I have developed a solution using Azure Logic Apps and API Management in Azure. The API in Azure API Management calls an Azure Logic App workflow [HTTP trigger] as the backend service.
The solution works fine with the Azure Logic App on one resource, Test. When I create the same Logic App in another resource, Pre-production, I receive a 404 Not Found error.
I have two resources for API Management [Test and Pre-prod] and two corresponding Logic App resource groups [Test and Pre-prod]. The connection from both API Management APIs to the Logic App in the Test resource group is successful.
However, when I try to connect to the Logic App workflow on Pre-prod, I encounter a 404 Not Found error. I can select the workflow as the back-end service through the API Management interface.
I have tested the Logic App workflow using Postman and it works fine. It is only the API in API Management which cannot connect.
I tried to investigate using Trace, but it does not provide any clue.
Any suggestions and help are welcome.
I found the issue. It was a return status coming back from Logic Apps, which was resource specific. Otherwise, the call from API Management was going fine.
I am trying to build an app where users can sign in using their work Microsoft account through OpenID Connect. All of the documentation from Microsoft seems to suggest that for React/SPA apps you should use the MSAL library to authenticate users, but this seems to cache the access tokens directly in the browser through session storage. To my knowledge this is bad practice, and a backend-for-frontend approach should be used for this scenario instead, where the access token is stored in an HTTP secure cookie.
Does anyone know how to do a backend-for-frontend type approach using Azure Active Directory? Is there support for this using Microsoft APIs, or do I have to just write the code from scratch?
Thanks for any help.
You need to use a server-side solution to issue application-level secure cookies. It is not specific to Azure AD.
The Duende BFF solution is .NET based, and uses the web host, e.g. https://www.example.com, to issue cookies. See this code example and the docs.
It is also possible to issue cookies via a utility API that runs in a sibling domain of the SPA, e.g. https://api.example.com. This is a little more complex, but provides options such as deploying the SPA to a content delivery network; see this code example.
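The shape of a backend-for-frontend described in the answer above, as an added example (not code from the thread, and not the Duende BFF project's code): an ASP.NET Core host signs the user in with OpenID Connect against Azure AD, keeps the tokens inside the server-side encrypted authentication ticket, gives the browser only an HttpOnly cookie, and proxies API calls while attaching the access token itself. The tenant id, client id, downstream scope and downstream URL are placeholders; the `X-CSRF` header requirement and the `/bff/*` route names are this example's own choices.

```csharp
// Added example (not from the thread or from Duende): a minimal backend-for-frontend on
// ASP.NET Core 6+ minimal hosting. The browser never receives the access token; it only
// holds an HttpOnly, Secure, SameSite=Strict session cookie issued by this host.
// Assumed placeholders: {tenant-id}, {client-id}, {downstream-app-id}, https://downstream.example.com.
// Requires NuGet package Microsoft.AspNetCore.Authentication.OpenIdConnect.
using System.Linq;
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddHttpClient("downstream",
    c => c.BaseAddress = new Uri("https://downstream.example.com/")); // placeholder API

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    options.Cookie.Name = "__Host-bff";              // __Host- prefix: Secure, no Domain, Path=/
    options.Cookie.HttpOnly = true;                  // not readable from JavaScript
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.ExpireTimeSpan = TimeSpan.FromHours(8);
    options.SlidingExpiration = true;
    // fetch/XHR callers cannot follow a redirect to the identity provider; answer 401/403 instead.
    options.Events.OnRedirectToLogin = ctx => { ctx.Response.StatusCode = 401; return Task.CompletedTask; };
    options.Events.OnRedirectToAccessDenied = ctx => { ctx.Response.StatusCode = 403; return Task.CompletedTask; };
})
.AddOpenIdConnect(options =>
{
    options.Authority = "https://login.microsoftonline.com/{tenant-id}/v2.0"; // placeholder tenant
    options.ClientId = "{client-id}";                                          // placeholder app registration
    options.ClientSecret = builder.Configuration["AzureAd:ClientSecret"];     // from a secret store, never in code
    options.ResponseType = OpenIdConnectResponseType.Code;                    // authorization code flow
    options.UsePkce = true;
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("api://{downstream-app-id}/.default");                 // placeholder downstream scope
    options.SaveTokens = true;   // tokens live in the encrypted server-side ticket, not in the browser
    options.GetClaimsFromUserInfoEndpoint = false;
});
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// The SPA navigates here to start login; the OIDC handler redirects to Azure AD.
app.MapGet("/bff/login", () =>
    Results.Challenge(new AuthenticationProperties { RedirectUri = "/" },
                      new[] { OpenIdConnectDefaults.AuthenticationScheme }));

// The SPA asks "who am I" without ever seeing a token.
app.MapGet("/bff/user", (HttpContext ctx) =>
    Results.Ok(new
    {
        name = ctx.User.Identity?.Name,
        claims = ctx.User.Claims.Select(c => new { c.Type, c.Value })
    })).RequireAuthorization();

// Proxy: the BFF attaches the access token server-side and forwards the call.
app.MapGet("/bff/api/{**path}", async (string path, HttpContext ctx, IHttpClientFactory factory) =>
{
    // Cheap CSRF defence for cookie-authenticated fetch calls: a custom header is never
    // sent cross-site by a browser without a CORS preflight, which this host does not allow.
    if (!ctx.Request.Headers.ContainsKey("X-CSRF")) return Results.BadRequest("missing X-CSRF header");

    var accessToken = await ctx.GetTokenAsync("access_token");
    if (string.IsNullOrEmpty(accessToken)) return Results.Unauthorized();

    var client = factory.CreateClient("downstream");
    var request = new HttpRequestMessage(HttpMethod.Get, path);
    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
    var response = await client.SendAsync(request);
    var body = await response.Content.ReadAsStringAsync();
    ctx.Response.StatusCode = (int)response.StatusCode;      // pass the downstream status through
    return Results.Content(body, response.Content.Headers.ContentType?.ToString() ?? "application/json");
}).RequireAuthorization();

app.MapPost("/bff/logout", async (HttpContext ctx) =>
{
    await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme); // also ends the Azure AD session
}).RequireAuthorization();

app.Run();
```

Because the cookie is the only credential the browser holds, the token never passes through session storage or JavaScript; refresh of the downstream token, if needed, would also happen inside this host rather than in the SPA.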
I have an Azure Logic App and Azure API Management. I need to call the APIs from the Logic App.
But when I try to add the action "Call an Azure API Management API" I get this error: "GetCallFailed. The API 'apiManagementOperation' could not be found."
Any advice on this error?
It's a Logic App (Standard).
According to this documentation, functionalities in the Standard Logic App are either limited, unavailable, or not supported.
Some built-in triggers and actions are not available, such as Sliding Window, Batch, Azure App Service, and Azure API Management.
As for connecting to your API Management directly, this feature is available in the Consumption logic app: Azure API Management.
Currently, the only option available in the Standard Logic App is to use an HTTP Connector.
I have an intranet Blazor Server application created using the Visual Studio template with the Work or School Accounts authentication option. Everything was working beautifully when running on my local machine and when the app was published to our development environment. However, once I moved the app to our staging environment, the application would sometimes crash after authenticating the user in Azure.
After troubleshooting the issue, I believe the problem to be that our on-premises staging environment is load balanced (mimicking production). Our dev environment is not load balanced. I think what was occurring was that once authenticated in Azure and redirected back to the application, the user doesn't always land on the same server due to the load balancer. This broke the SignalR circuit and caused the application to crash. This also explains why the error was random, happening maybe 2 out of every 10 logon attempts. To test this, I removed Azure AD authentication from the application and allowed anonymous access to every page. The crashes stopped.
My question is if anyone knows of any workaround to get Blazor Server with Azure AD authentication working with an on-premises load balancer. I searched all over the web and the only workaround I found was to use sticky sessions with Azure SignalR Service. We are not hosting apps on the cloud yet. Is switching to Blazor WebAssembly the only option if I want to use Blazor with authentication in my environment? Someone at work suggested switching the application to use our on-premises ADFS server. However, wouldn't that encounter the same issue?
For reference, here is the code in the Startup.cs ConfigureServices method that sets up the Azure authentication in the application:
// Namespaces needed: Microsoft.AspNetCore.Authentication.AzureAD.UI,
// Microsoft.AspNetCore.Authorization, Microsoft.AspNetCore.Mvc.Authorization
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
    .AddAzureAD(options => Configuration.Bind("AzureAd", options)); // reads the "AzureAd" section of appsettings
services.AddControllersWithViews(options =>
{
    // Require a signed-in user for every controller; anonymous requests get the Azure AD challenge.
    var policy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
    options.Filters.Add(new AuthorizeFilter(policy));
});
I found the solution to this and am posting it here in case anyone else is facing a similar issue.
It turns out the problem wasn't SignalR or anything specific to Blazor Server. After enabling the developer exception page on the load-balanced environment, I saw that the error was "Unable to unprotect the message.State". The application state is encrypted by middleware before the user is authenticated by Azure AD. When Azure AD posts back, it includes that encrypted state, which is then in turn decrypted on the client side by the middleware.
The key needed to decrypt it is stored on the web server. In a load-balanced environment, if you land on a different server than where you started, the middleware will be attempting to decrypt the state with the wrong key. This of course results in an error.
To fix this you have to store the keys in a central location like a file share instead of on the server itself. Implementing the fix is actually simple. Include the following line in ConfigureServices in Startup.cs:
// Requires using System.IO; and the Microsoft.AspNetCore.DataProtection namespace.
// Every server behind the load balancer must point at the same share so they share one key ring.
services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory\"));
There are also options to store keys on Azure if that is preferred.
This post by Kevin Dockx is what finally gave me the answer:
Solving Correlation Failed: State Property Not Found Errors (OpenID Connect Middleware / ASP.NET Core)
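To make the failure described in this answer concrete, here is an added example (not code from the thread or from the linked post) that builds two independent data-protection stacks the way two web servers would, shows that the second cannot unprotect state produced by the first, and then shows that pointing both at one shared key directory fixes it. The temporary folders stand in for per-server key stores and the file share; the purpose string and application name are this example's own choices.

```csharp
// Added example (not from the thread): reproduces "Unable to unprotect the message.State"
// with two separate key rings, then shows that a shared key ring fixes it. Runs as a plain
// console program; the same AddDataProtection() call goes into ConfigureServices.
// Assumed: temp folders stand in for each server's local key store and the shared file share.
// Requires NuGet packages Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

static class KeyRingDemo
{
    // Build a data-protection stack the way one web server instance would.
    static IDataProtector BuildProtector(string keyDirectory, string appName)
    {
        var services = new ServiceCollection();
        services.AddDataProtection()
            .SetApplicationName(appName)                                  // all nodes must agree on this
            .PersistKeysToFileSystem(new DirectoryInfo(keyDirectory));    // local folder or \\server\share
        // In production add .ProtectKeysWithCertificate(...) so keys on the share are not stored in the clear.
        var provider = services.BuildServiceProvider()
            .GetRequiredService<IDataProtectionProvider>();
        // The purpose string isolates this use of the key ring, like the OIDC handler does for its state.
        return provider.CreateProtector("OpenIdConnect.State");
    }

    // Returns true if node B can unprotect what node A protected (login started on A, callback hit B).
    public static bool RoundTrip(string dirA, string dirB, string appName)
    {
        var nodeA = BuildProtector(dirA, appName);
        var nodeB = BuildProtector(dirB, appName);
        const string plaintext = "nonce=abc123;returnUrl=/";               // constructed sample state
        string protectedState = nodeA.Protect(plaintext);
        try
        {
            return nodeB.Unprotect(protectedState) == plaintext;
        }
        catch (CryptographicException)
        {
            // The key id embedded in the payload is not in node B's key ring: the thread's error.
            return false;
        }
    }

    static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "dp-demo-" + Guid.NewGuid().ToString("N"));
        string server1 = Path.Combine(root, "server1-local");
        string server2 = Path.Combine(root, "server2-local");
        string shared  = Path.Combine(root, "shared-share");

        // Before the fix: each node keeps its own keys, so a callback landing on the other node fails.
        Console.WriteLine($"per-server key rings: {RoundTrip(server1, server2, "MyBlazorApp")}"); // False

        // After the fix: both nodes read the same key ring, so any node can unprotect.
        Console.WriteLine($"shared key ring:      {RoundTrip(shared, shared, "MyBlazorApp")}");   // True

        Directory.Delete(root, recursive: true);
    }
}
```

Without a certificate or DPAPI configured, the framework logs a warning that keys are persisted unencrypted; on a shared file share that warning matters, so the certificate option noted in the comment is the setting to add before going live.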
I have a web app written in React which is a Single Page Application. Then I have a back-end API written in .NET Core 3.1.
As I mentioned earlier, I have a web app written in React, so this React web app has to call one more API to read some configs. This third application is also an API application written in .NET Core 3.1. As soon as the web app spins up, it will call this third app and read configs like the API URL of the second application and other Azure-related details. Now this third API app should be protected. Only the web app should access this app and not any other users.
So I am trying to find out what the best scenarios available in Azure AD are. Can someone help me to understand the possible scenarios to handle this?
What you seem to want to accomplish at the moment is for the web application to access the third API application. If this is the case, it is simple. The steps are as follows:
First, you need to expose the API of the third API application protected by Azure, which can be configured according to the following process:
Azure portal>App registrations>Expose an API>Add a scope>Add a client application
Next, you need to define the manifest of the API application and grant application permissions to your client application (this is the role permission you define yourself; you can find it in My APIs when you add permissions). This is the process of defining the manifest:
This is to grant permissions for the client application (you can find your exposed API permissions in My APIs):
Finally, you need to obtain an access token using the client credential flow where no user is logged in:
Parse the token:
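The steps in this answer, expose an API, define an app role in the manifest, grant it to the client and acquire a token with the client credentials flow, as an added example (not code from the thread): the third "config" API validates bearer tokens and requires the app role, and a helper shows how the web app's backend acquires the token with MSAL.NET and reads the `roles` claim before calling. The tenant id, both app ids, the role value `Config.Read`, the hostnames and the sample config values are placeholders or constructed.

```csharp
// Added example (not from the thread): the "third" config API enforcing an application role,
// plus the helper the web app's backend uses to call it with the client credentials flow.
// Assumed placeholders: {tenant-id}, {config-api-app-id}, the app role value "Config.Read"
// (declared under appRoles in the API's manifest, allowedMemberTypes ["Application"]),
// the appsettings "AzureAd" section (TenantId, ClientId), and the example hostnames.
// NuGet: Microsoft.Identity.Web (API side; brings System.IdentityModel.Tokens.Jwt) and
// Microsoft.Identity.Client (caller side).
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Client;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// --- API side: validate the bearer token (signature, issuer, audience) against this app registration.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddAuthorization(options =>
{
    // A valid token alone is not enough: any app in the tenant can request one for this
    // audience with ".default". The app role granted to the web app is what restricts
    // access to the intended caller, so require it on every endpoint.
    options.AddPolicy("ConfigReader", p => p.RequireAuthenticatedUser().RequireRole("Config.Read"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/config", () => Results.Ok(new
{
    apiBaseUrl = "https://second-api.example.com",   // constructed sample config values
    environment = "dev"
})).RequireAuthorization("ConfigReader");

app.Run();

// --- Caller side: how the web app's backend (never the browser) obtains and uses a token.
static class ConfigClient
{
    // App-only token; the roles in it come from the application permission granted in the portal.
    public static async Task<string> AcquireTokenAsync(string tenantId, string clientId, string clientSecret)
    {
        var cca = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)                      // prefer .WithCertificate(...) in production
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();
        // ".default" requests every application permission already consented for this client.
        var result = await cca.AcquireTokenForClient(new[] { "api://{config-api-app-id}/.default" })
                              .ExecuteAsync();
        return result.AccessToken;
    }

    // Reads the roles present in the token. Decoding without validation is fine on the caller
    // side (it only inspects what it was issued); the API above still validates the token.
    public static IReadOnlyList<string> ReadRoles(string accessToken)
    {
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);
        return jwt.Claims.Where(c => c.Type == "roles").Select(c => c.Value).ToList();
    }

    public static async Task<string> FetchConfigAsync(string accessToken)
    {
        using var http = new HttpClient { BaseAddress = new Uri("https://config-api.example.com/") };
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var response = await http.GetAsync("config");
        response.EnsureSuccessStatusCode();   // 401: token rejected; 403: role missing from the token
        return await response.Content.ReadAsStringAsync();
    }
}
```

If `ReadRoles` returns an empty list, the application permission has not been granted (or admin-consented) to the web app yet; the API will then answer 403 even though the token itself is valid, which is the behaviour the role requirement is there to produce.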
So as per your description, it seems you want to permit only the API application to access your third application.
One thing you can do is create a user group, give access to your API only, and restrict the application to this group only.
See this; hope it will help:
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
I have an Azure App Service that is protected by AAD Express Authentication. I intend to use API Management Service to manage it, but when I import the API in the management service and test one of my GET functions, it says 401 Unauthorized. I have tried adding the "validate jwt" policy but I think I am doing something wrong. Can you tell me the correct way of making the connection to the AAD-protected App Service through API Management Service?
The Azure API Management feature allows you to expose apps deployed in Azure App Service in order to manage, protect, and secure APIs.
To start using Azure API Management, go to the App Service extension, and follow these steps:
Select a new or existing API Management service instance for exposing the app.
Manage the API—apply policies, edit or download an OpenAPI specification file, change the API configuration, or navigate to the API Management instance.
Please refer to this document