
Azure Logic App not able to create client certificate authentication with converted base64-encoded PFX

I want to get the token information for the ADP client through an Azure Logic App. I have the client certificate from ADP, so I decided to use the HTTP trigger from Logic Apps and selected the authentication type "Client Certificate". Since I can't directly use the certificate in the Logic App, I converted the certificate into base64-encoded .pfx format; the certificate does not have a password. Below is the sample code for the request:

{
    "definition": {
        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
        "actions": {},
        "contentVersion": "1.0.0.0",
        "outputs": {},
        "triggers": {
            "HTTP": {
                "inputs": {
                    "authentication": {
                        "pfx": "convertedbase64string",
                        "type": "ClientCertificate"
                    },
                    "body": "grant_type=client_credentials&client_id=ClientId&client_secret=client_secret",
                    "headers": {
                        "content-type": "application/x-www-form-urlencoded"
                    },
                    "method": "POST",
                    "uri": "https://accounts.adp.com/auth/oauth/v2/token"
                },
                "recurrence": {
                    "frequency": "Month",
                    "interval": 15
                },
                "type": "Http"
            }
        }
    },
    "kind": "Stateful"
}

The above request returns a bad request. Can anyone help me with what is going wrong here?

For converting to base64, I used the steps below in PowerShell:
$pfx_cert = get-content 'C:\sample\adpcertificate.pfx' -Encoding Byte
$output =[Convert]::ToBase64String($pfx_cert)
$output

I tried the same request with the client certificate using Postman, which works fine, but I am not able to succeed with the Logic App.

Any help is much appreciated.

There are only a few differences between the headers sent from Postman and the Logic App. The main difference is that Postman also sends the accept header "Accept": "*/*" and leaves out all the x-ms-* headers from the Logic App.

I created a Logic App with an HTTP trigger, which I post to from Postman and from the Logic App to inspect the changes:

With Postman

{
    "headers": {
        "Connection": "keep-alive",
        "Accept": "*/*",
        "Accept-Encoding": "br,gzip,deflate",
        "Host": "....westeurope.logic.azure.com:443",
        "User-Agent": "PostmanRuntime/7.28.4",
        "Postman-Token": "...-baea-4e89-9bf6-490a63968b5d",
        "Content-Length": "76",
        "Content-Type": "application/x-www-form-urlencoded"
    },
    "body": {
        "$content-type": "application/x-www-form-urlencoded",
        "$content": "Z3JhbnRfdHlwZT1jbGllbnRfY3JlZGVudGlhbHMmY2xpZW50X2lkPUNsaWVudElkJmNsaWVudF9zZWNyZXQ9Y2xpZW50X3NlY3JldA==",
        "$formdata": [
            {
                "key": "grant_type",
                "value": "client_credentials"
            },
            {
                "key": "client_id",
                "value": "ClientId"
            },
            {
                "key": "client_secret",
                "value": "client_secret"
            }
        ]
    }
}

With Logic App

{
    "headers": {
        "Connection": "Keep-Alive",
        "Accept-Encoding": "gzip,deflate",
        "Accept-Language": "en",
        "Host": "...westeurope.logic.azure.com",
        "User-Agent": "azure-logic-apps/1.0,(workflow ...; version ...)",
        "x-ms-trigger-callback-url": "https://....westeurope.logic.azure.com/ <...>",
        "x-ms-trigger-type": "Http",
        "x-ms-workflow-id": "...",
        "x-ms-workflow-version": "...",
        "x-ms-workflow-name": "myworkflowname",
        "x-ms-workflow-system-id": "/locations/westeurope/scaleunits/...",
        "x-ms-workflow-run-id": "...",
        "x-ms-workflow-operation-name": "HTTP",
        "x-ms-execution-location": "westeurope",
        "x-ms-workflow-subscription-id": "...",
        "x-ms-workflow-resourcegroup-name": "..",
        "x-ms-tracking-id": "...",
        "x-ms-correlation-id": "...",
        "x-ms-client-request-id": "...",
        "x-ms-activity-vector": "...",
        "Content-Length": "76",
        "Content-Type": "application/x-www-form-urlencoded"
    },
    "body": {
        "$content-type": "application/x-www-form-urlencoded",
        "$content": "Z3JhbnRfdHlwZT1jbGllbnRfY3JlZGVudGlhbHMmY2xpZW50X2lkPUNsaWVudElkJmNsaWVudF9zZWNyZXQ9Y2xpZW50X3NlY3JldA==",
        "$formdata": [
            {
                "key": "grant_type",
                "value": "client_credentials"
            },
            {
                "key": "client_id",
                "value": "ClientId"
            },
            {
                "key": "client_secret",
                "value": "client_secret"
            }
        ]
    }
}

Solution

My solution would be to manually add the Accept header to the POST request in the Logic App.

"headers": {
        "Accept": "*/*",
        // ...
    },

I sadly don't have an ADP account to verify this, but I've seen other APIs break when no accept header is sent.
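
The header comparison made by eye in the answer above can be done mechanically. This is an added example, not part of the original answer: the two captures are constructed (trimmed from the outputs shown above), and the `NOISE` set and the function names are assumptions.

```python
import base64

# Constructed captures, trimmed from the two trigger outputs shown on this page.
BODY = b"grant_type=client_credentials&client_id=ClientId&client_secret=client_secret"
B64 = base64.b64encode(BODY).decode()
POSTMAN = {
    "headers": {
        "Accept": "*/*",
        "Accept-Encoding": "br,gzip,deflate",
        "User-Agent": "PostmanRuntime/7.28.4",
        "Content-Type": "application/x-www-form-urlencoded",
    },
    "body": {"$content": B64},
}
LOGIC_APP = {
    "headers": {
        "Accept-Encoding": "gzip,deflate",
        "Accept-Language": "en",
        "User-Agent": "azure-logic-apps/1.0",
        "x-ms-trigger-type": "Http",
        "Content-Type": "application/x-www-form-urlencoded",
    },
    "body": {"$content": B64},
}
# Assumption: headers treated as per-client noise rather than payload differences.
NOISE = {"host", "user-agent", "connection", "postman-token"}

def normalize(capture):
    """Lower-case header names; drop Logic Apps x-ms-* and noise headers."""
    hdrs = {k.lower(): v for k, v in capture["headers"].items()}
    return {k: v for k, v in hdrs.items()
            if not k.startswith("x-ms-") and k not in NOISE}

def body_bytes(capture):
    """Decode the base64 '$content' field of a captured body."""
    return base64.b64decode(capture["body"]["$content"])

def compare(working, failing):
    """Report what the failing request lacks, adds or changes versus the working one."""
    w, f = normalize(working), normalize(failing)
    return {
        "missing": sorted(w.keys() - f.keys()),
        "extra": sorted(f.keys() - w.keys()),
        "changed": {k: (w[k], f[k]) for k in w.keys() & f.keys() if w[k] != f[k]},
        "same_body": body_bytes(working) == body_bytes(failing),
    }

print(compare(POSTMAN, LOGIC_APP))
```

Header names are compared case-insensitively, and the body check decodes `$content` so that two requests with identical form data are not reported as different.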
