code to login in I get:
Microsoft.WindowsAzure.MobileServices.MobileServiceInvalidOperationException: Error: The Facebook Graph API access token authorization request failed with HTTP status code 400
Here is my code to call my Login:
public async Task<MobileServiceUser> Authorize(MobileServiceAuthenticationProvider provider, JObject jObject)
{
return await App.Client.LoginAsync(provider, jObject);
}
Is this an issue with a setting in the Facebook app? Or is it something in my code? Or a setting in the configuration of the Azure Mobile service.