Yes, with one restriction: a Logic Apps authorization policy lets you specify the issuer URL it checks, but the policy only validates tokens issued and signed by Microsoft Entra ID (Azure AD). Here's how you can set it up:
1. Create an Authorization Policy: In your Azure Logic App, navigate to the Settings and then Authorization. Here, you can add a new authorization policy. This policy allows you to specify claims that must be present in the JWT token for authorization to succeed[1][3].
2. Specify the Issuer Claim: In the authorization policy, include the Issuer (`iss`) claim. Its value must exactly match the `iss` claim in the tokens you expect to receive. For Microsoft Entra ID tokens, the issuer is `https://sts.windows.net/{tenant-id}/` for v1.0 tokens or `https://login.microsoftonline.com/{tenant-id}/v2.0` for v2.0 tokens; pin it to your own tenant ID so tokens from other tenants are rejected. A different issuer value can be entered here, but because the policy type is always Azure AD, only issuers that are Entra ID tenants will actually pass validation[3].
3. Validate the Token: When a request arrives with an `Authorization: Bearer <token>` header, Azure Logic Apps first verifies the token's signature against Microsoft Entra ID's signing keys and then compares the token's claims against your authorization policies. The request is authorized only if every claim in at least one policy matches[1][3].
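The same policy expressed as an ARM template fragment, so it can be deployed rather than clicked through the portal. This is an added example, not taken from the cited posts; it sits under `properties` of the `Microsoft.Logic/workflows` resource. The policy name, tenant ID, audience and application ID are placeholders, and the `aud` and `appid` claims are added on top of the issuer so that a token from the right tenant but for a different API or a different client is still rejected.

```json
{
  "accessControl": {
    "triggers": {
      "openAuthenticationPolicies": {
        "policies": {
          "AllowCallerApp": {
            "type": "AAD",
            "claims": [
              { "name": "iss",   "value": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/" },
              { "name": "aud",   "value": "api://my-logic-app" },
              { "name": "appid", "value": "11111111-1111-1111-1111-111111111111" }
            ]
          }
        }
      }
    }
  }
}
```

`AAD` is the only policy type Logic Apps supports, which is the concrete reason a non-Entra issuer cannot be validated by the policy alone. Replace the zero GUID with your tenant ID and the `aud`/`appid` values with the app registration your caller presents; with only an `iss` claim in the policy, any token from that tenant, issued for any audience, would be accepted.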
However, if your issuer is not a Microsoft Entra ID tenant (the Stack Overflow question in [2] concerns tokens from `https://substrate.office.com/sts/`), the token is signed with keys Logic Apps does not trust, so signature validation fails before any claims are compared. For such tokens you need to validate the JWT yourself in front of the workflow, for example with Azure API Management's `validate-jwt` policy[4] or with your own code using `JwtSecurityTokenHandler` in .NET, configured with the custom issuer and its signing keys[2].
Example of Manual Validation in .NET
If you need to validate tokens from a custom issuer outside of Azure Logic Apps, you can use the following approach in .NET:
```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens; // TokenValidationParameters, SymmetricSecurityKey, SecurityTokenException

// Assuming you have the JWT token string
var jwtToken = "eyJ0eXAi...";
var validationParameters = new TokenValidationParameters
{
    ValidateIssuer = true,
    ValidIssuers = new[] { "https://yourcustomissuer.com" },
    // Audience validation is on by default; without a ValidAudience every token fails.
    ValidateAudience = true,
    ValidAudience = "api://your-api",
    ValidateLifetime = true,
    ValidateIssuerSigningKey = true, // Ensure you have the correct signing key
    // Only appropriate if the issuer really signs with HS256 and shares this secret with you;
    // the secret must be at least 128 bits (16 bytes) or the library rejects it.
    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("your-secret-key-at-least-16-bytes")),
    // Pin the accepted algorithm so a token with a different "alg" header is rejected.
    ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }
};
var handler = new JwtSecurityTokenHandler();
try
{
    ClaimsPrincipal principal = handler.ValidateToken(jwtToken, validationParameters, out _);
    // Token is valid; use principal.Claims for authorization decisions
}
catch (SecurityTokenException ex)
{
    // Token is invalid: bad signature, wrong issuer or audience, expired, or disallowed algorithm
}
```
This example assumes you hold the signing key for your custom issuer. In real-world scenarios the issuer signs with an asymmetric key, and you retrieve its public keys from the issuer's JWKS endpoint (published in its OpenID Connect discovery document) or validate against a certificate you obtained out of band.
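Added example (not from the cited answers or the Microsoft libraries' own samples) showing the asymmetric-key version a practitioner would actually deploy: a validator that pins issuer, audience, lifetime and algorithm, resolves signing keys from the issuer's OpenID Connect discovery document, and rejects a token whose issuer does not match. The issuer URL, audience, and the throwaway RSA key used by the offline demo are assumptions for illustration; `BuildFromDiscoveryAsync` assumes the custom issuer publishes `/.well-known/openid-configuration` over HTTPS.

```csharp
// NuGet: System.IdentityModel.Tokens.Jwt, Microsoft.IdentityModel.Protocols.OpenIdConnect
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class CustomIssuerJwtValidator
{
    // Strict parameters: every check is explicit. Leaving audience or algorithm unpinned is
    // where hand-rolled validators usually go wrong.
    public static TokenValidationParameters BuildParameters(
        string issuer, string audience, IEnumerable<SecurityKey> keys) =>
        new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = issuer,
            ValidateAudience = true,
            ValidAudience = audience,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = keys,
            // Pinning RS256 rejects "alg":"none" and HS256 tokens that use the public key
            // bytes as an HMAC secret (the classic algorithm-confusion attack).
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
        };

    // Production path: keys come from {issuer}/.well-known/openid-configuration (assumed to
    // exist for the custom issuer). ConfigurationManager caches the keys and refreshes them
    // on a schedule, which handles the issuer's key rotation.
    public static async Task<TokenValidationParameters> BuildFromDiscoveryAsync(
        string issuer, string audience)
    {
        var manager = new ConfigurationManager<OpenIdConnectConfiguration>(
            issuer.TrimEnd('/') + "/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever { RequireHttps = true });
        OpenIdConnectConfiguration config = await manager.GetConfigurationAsync(CancellationToken.None);
        return BuildParameters(config.Issuer, audience, config.SigningKeys);
    }

    // Returns the validated principal, or null when the token must be refused.
    public static ClaimsPrincipal Validate(string token, TokenValidationParameters parameters)
    {
        var handler = new JwtSecurityTokenHandler();
        try
        {
            return handler.ValidateToken(token, parameters, out _);
        }
        catch (SecurityTokenException)
        {
            return null; // bad signature, wrong issuer/audience, expired, or disallowed alg
        }
        catch (ArgumentException)
        {
            return null; // not a well-formed JWT at all
        }
    }

    // Offline demo: a throwaway RSA key stands in for the issuer's published JWKS.
    public static void Main()
    {
        const string issuer = "https://yourcustomissuer.example"; // assumed
        const string audience = "api://logicapp-demo";             // assumed
        using var rsa = RSA.Create(2048);
        var signingKey = new RsaSecurityKey(rsa) { KeyId = "demo-kid" };
        var publicKey = new RsaSecurityKey(rsa.ExportParameters(false)) { KeyId = "demo-kid" };

        string Mint(string iss) => new JwtSecurityTokenHandler().WriteToken(new JwtSecurityToken(
            issuer: iss,
            audience: audience,
            claims: new[] { new Claim("sub", "svc-caller") },
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256)));

        var parameters = BuildParameters(issuer, audience, new[] { publicKey });

        // Case 1: token from the expected issuer, signed with the trusted key.
        Console.WriteLine(Validate(Mint(issuer), parameters) != null);
        // Case 2: same trusted key, but the "iss" claim names an Entra tenant instead.
        Console.WriteLine(Validate(Mint("https://sts.windows.net/other-tenant/"), parameters) != null);
    }
}
```

The first token is accepted and the second is refused: the signature is fine, but `ValidIssuer` does not match, which is exactly the check the Logic Apps policy performs for Entra tokens and that your own code must perform for a custom issuer. When the issuer rotates keys and validation throws `SecurityTokenSignatureKeyNotFoundException`, call `manager.RequestRefresh()` on the `ConfigurationManager` and retry once before failing the request.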
Citations:
[1] https://adityadeshpandeadi.wordpress.com/2020/07/23/authorization-for-azure-logic-apps-token-based/
[2] https://stackoverflow.com/questions/56017333/how-to-validate-jwt-token-from-different-issuer
[3] https://gotoguy.blog/2020/12/31/protect-logic-apps-with-azure-ad-oauth-part-1-management-access/
[4] https://docs.azure.cn/en-us/api-management/validate-jwt-policy
[5] https://www.cloudshift.nl/blog/2022/10/securing-your-azure-logic-apps-with-azure-ad-oauth
[6] https://docs.gitlab.com/administration/auth/oidc/
[7] https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-custom-api-authentication
[8] https://auth0.com/blog/how-to-validate-jwt-dotnet/