

How can I ensure that only valid tokens are accepted by my Logic App's authorization policies


To ensure that only valid tokens are accepted by your Logic App's authorization policies, follow these steps:

1. Configure Authentication in Logic Apps: Use the authentication option in Logic Apps to specify the issuer and audience. The issuer should be set to `https://login.microsoftonline.com/<your-tenant-id>/v2.0` (with your Azure AD tenant ID in place of the placeholder), and the audience should be the Application ID from the app registration in Azure Active Directory[1].

2. Include Authorization Headers: In the Logic App code view, add `"operationOptions": "IncludeAuthorizationHeadersInOutputs"` to the trigger. This makes the bearer JWT available in the trigger outputs, where later actions can inspect its claims[1].

3. Use Azure Active Directory (AAD) for Token Validation: Register your application in Azure AD to obtain a client ID and tenant ID. Use these to generate an access token that can be validated by your Logic App. Ensure that the token's audience matches one of the allowed audiences for Azure management resources if you're using the Management API[9].

4. Implement Additional Security Measures: Consider using Azure API Management (APIM) to add extra security layers such as IP filtering, rate limiting, and caching. APIM can also handle OAuth 2.0 and Azure Active Directory authentication, providing more robust security options[2].

5. Validate Token Claims: Ensure that the token claims, such as the audience and issuer, are correctly validated against your Logic App's expected values. This can be done by checking the token's contents and ensuring they match your app's configuration[7].

By implementing these measures, you can effectively ensure that only valid tokens are accepted by your Logic App's authorization policies.
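As an added example that is not part of the original answer, the following Python models the checks an authorization policy applies to the bearer token surfaced in the trigger outputs (step 2): algorithm, signature, issuer, audience and lifetime. The issuer, audience and signing key are constructed placeholders, and the HS256 shared-key signature is only a stand-in for the RS256 verification against the tenant's published keys that real Azure AD tokens require.

```python
import base64
import hashlib
import hmac
import json
import time

# Expected policy values (constructed placeholders, not a real tenant ID or application ID).
EXPECTED_ISSUER = "https://login.microsoftonline.com/<your-tenant-id>/v2.0"
EXPECTED_AUDIENCE = "<your-application-id>"

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_authorization_header(header_value, signing_key, now=None):
    """Return (accepted, reason) for the Authorization header captured in the trigger outputs."""
    now = time.time() if now is None else now
    scheme, _, token = header_value.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return False, "not a bearer JWT"
    header_seg, payload_seg, sig_seg = token.split(".")
    # Pin the algorithm so a token claiming alg=none or another algorithm is rejected outright.
    if json.loads(_b64url_decode(header_seg)).get("alg") != "HS256":
        return False, "unexpected alg"
    # Signature check. Constructed stand-in: HS256 with a shared key. Real Azure AD tokens are
    # RS256 and must be verified against the tenant's published signing keys instead.
    expected_sig = hmac.new(signing_key, f"{header_seg}.{payload_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_seg)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_seg))
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "issuer mismatch"
    aud = claims.get("aud")  # may be a string or a list; the app's own ID must be present
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("nbf", 0) > now:
        return False, "token not yet valid"
    return True, "ok"

def make_token(claims, signing_key):
    """Build a constructed HS256 token so the checks above can be exercised offline."""
    header_seg = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_seg = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(signing_key, f"{header_seg}.{payload_seg}".encode(), hashlib.sha256).digest()
    return f"{header_seg}.{payload_seg}.{_b64url_encode(sig)}"
```

A token failing any single check is rejected with the reason, which is the behaviour to expect from the policy: a wrong audience, a foreign issuer or an expired token never reaches the workflow.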

Citations:
[1] https://autosysops.com/blog/parse-jwt-tokens-in-azure-logic-apps
[2] https://turbo360.com/blog/logic-app-best-practices-secure-your-azure-logic-apps
[3] https://techcommunity.microsoft.com/blog/integrationsonazureblog/authenticate-standard-logic-apps-using-oauth-2-0-bearer-token/3269576
[4] https://shopify.dev/docs/apps/build/authentication-authorization/access-tokens/authorization-code-grant
[5] https://www.youtube.com/watch?v=ZVIJhVe0muU
[6] https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/
[7] https://www.linkedin.com/pulse/securing-request-based-triggered-logic-apps-using-azure-senih
[8] https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app
[9] https://stackoverflow.com/questions/75551840/invalidauthenticationtokenaudience-authentication-for-logic-apps