

How can I verify which claims are present in the tokens sent by my Logic App


To verify which claims are present in the tokens sent by your Logic App, you can follow these steps:

1. Enable Managed Identity: Ensure that your Logic App is using a managed identity. This involves enabling the system-assigned or user-assigned identity in the Logic App's identity settings[5].

2. Capture the Token: Modify your receiving Logic App to return the headers of the incoming request in its response. This allows you to capture the Authorization header, which contains the Bearer token sent by the sending Logic App[1].

3. Decode the Token: Use a tool like jwt.io to decode the captured Bearer token. This will reveal all the claims present in the token, such as the `appid`, `appidacr`, `iss`, and others[1].

4. Validate Claims: Once you have identified the claims in the token, you can validate them against your authorization policies. Ensure that the issuer (`iss`) claim matches your Azure AD tenant ID, and verify any other necessary claims like `appid` or `groups`[3][10].

5. Debugging: If you encounter issues, simplify your authorization policies to check only essential claims like the issuer. This helps isolate problems related to specific claim checks[1].

By following these steps, you can effectively verify and validate the claims in tokens sent by your Logic App.
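Steps 3 to 5 can also be run locally, without sending the captured token to an online decoder. The Python sketch below is an added example, not code from the cited sources: it decodes the captured Authorization header for inspection only (the signature is not verified) and checks the issuer and `appid`. The function names, the GUIDs and the sample token are constructed, and the two issuer URL formats are assumptions about how the tenant ID appears in `iss`.

```python
import base64
import json
from urllib.parse import urlparse

ISSUER_HOSTS = {"sts.windows.net", "login.microsoftonline.com"}  # assumption

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(authorization_header: str) -> dict:
    """Return the payload claims of a Bearer token WITHOUT verifying its signature."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise ValueError("expected 'Bearer <header>.<payload>.<signature>'")
    try:
        claims = json.loads(b64url_decode(token.split(".")[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def check_claims(claims: dict, tenant_id: str, allowed_appids: set) -> list:
    """Return a list of problems; an empty list means the essential checks passed."""
    problems = []
    iss = urlparse(str(claims.get("iss", "")))
    parts = [p for p in iss.path.split("/") if p]
    # Assumed formats: https://sts.windows.net/<tenant>/ or .../<tenant>/v2.0
    if iss.scheme != "https" or iss.hostname not in ISSUER_HOSTS or parts[:1] != [tenant_id.lower()]:
        problems.append("iss does not belong to the expected tenant")
    if claims.get("appid") not in allowed_appids:
        problems.append("appid is not an allowed caller")
    return problems

def make_sample_header(claims: dict) -> str:
    # Constructed sample: dummy signature segment, not a real token.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return "Bearer " + ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])

TENANT = "00000000-0000-0000-0000-000000000001"  # constructed placeholder
CALLER = "00000000-0000-0000-0000-0000000000aa"  # constructed placeholder
SAMPLE = make_sample_header({"iss": f"https://sts.windows.net/{TENANT}/",
                             "appid": CALLER, "appidacr": "2"})

if __name__ == "__main__":
    claims = decode_claims(SAMPLE)
    print(json.dumps(claims, indent=2))
    print(check_claims(claims, TENANT, {CALLER}) or "essential claims OK")
```

Passing an empty `allowed_appids` set and reading only the issuer result mirrors the debugging approach in step 5; the receiving endpoint's authorization policy remains the place where the token is actually validated.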

Citations:
[1] https://hybridbrothers.com/using-managed-identities-in-logic-app-http-triggers/
[2] https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles
[3] https://learn.microsoft.com/en-us/entra/identity-platform/claims-validation
[4] https://turbo360.com/blog/logic-app-best-practices-tips-and-tricks-10-fix-connectors-or-api-connections
[5] https://stackoverflow.com/questions/58821345/logic-app-calling-webapi-with-managed-identity-what-kind-of-token-is-added-to-re
[6] https://community.auth0.com/t/token-not-working-in-azure-logic-apps/48174
[7] https://www.codit.eu/blog/service-bus-claim-check-api-app-for-logic-apps/
[8] https://www.reddit.com/r/AZURE/comments/wzlsle/noob_question_how_do_i_tell_if_a_logic_app_is_on/
[9] https://marczak.io/posts/2019/08/secure-logic-app-with-api-management/
[10] https://adityadeshpandeadi.wordpress.com/2020/07/23/authorization-for-azure-logic-apps-token-based/