

How should I configure HTTPS to protect JWTs in Azure Logic Apps


To configure HTTPS to protect JWTs in Azure Logic Apps, follow these steps:

1. Ensure HTTPS for Logic App Endpoints: Logic Apps should be reachable only over HTTPS so that the bearer token in the Authorization header is never sent in the clear. Request triggers on Consumption logic apps expose HTTPS endpoints only; for Standard logic apps, which run on App Service, enforce the HTTPS-only setting at scale with an Azure Policy such as "Deny-LogicApps-Without-Https", which denies deployments that do not set it[2].

2. Use API Management for Additional Security: Place Azure API Management (APIM) in front of your Logic Apps. APIM can require OAuth 2.0 access tokens issued by Azure Active Directory (now Microsoft Entra ID) and validate them before the request is forwarded[1][4]. A Logic App request trigger by itself only checks the SAS signature in its callback URL, so APIM is where caller identity is actually established. Also restrict the Logic App's inbound access (for example by IP address) to the APIM instance; otherwise anyone who obtains the callback URL can bypass the token check entirely[1].

3. Validate JWTs with API Management Policies: Use the validate-jwt policy in API Management to require a signed, unexpired token on every request. Configure it with the issuer's OpenID metadata (so signing keys are fetched and rotated automatically), the expected issuer, and the audience of your API, and add required claims such as roles or scopes so that a valid token minted for some other API is still refused[1].

4. Secure JWT Transmission: Always transmit JWTs over HTTPS. A JWT is a bearer token: anyone who captures it on the wire can replay it until it expires, so transport encryption is what prevents eavesdropping between client, APIM, and the Logic App. Keep token lifetimes short to limit the damage if one does leak[6].

5. Store JWTs Securely: On the client side, keep JWTs out of reach of scripts and of other applications. In a browser, prefer a cookie flagged HttpOnly, Secure and SameSite over localStorage, which any injected script can read; in services and automation, keep tokens in a secret store or in memory rather than in configuration files or logs[6].

6. Implement Client Certificates for HTTPS Requests: If your Logic App must present a client certificate on outbound HTTPS requests, note that the HTTP action's ClientCertificate authentication expects a password-protected PFX (PKCS #12) encoded as base64, not separate .crt and .key files, so combine the pair first (for example with openssl's pkcs12 -export)[5]. Store the PFX and its password as secrets in Azure Key Vault, retrieve them at run time with the Key Vault connector, and enable secure inputs and outputs on those actions so the private key does not appear in run history. Blob Storage is sometimes suggested for this[5], but a private key belongs in Key Vault, not in a storage container.
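The APIM inbound policy described in steps 2 and 3, written out as an added example (this is not code from the original article or from any of the cited posts). The tenant ID, the application ID URI used as the audience, and the role name LogicApp.Invoke are placeholders you would replace with your own values.

```xml
<policies>
    <inbound>
        <base />
        <!-- Added example: reject the request before it reaches the Logic App unless it carries
             a valid Entra ID bearer token. {tenant-id}, {app-id-uri} and LogicApp.Invoke are
             placeholders, not values from the article. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      require-signed-tokens="true"
                      require-expiration-time="true"
                      clock-skew="60"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized">
            <!-- Signing keys come from the tenant's OpenID metadata, so key rotation needs no policy change -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <issuers>
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            </issuers>
            <audiences>
                <!-- The app registration that represents this API; a token minted for another API is refused -->
                <audience>api://{app-id-uri}</audience>
            </audiences>
            <required-claims>
                <!-- A token from the right tenant for the right API still needs this app role -->
                <claim name="roles" match="any">
                    <value>LogicApp.Invoke</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- Strip the caller's token before forwarding: the backend call to the Logic App trigger is
             authorised by the trigger's SAS signature configured on the APIM backend, not by this header -->
        <set-header name="Authorization" exists-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Apply this at the API or operation scope that fronts the Logic App. The three checks work together: openid-config plus require-signed-tokens rejects unsigned or forged tokens, the issuers and audiences elements reject tokens from other tenants or for other APIs, and required-claims rejects callers who authenticated but were never granted the role. Pair it with an inbound IP restriction on the Logic App itself so that the callback URL cannot be used without going through APIM.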

By following these steps, you can effectively protect JWTs in Azure Logic Apps using HTTPS and additional security measures.

Citations:
[1] https://techcommunity.microsoft.com/blog/azuredevcommunityblog/part-4-secure-your-logic-app-using-api-management-8211-validate-jwt-access-restr/336802
[2] https://www.azadvertizer.net/azpolicyadvertizer/Deny-LogicApps-Without-Https.html
[3] https://adityadeshpandeadi.wordpress.com/2020/07/23/authorization-for-azure-logic-apps-token-based/
[4] https://turbo360.com/blog/logic-app-best-practices-secure-your-azure-logic-apps
[5] https://stackoverflow.com/questions/78261501/azure-logic-app-https-connection-over-ssl-using-crt-key-files
[6] https://www.softwaresecured.com/post/how-to-properly-secure-your-jwts
[7] https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-3/
[8] https://auth0.com/blog/how-to-validate-jwt-dotnet/